DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims
Claims 1-20 are pending.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 9, 11, 19-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Davidi et al (PGPUB 2020/0042715), and further in view of Schmugar et al (PGPUB 2021/0200867), Buyukkayhan et al (US 9,998,484), and Walia et al (PGPUB 2021/0216595).

Regarding Claim 1:
	Davidi teaches a computer-implemented method for identifying software vulnerabilities in embedded device firmware, at least a portion of the method being performed by a computing device comprising at least one processor (abstract, method for firmware verification; paragraph 24, method performed by processor executing instructions), the method comprising:
collecting a firmware image for an Internet-of-Things device (paragraph 11, obtaining firmware code; paragraph 45, Internet of Things firmware);
extracting library dependencies from the firmware image for the Internet-of-Things device (paragraph 70, list of one or more libraries utilized by the firmware is obtained);
identifying a true version of a library specified in the firmware image (paragraph 93, version numbers of libraries used by firmware is obtained; user obtains accurate library versions); and
performing a security action to protect a user from a security risk based on identifying the true version of the library specified in the firmware image (paragraph 96, vulnerabilities of the firmware determined based on the vulnerabilities database, by identifying vulnerabilities corresponding to each library of the list of libraries that is utilized by the firmware; paragraph 107, condition relates to library versions; paragraph 128, fix of firmware includes changing library version utilized by the firmware; update may fix security breach and eliminate a vulnerability).
Davidi does not explicitly teach identifying a true version of a library by checking a ground truth database that records confirmed values for true versions for previously encountered libraries by recording extracted symbols for the previously encountered libraries;
wherein:
identifying the true version of the library specified in the firmware image comprises computing a distance between a first set of exported symbols for the library specified in the firmware image and a second set of exported symbols for the true version of the library as previously encountered within the ground truth database.
However, Schmugar teaches the concept of identifying a true version of a library by checking a ground truth database that records confirmed values for true versions for previously encountered libraries by recording extracted symbols for the previously encountered libraries (Examiner’s note: instant specification, e.g. [0047], defines “symbol” as alphanumeric identifying a function accessible through a library, i.e. a function name; paragraph 20, DLL security controller generates fingerprint of one or more target DLLs invoked by an executable; DLL fingerprint can be based on a list of imported functions of the executable; paragraph 32, OS loads DLL and identifies data, e.g. exports table, exported functions list, including names of functions that the DLL exports to other executables; paragraph 1, methods to defend against dynamic-link library (DLL) side-loading attacks; paragraph 41, DLL security controller generates fingerprint of invoked DLL; the DLL fingerprint describes and/or otherwise is representative of a relationship (e.g., a list of imported functions, one or more addresses corresponding to a DLL, etc.) between the caller of a DLL (e.g., the application 124) and the DLL, properties (e.g., static properties) of the DLL, etc., and/or a combination thereof; paragraph 71, DLL security controller includes database to store or record data including example reference fingerprints; paragraph 43, the first DLL security controller 102 can compare the DLL fingerprint to first example reference fingerprint(s) (e.g., reference DLL fingerprint(s)) 136; the first reference fingerprint(s) 136 can be DLL fingerprints previously generated by the first DLL security controller 102 of the first computing device 108, one or more of the second computing devices 110, the central facility 106, etc., and/or a combination thereof; paragraph 56, fingerprint of DLL identifies version of DLL; paragraph 60, fingerprint comparator determines whether DLL fingerprint deviates from reference fingerprints known to be associated with trusted DLLs; if the difference is greater than the deviation threshold, than the deviation threshold is satisfied; paragraph 62, if the deviation threshold is satisfied, the comparator determines that the DLL is associated with a malicious DLL);
wherein:
identifying the true version of the library specified in the firmware image comprises computing a distance between a first set of exported symbols for the library specified in the firmware image and a second set of exported symbols for the true version of the library as previously encountered within the ground truth database (paragraph 41, DLL security controller generates fingerprint based on e.g. exported functions list of the DLL; paragraph 43, DLL security controller compares DLL fingerprint to example reference DLL fingerprints, e.g. previously generated DLL fingerprints; paragraph 71, DLL security controller includes database to store or record data including example reference fingerprints; paragraph 60, fingerprint comparator determines whether DLL fingerprint deviates from reference fingerprints known to be associated with trusted DLLs; if the difference is greater than the deviation threshold, than the deviation threshold is satisfied, i.e. the DLL fingerprint does not match the reference fingerprints of the trusted DLLs; paragraph 62, if the deviation threshold is satisfied, the comparator determines that the DLL is associated with a malicious DLL).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the DLL fingerprint teachings of Schmugar with the firmware vulnerability analysis teachings of Davidi, with the benefit of providing a means to prove the safety and security of external libraries referenced by device firmware through the use of shared DLL knowledge repositories which incorporate a wide array of tested validation metrics in order to confirm that the particular version of a library used by the firmware corresponds to a version of the library which is known to be trusted by devices in the field.
