DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment / Arguments
Regarding claims rejected under 35 USC 101:
Applicant's arguments have been fully considered but they are not persuasive.
Applicant argues that “the rejection should be withdrawn because the claims are not directed to any one of the groups of abstract ideas identified by the USPTO… [t]he instant claims are directed to software security for binary software code, and thus they do not belong to any one of the groups listed above.” In response, it is noted that the 4/1/2022 Office action identified the claims as belonging to a mental process (i.e., concepts performed in the human mind, such as observation, evaluation, judgement, and/or opinion). The amended claims now recite that a hardware processor of a software service platform is performing the receiving, inspecting, determining, and outputting steps. However, this aspect alone is not considered to elevate the claim language beyond that of reciting the judicial exception because it appears to merely be adding instructions to implement the exception on a computer / uses a computer as a tool to perform the exception (see MPEP 2106.05(f)). Where this aspect is drawn to a software service platform specifically, it appears to merely be linking the use of the judicial exception to a particular technological environment or field of use, which is not sufficient to overcome the rejection as per MPEP 2106.05(h).
	Applicant further argues that “the present Application demonstrates a distinct technical advantage in the practical field of software security,” citing [0020]-[0021] of the instant specification stating that manual input is inefficient as compared with automation. In response, it is noted that the argued improvement (e.g., pages 9-10) appears to merely be the suggestion of automation itself. The claims appear to recite what may be performed manually by a person (e.g., inspecting code for a certain number of elements, determining whether that number is sufficiently high, and if so, determining the assignment of a score), where the argued improvement appears to be “by at least one hardware processor on a software service platform.” As discussed above concerning MPEP 2106.05(f)&(h), merely using a computer to perform the exception and/or linking the exception to a particular environment is not considered to be sufficient. In this case, the actual details of the automation are not believed to be recited within the claim language. For instance, the claim language is not believed to demonstrate how the performance of the judicial exception by the software service platform processor would be different from performance of the judicial exception by any generic processor. 

Regarding claims rejected under 35 USC 102:
Applicant’s arguments with respect to the configured threshold have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Murthy (US 2019/0258803 A1).
In response to Applicant’s arguments concerning the distinction: “parsing source code, not binary software code,” it is noted that at least [0035] and [0037] of Hufsmith concern binary scanners. It is also noted that the Murthy reference specifically deals with binary programs.

Regarding claims rejected for Double Patenting:
	The amended claims are considered to overcome the rejection(s) based on Double Patenting. Accordingly, the rejection(s) has/have been withdrawn.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 15-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because they are drawn to a “computer-readable media,” which may be interpreted as a signal per se. For instance, at least [0090] of the specification explicitly recites that “program instructions can be encoded on an artificially generated propagated signal” and further only discusses a non-transitory computer-readable medium using exemplary language. 

