DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The 7/16/2020 IDS document has been considered by the examiner.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-8 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention. Independent claim 1 recites “a memory operable to store,” where that which may be stored is “a plurality of CVEs and a plurality of device profiles… features of a device… and the features comprise…” This limitation may be interpreted as merely reciting an intended use of the memory, and does not positively recite the memory actually storing anything (i.e., what is claimed may just be a memory which can store data).  Accordingly, there is insufficient antecedent basis for the later limitations which rely on the storable information. For instance, “for each device profile from among the plurality of device profiles stored in the memory” and “identify a device profile from among the plurality of device profiles” require device profiles stored in the memory, which may only be operable to store said profiles, rather than actually storing said profiles. The dependent claims do not cure this deficiency and are therefore likewise indefinite.
Independent claim 1 further recites “a common vulnerability and exposure (CVE),” “a plurality of CVEs,” “a corresponding CVE,” “a CVE,” and “a particular CVE,” where it is not clear which of these is referred to by “a probability of the CVE to affect the device profile.” It is further not clear whether “a common vulnerability and exposure (CVE),”  “a corresponding CVE,” “a CVE,” and “a particular CVE” are distinct or can refer to the same CVE. Independent claim 1 also recites “each device profile,” “a device profile,” and “a particular device profile,” where it is not clear which of these is referred to by “the device profile.” It is further not clear whether “each device profile,” “a device profile,” and “a particular device profile” are distinct or can refer to the same device profile. Independent claim 1 also recites “a particular device profile” twice, where it is not clear whether these are the same particular device profile. The dependent claims do not cure this deficiency and are therefore likewise indefinite.
Since dependent claims 2-8 are likewise indefinite, they are also rejected with their parent claim.

Claims 9-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention. Each of independent claims 9 and 16 recites “a common vulnerability and exposure (CVE),” “a CVE,” and “a particular CVE,” where it is not clear which of these is referred to by “a probability of the CVE to affect the device profile.” It is further not clear whether “a common vulnerability and exposure (CVE),” “a CVE,” and “a particular CVE” are distinct or can refer to the same CVE. Each of independent claims 9 and 16 also recites “each device profile,” “a device profile,” and “a particular device profile,” where it is not clear which of these is referred to by “the device profile.” It is further not clear whether “each device profile,” “a device profile,” and “a particular device profile” are distinct or can refer to the same device profile. Each of independent claims 9 and 16 also recites “a particular device profile” twice, where it is not clear whether these are the same particular device profile. The dependent claims do not cure this deficiency and are therefore likewise indefinite.
Since dependent claims 10-15 and 17-20 are likewise indefinite, they are also rejected with their respective parent claims.

Claims 5 and 13 rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention. Each of claims 5 and 13 recites “in response to determining that the particular CVE comprises security vulnerabilities that affect the particular device profile, associate the particular CVE with the particular device profile.” However, their respective parent claims already positively recite associating the particular CVE with the particular device profile. As such, it is not clear how claims 5 and 13 make an association which was already previously made (e.g., whether it is the same association, a different association, or further specifies the association in some manner).  

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to abstract idea of a mental process (i.e., concepts performed in the human mind, including an observation, evaluation, judgement, and/or opinion) without significantly more. The claim(s) recite(s) obtaining CVE information, device profile information, identifying commonalities between particular CVEs and particular device profiles based on their features, and associating the particular CVEs and particular device profiles based on whether the commonalities are over a threshold value. However, this may be interpreted as an analyst merely reading from a list of CVEs and manually matching particular ones of the CVEs to particular ones of a list of device profiles based on matching elements from the CVE descriptions to elements from the device profiles (e.g., a CVE describes devices running a given version of software, and the analyst looks through device profiles having a that version or one with a similar release date/version number). “Receiving a request from a user to associate a CVE with a particular device profile” may be interpreted as being asked to perform this role. The claimed association may be, e.g., a mental note or writing down the pair on a piece of paper.
This judicial exception is not integrated into a practical application because adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely using a computer as a tool to perform an abstract idea are not considered to be sufficient—see MPEP 2106.05(f). In this case, claim 1 recites a memory operable to store CVE and profile data, as well as a processor configured to perform the judicial exception; claim 9 recites device profiles being stored in memory; and claim 16 recites a computer-readable medium and processor for performing the judicial exception. The aforementioned processor, memory, and CRM are considered to be base elements of any computer for performing the judicial exception.
The claims further recite elements which may be considered sufficient to amount to significantly more than the judicial exception: “a memory operable to store a plurality of CVES and a plurality of device profiles… and an installed software of the device,” “a processor operably coupled to the memory,” “wherein the particular device comprises a computing device, server, desktop computer, or laptop,” “stored in a memory,” and “a non-transitory computer-readable medium…executed by a processor.” 
However, these elements are not sufficient to amount to significantly more than the judicial exception because adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely using a computer as a tool to perform an abstract idea are not considered to be sufficient—see MPEP 2106.05(f). In this case, the elements merely recite the base elements of any computer for performing the judicial exception, or a generic computing device. 
	Dependent claims 3-8, 11-15, and 18-20 are likewise rejected under this analysis as above, since they merely further specify the judicial exception in greater detail (i.e., elaborating upon the features and comparison; including additional device profiles). For instance, these claims may be interpreted as the exemplary analyst performing additional observation, evaluation, judgement, and/or opinion.
	Dependent claims 2, 10, and 17 further specify identifying a patch for the associated vulnerability. They are not considered to integrate the judicial exception into a practical application because adding insignificant extra-solution activity to the judicial exception is not considered to be sufficient—see MPEP 2106.05(g) (e.g., the analyst further looking through a list of patches for an identified profile and making a note to update the device). These claims are not considered to contain elements sufficient to amount to significantly more than the judicial exception because “flag the particular device profile to be updated with the particular security patch” may be interpreted as an intended use of the flagging, rather than the patching positively taking place. 