Neither Davidi nor Schmugar explicitly teaches computing a Jaccard distance.
However, Buyukkayhan teaches the concept wherein identifying a true version of a library comprises computing a Jaccard distance between a first set of exported symbols for the library and a second set of exported symbols for the true version of the library as previously encountered within a ground truth database (abstract, method comprises obtaining at least a first software module not classified as benign or potentially malicious, extracting a set of features associated with the first software module including static, behavior and context features, computing distance metrics between the extracted feature set and feature sets of a plurality of clusters including one or more clusters of software modules previously classified as benign and exhibiting a first threshold level of similarity relative to one another and one or more clusters of software modules previously classified as potentially malicious and exhibiting a second threshold level of similarity relative to one another, classifying the first software module as belonging to a given cluster based at least in part on the computed distance metrics; col 3 line 1-9, software modules include dynamic link library (DLL) modules; col 10 line 57-col 11 line 7, similarity or dissimilarity between software modules may be defined using distance functions; similar software modules should have smaller distances (e.g., 0) and increase (e.g., up to 1) for dissimilar software modules; different distance functions may be used for individual features; for example, Jaccard distance may be used for sets).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the Jaccard distance teachings of Buyukkayhan with the firmware vulnerability analysis teachings of Davidi in view of Schmugar.  The Jaccard distance is a well-known metric for describing the difference between two sets of elements, and is complementary to the Jaccard index measuring similarity (equal to the ratio of the intersection of two sets to the union).  Therefore, a person of ordinary skill in the art, faced with the problem of quantizing the difference between two sets of software features, would be motivated to choose the Jaccard distance, as it is well-known, simple to understand, easy to compute (or at least program a device to compute), and provides a normalized value within the range of 0 to 1 for ease of comparison.
Neither Davidi nor Schmugar nor Buyukkayhan explicitly teaches each symbol in the first set of exported symbols is identified by a corresponding ordinal value.
However, Walia teaches the concept of a document information extraction system, wherein each symbol in a first set of exported symbols is identified by a corresponding ordinal value (Examiner’s note: a “set of exported symbols” which is “identified by a corresponding ordinal value” can simply be seen as a numbered list of elements, as an ordinal value is merely an indicator of a position in a sequence, e.g. first, second, third, etc.; abstract, document information extraction (DIE) system determines a structure of an electronic document based on characteristics of the document's constituent elements; master comparator includes a set of unit comparators and each unit comparator compares a specific characteristic between two elements; paragraph 44, the DIE system 120 may employ a master comparator 240 configured to determine familial relationships based on indexing elements (e.g., numbered lists, etc.) in the document (i.e. “identified by corresponding ordinal value”)).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the numbered list of elements teachings of Walia with the firmware vulnerability analysis teachings of Davidi in view of Schmugar and Buyukkayhan.  Placing a set of elements in a numbered list is one of the most basic methods of organizing information.  A person of ordinary skill in the art, faced with the problem of comparing multiple sets of information, would therefore consider placing the elements in a numbered list, in order to organize the elements in such a way as to make any comparison more structured and efficient.