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to the abstract idea of a mental process (concepts performed in the human mind, such as an observation, evaluation, judgment, and/or opinion) without significantly more. The claim(s) recite(s) a process for observing binary code, evaluating the binary code for a specific factor, and assigning a score based on the factor as a judgement. This is considered to be analogous to a mental process performable by a human coder reviewing binary code (e.g., using a reference book of factor-to-score mappings; or simply deciding a value consistent with CVSS). This judicial exception is not integrated into a practical application because adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely using a computer as a tool to perform an abstract idea is not considered to be sufficient—see MPEP 2106.05(f). In this case, the claims merely recite a hardware processor and/or storage media and instructions for performing the process without further describing any particular machine. The dependent claims further specify concepts performed in the human mind (i.e., further specifying the code portions which are observed and evaluated) rather than suggesting integration into a practical application.
	Abstract idea limitations (exemplary claim 1): “A method, comprising: receiving, a binary software code; inspecting, by the at least one hardware processor, the binary software code to determine at least one Common Vulnerability Scoring Standard (CVSS) factor; and determining, by the at least one hardware processor, a CVSS score based on the at least one CVSS factor.”
Abstract idea limitations (exemplary claim 2): “wherein the at least one CVSS factor comprises at least one of an attack vector factor, an attack complexity factor, a privileges required factor, a user interaction factor, a scope factor, a confidentiality factor, an integrity factor, or an availability factor.”
Abstract idea limitations (exemplary claim 3): “wherein the at least one CVSS factor comprises an attack vector factor, and the inspecting the binary software code comprises: determining a number of text strings related to network functionalities in the binary software code, and determining the attack vector factor based on the number of text strings related to network functionalities.”
Abstract idea limitations (exemplary claim 4): “wherein the at least one CVSS factor comprises an attack complexity factor, and the inspecting the binary software code comprises: determining a number of routines related to compiler defense, obfuscation, validation, or exception handling in the binary software code, and determining the attack complexity factor based on the number of routines related to compiler defense, obfuscation, validation, or exception handling.”
Abstract idea limitations (exemplary claim 5): “wherein the at least one CVSS factor comprises a privileges required factor, and the inspecting the binary software code comprises: determining a number of application program interfaces (APIs) related to privilege processing in the binary software code, and determining the privileges required factor based on the number of APIs related to privilege processing.”
Abstract idea limitations (exemplary claim 6): “wherein the at least one CVSS factor comprises a user interaction factor, and the inspecting the binary software code comprises: determining a number of routines related to user input in the binary software code, and determining the user interaction factor based on the number of routines related to user input.”
Abstract idea limitations (exemplary claim 7): “The method of Claim 1, further comprising outputting the CVSS score.”
	Potential limitations which may recite significantly more: “computer-implemented,” “by at least one hardware processor,” “one or more computer-readable storage media coupled to the at least one hardware processor and storing programming instructions for execution by the at least one hardware processor” (exemplary claim 8); “on a software service platform” / “by the software service platform.”
The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely using a computer as a tool to perform an abstract idea is not considered to be sufficient—see MPEP 2106.05(f). In this case, the claims merely recite a hardware processor and/or storage media and instructions for performing the process without further describing any particular machine, which is analogous to merely using a computer as a tool to perform the judicial exception.
Independent claims 8 and 15 comprise substantially similar subject matter, and are likewise rejected. The dependent claims further specify factors which a human coder may observe and evaluate within the binary code (i.e., further specifying the code portions which are observed and evaluated). They do not specify any additional elements which may be significantly more than the judicial exception. Since the dependent claims do not rectify the identified issues, they are likewise rejected. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-2, 5-6, 8-9, 12-13, 15-16, and 19-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hufsmith (US 2020/0097662 A1) in view of Murthy (US 2019/0258803 A1).

Regarding claim 1, Hufsmith discloses: A computer-implemented method, comprising: 
receiving, by at least one hardware processor on a software service platform, a binary software code; 
Refer to at least [0033] and [0036] of Hufsmith, wherein “[b]y analyzing the data in each of the layers of a container, some embodiments extract the binaries and send them to the most appropriate scanning technique across multiple scanning engines.”
inspecting, by the at least one hardware processor, the binary software code to determine at least one Common Vulnerability Scoring Standard (CVSS) factor, wherein the at least one CVSS factor comprises an attack vector factor, and the inspecting the binary software code comprises:
Refer to at least [0033] of Hufsmith, wherein “[t]he binary and package information may be assessed and sent to engines to acquire the CVE and CWE information for the binary.”
Refer to at least [0084], [0113] and [0116] of Hufsmith with respect to CVE and CVSS.
Refer to at least [0117] of Hufsmith with respect to exploitability metrics. 
determining a number of text strings related to remote network functionalities in the binary software code, and determining the attack vector factor based on the number of text strings related to remote network functionalities in the binary software code;
Refer to at least [0140] of Hufsmith, wherein “a container image may include a subroutine that registered with a networks socket, but a composition file or other code may indicate that the subroutine is never invoked. Or an container image may include a library with module having a sys.exec command based on a passed value, but a call graph of a the larger distributed application may indicate that the sys.exec command module is never called.”
Refer to at least [0163] and [0185] of Hufsmith with respect to parsing source code and analyzing commands. 
determining, by the at least one hardware processor, a CVSS score based on the at least one CVSS factor; and
outputting, by the software service platform, the CVSS score.
Refer to at least [0033] of Hufsmith, wherein “some embodiments may apply algorithms to the results to generate a comprehensive view into the image to obtain a threat assessment, remediation recommendations and exposure report.”
Refer to at least the abstract and FIG. 6 with respect to providing a score with the assessment/report.
Hufsmith does not appear to specify: determining the attack vector factor based on the number of text strings related to remote network functionalities in the binary software code and a configured threshold for remote network functionalities. However, Hufsmith in view of Murthy discloses: determining the attack vector factor based on the number of text strings related to remote network functionalities in the binary software code and a configured threshold for remote network functionalities.
Refer to at least [0140], [0052]-[0059], [0063], and [0066]-[0067] of Murthy with respect to identifying a number of found instructions against a threshold number of instructions. 
The teachings of Hufsmith and Murthy both concern vulnerability analysis of code, and are considered to be within the same field of endeavor and combinable as such. 
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Hufsmith to further include counting and comparison against a threshold number of instructions for at least the purpose of efficiently determining a threat assessment (i.e., based on a count). 