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1-2, 5-6, 8-10, 13-17, and 20  is/are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Gerber (US 2021/0126936 A1).

Regarding claim 1, Gerber discloses: A system for associating a common vulnerability and exposure (CVE) with a particular device profile, comprising: 
a memory operable to store a plurality of CVEs (e.g., vulnerability database 108 in FIG. 1 of Gerber) and a plurality of device profiles (i.e., assets), each device profile associated with a corresponding CVE, wherein each device profile comprises features of a device, 
Refer to at least [0050] and [0064]-[0069] of Gerber with respect to assets having unique identifiers and vulnerabilities (e.g., CVE) having unique identifiers, the assets and vulnerabilities being associated together. 
and the features comprise at least two of an operating system, a CPU architecture, a GPU architecture, a memory architecture, and an installed software of the device; and 
Refer to at least [0075] of Gerber with respect to OS and applications of the assets.  
a processor operably coupled to the memory, configured to: 
receive a request from a user to associate a CVE with a particular device profile; 
Refer to at least [0018] and [0028] of Gerber with respect to a security operations center and user devices for communicating with the SOC.
Refer to at least 200 in FIG. 2 of Gerber with respect to an initial scan to be performed. 
for each device profile from among the plurality of device profiles stored in the memory, determine feature importance values for features of each device profile, wherein a feature importance value of a corresponding feature of a device profile associated with a CVE indicates a probability of the CVE to affect the device profile with respect to that feature; 
Refer to at least [0016], [0071]-[0072], and [0104] of Gerber with respect to obtaining features of the assets. 
Refer to at least [0016], [0053], [0072], and [0074] of Gerber with respect to probability and weighting. 
identify a device profile from among the plurality of device profiles that has one or more features in common with the particular device profile, wherein the one or more features are associated with a total feature importance value above a feature importance threshold value, and the total feature importance value of the device profile is a sum of feature importance values of the one or more features of the device profile in common with the particular device profile; 
Refer to at least 204 in FIG. 2, [0049], [0076]-[0083], and [0102]-[0103] of Gerber with respect to identifying similarities between assets, asset clusters, and vulnerabilities; with respect to recommenders using, e.g., a weighted sum. 
identify a particular CVE associated with the identified device profile; and 
associate the particular CVE with the particular device profile.
Refer to at least the abstract, 206-208 in FIG. 2, [0053], and [0072]-[0073] of Gerber with respect to predicting vulnerabilities for a second set of assets based on the analyzed assets and vulnerabilities. 

Regarding claim 2, Gerber discloses: The system of Claim 1, wherein the processor is further configured to: identify a particular security patch associated with the identified device profile; associate the particular security patch to the particular device profile; and flag the particular device profile to be updated with the particular security patch to address security vulnerabilities identified in the particular CVE associated with the particular device profile.
Refer to at least [0054] of Gerber with respect to patching the vulnerability as part of a remedial action. 

Regarding claim 5, it is rejected for substantially the same reasons as claim 1 above (i.e., the citations including FIG. 2 of Gerber).