Regarding claim 2, Hufsmith-Murthy discloses: The method of Claim 1, wherein the at least one CVSS factor comprises at least one of an attack complexity factor, a privileges required factor, a user interaction factor, a scope factor, a confidentiality factor, an integrity factor, or an availability factor.
Refer to at least [0117] of Hufsmith with respect to exploitability metrics. 

Regarding claim 5, Hufsmith-Murthy discloses: The method of Claim 1, wherein the at least one CVSS factor comprises a privileges required factor, and the inspecting the binary software code comprises: determining a number of application program interfaces (APIs) related to privilege processing in the binary software code, and determining the privileges required factor based on the number of APIs related to privilege processing.
Refer to at least [0083] of Hufsmith, wherein “such dynamic tests include calling an API exposed by that body of code with API requests including code injection attacks and including parameters configured to cause a buffer overflow to detect whether the code appropriately handles the attack or if it allows access or privilege escalation when it should not.”

Regarding claim 6, Hufsmith-Murthy discloses: The method of Claim 1, wherein the at least one CVSS factor comprises a user interaction factor, and the inspecting the binary software code comprises: determining a number of routines related to user input in the binary software code, and determining the user interaction factor based on the number of routines related to user input.
Refer to at least [0117] of Hufsmith with respect to user interaction metrics. 
Refer to at least [0188] of Hufsmith with respect to creating and traversing call graphs of the binary. 

Regarding independent claim 8, it is substantially similar to independent claim 1 above, and is therefore rejected for substantially the same reasons (i.e., the citations).

Regarding claims 9 and 12-13, they are substantially similar to claims 2 and 5 above, and are therefore likewise rejected.

Regarding independent claim 15, it is substantially similar to independent claim 1 above, and is therefore rejected for substantially the same reasons (i.e., the citations).

Regarding claims 16 and 19-20, they are substantially similar to claims 2 and 5-6 above, and are therefore likewise rejected.

Claims 4, 11, and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hufsmith-Murthy as applied to claims 1-2, 5-6, 8-9, 12-13, 15-16, and 19-20 above, and further in view of Yawalkar (US 2020/0137126 A1).

Regarding claim 4, Hufsmith-Murthy discloses: The method of Claim 1, wherein the at least one CVSS factor comprises an attack complexity factor, and the inspecting the binary software code comprises: determining a number of routines, and determining the attack complexity factor. 
Refer to at least [0117] of Hufsmith with respect to attack complexity as a vulnerability metric. 
Hufsmith-Murthy does not appear to disclose: routines related to compiler defense, obfuscation, validation, or exception handling in the binary software code; based on the number of routines related to compiler defense, obfuscation, validation, or exception handling. However, Hufsmith-Murthy in view of Yawalkar discloses: routines related to compiler defense, obfuscation, validation, or exception handling in the binary software code; based on the number of routines related to compiler defense, obfuscation, validation, or exception handling. 
Refer to at least [0024] of Yawalkar, wherein “security risk factors… comparison against the NVD, common vulnerabilities and exposures (CVEs)… similarity with adblocker scripts, similarity with privacy snooping scripts, presence of dangerous JavaScript constructs such as eval, instances of personally identifiable information (PII) handling, obfuscation measures, such as an assessment of effectiveness of code or PII obfuscation techniques, and any other security risk factors.”
The teachings of Hufsmith-Murthy and Yawalkar each concern security risk factors, and are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Hufsmith-Murthy to further include vulnerability metrics such as those listed in [0024] of Yawalkar for at least the purpose of further providing additional scanning for better detection and scoring of threats. This would increase security in line with the intent of Hufsmith (i.e., performing multiple scans and aggregating the results for scoring). 

Claims 11 and 18 are substantially similar to claim 4 above, and are therefore likewise rejected.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432


/V.S/Examiner, Art Unit 2432