Regarding claim 6, Gerber discloses: The system of Claim 1, wherein the processor is further configured to: identify a first device profile associated with a first CVE; determine whether a first total feature importance values of one or more features of the first device profile in common with the particular device profile is higher than the feature importance threshold value; in response to determining that the first total feature importance values of one or more features of the first device profile in common with the particular device profile is higher than the feature importance threshold value, associate the first CVE to the particular device profile; identify a second device profile associated with a second CVE; determine whether a second total feature importance values of one or more features of the second device profile in common with the particular device profile is higher than the feature importance threshold value; and in response to determining that the second total feature importance values of one or more features of the second device profile in common with the particular device profile is higher than the feature importance threshold value, associate the second CVE to the particular device profile.
Refer to at least [0049], [0052], and [0072] of Gerber with respect to thresholds for features during, e.g., step 204 in FIG. 2 of Gerber. 
Refer to at least [0076]-[0083] of Gerber with respect to exemplary recommender systems; with respect to at least the abstract and 206 in FIG. 2 of Gerber with respect to identifying vulnerabilities. 

Regarding claim 8, Gerber discloses: The system of Claim 1, wherein the particular device comprises a computing device, server, desktop computer, or laptop.
Refer to at least [0017] of Gerber with respect to exemplary assets.

Regarding independent claim 9, it is substantially similar to elements of independent claim 1 above, and is therefore likewise rejected for substantially the same reasons (i.e., the citations).

Regarding claims 10 and 13-15, they are substantially similar to claims 2, 5-6, and 8 above, and are therefore likewise rejected.

Regarding independent claim 16, it is substantially similar to elements of independent claim 1 above, and is therefore likewise rejected for substantially the same reasons (i.e., the citations).

Regarding claim 17, it is substantially similar to claim 2 above, and is therefore likewise rejected.

Regarding claim 20, it is substantially similar to claim 6 above, and is therefore likewise rejected. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 3-4, 11-12, and 18-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Gerber as applied to claims 1-2, 5-6, 8-10, 13-17, and 20 above, and further in view of Vasudevan (US 2017/0324763 A1).

Regarding claim 3, Gerber discloses implicit asset technology profile features associated with vulnerabilities and determining asset similarities, Gerber does not fully disclose: wherein identifying the device profile from among the plurality of device profiles that has one or more features in common with the particular device profile comprises: identifying a first feature of the particular device profile; determining whether a first device profile comprises the first feature; in response to determining that the first device profile comprises the first feature, determine that the first device profile has the first feature in common with the particular device profile; identifying a second feature of the particular device profile; determining whether the first device profile comprises the second feature; and in response to determining that the first device profile comprises the second feature, determine that the first device profile has the second feature in common with the particular device profile. However, Gerber in view of Vasudevan discloses: wherein identifying the device profile from among the plurality of device profiles that has one or more features in common with the particular device profile comprises: identifying a first feature of the particular device profile; determining whether a first device profile comprises the first feature; in response to determining that the first device profile comprises the first feature, determine that the first device profile has the first feature in common with the particular device profile; identifying a second feature of the particular device profile; determining whether the first device profile comprises the second feature; and in response to determining that the first device profile comprises the second feature, determine that the first device profile has the second feature in common with the particular device profile. 
Refer to at least [0024], [0027], and [0029] of Vasudevan with respect to extrapolating known vulnerability information about some assets in order to guess vulnerability statuses for other assets via making use of, e.g., asset criticality, vulnerability severity, and platform information.
Refer to at least [0003], [0030], and FIG. 11D-E of Vasudevan with respect to exemplary profile information for use in comparison and determination of vulnerabilities. 
The teachings of Gerber and Vasudevan both concern identifying vulnerabilities of assets based on those of similar assets, and are considered to be within the same field of endeavor and combinable as such. 
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Gerber to further rely non the technology profile of the assets during the recommender step (204 in FIG. 2 and 405 in FIG. 4 of Gerber) for at least the purpose of increasing an accuracy of vulnerability predictions by means of additional input data (e.g., helping to eliminate situations where a similarity is inferred but not present).

Regarding claim 4, it is rejected for substantially the same reasons as claims 6 and 3 above (i.e., the citations and obviousness rationale). 

Regarding claims 11-12, they are substantially similar to claims 3-4 above, and are therefore likewise rejected.

Regarding claims 18-19, they are substantially similar to claims 3-4 above, and are therefore likewise rejected.

Claim(s) 7 is/are rejected under 35 U.S.C. 103 as being unpatentable over Gerber as applied to claims 1-2, 5-6, 8-10, 13-17, and 20 above, and further in view of Karabatis (US 2020/0401702 A1).

Regarding claim 7, Gerber does not disclose: wherein the feature importance threshold value is configurable by the user. However, Gerber in view of Karabatis discloses: wherein the feature importance threshold value is configurable by the user. 
Refer to at least [0236] and [0239] of Karabatis with respect to a user-defined threshold.
The teachings of Gerber and Karabatis concern vulnerability scanning and machine learning, and are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Gerber to further include user-configurable threshold values for at least the reasons specified in the cited portions of Karabatis (i.e., raising or lowering the amount of hits as needed). 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432                                                                                                                                                                                                        




/V.S/Examiner, Art Unit 2432