Regarding Claim 9:
Davidi in view of Schmugar, Buyukkayhan, and Walia teaches the computer-implemented method of claim 1.  In addition, Schmugar teaches wherein identifying the true version of the library specified in the firmware image by checking the ground truth database comprises:
extracting the first set of exported symbols for the library specified in the firmware image (Examiner’s note: instant specification, e.g. [0047], defines “symbol” as alphanumeric identifying a function accessible through a library, i.e. a function name; paragraph 20, DLL security controller generates fingerprint of one or more target DLLs invoked by an executable; DLL fingerprint can be based on a list of imported functions of the executable; paragraph 32, OS loads DLL and identifies data, e.g. exports table, exported functions list, including names of functions that the DLL exports to other executables);
checking the first set of exported symbols against a list of sets of symbols produced for the previously encountered libraries, respectively, according to the ground truth database (paragraph 41, DLL security controller generates fingerprint based on e.g. exported functions list of the DLL; paragraph 43, DLL security controller compares DLL fingerprint to example reference DLL fingerprints, e.g. previously generated DLL fingerprints; paragraph 71, DLL security controller includes database to store or record data including example reference fingerprints); and
identifying a match between the first set of exported symbols for the library specified in the firmware image and an entry in the list of sets of symbols produced for the previously encountered libraries (paragraph 60, fingerprint comparator determines whether DLL fingerprint deviates from reference fingerprints known to be associated with trusted DLLs; if the difference is greater than the deviation threshold, than the deviation threshold is satisfied, i.e. the DLL fingerprint does not match the reference fingerprints of the trusted DLLs; paragraph 62, if the deviation threshold is satisfied, the comparator determines that the DLL is associated with a malicious DLL).
The rationale to combine Davidi and Schmugar is the same as provided for claim 1 due to the overlapping subject matter between claims 1 and 9.

Regarding Claim 11:
Davidi teaches a system for protecting users (abstract, method for firmware verification; paragraph 24, method performed by processor executing instructions), the system comprising:
a collection module, stored in memory, that collects a firmware image for an Internet-of- Things device (paragraph 11, obtaining firmware code; paragraph 45, Internet of Things firmware);
an extraction module, stored in memory, that extracts library dependencies from the firmware image for the Internet-of-Things device (paragraph 70, list of one or more libraries utilized by the firmware is obtained);
an identification module, stored in memory, that identifies a true version of a library specified in the firmware image (paragraph 93, version numbers of libraries used by firmware is obtained; user obtains accurate library versions);
a performance module, stored in memory, that performs a security action to protect a user from a security risk based on identifying the true version of the library specified in the firmware image (paragraph 96, vulnerabilities of the firmware determined based on the vulnerabilities database, by identifying vulnerabilities corresponding to each library of the list of libraries that is utilized by the firmware; paragraph 107, condition relates to library versions; paragraph 128, fix of firmware includes changing library version utilized by the firmware; update may fix security breach and eliminate a vulnerability); and
at least one physical processor configured to execute the collection module, the extraction module, the identification module, and the performance module (abstract, method for firmware verification; paragraph 24, method performed by processor executing instructions).
Davidi does not explicitly teach identifying a true version of a library by checking a ground truth database that records confirmed values for true versions for previously encountered libraries by recording extracted symbols for the previously encountered libraries;
wherein:
identifying the true version of the library specified in the firmware image comprises computing a distance between a first set of exported symbols for the library specified in the firmware image and a second set of exported symbols for the true version of the library as previously encountered within the ground truth database.
However, Schmugar teaches the concept of identifying a true version of a library by checking a ground truth database that records confirmed values for true versions for previously encountered libraries by recording extracted symbols for the previously encountered libraries (Examiner’s note: instant specification, e.g. [0047], defines “symbol” as alphanumeric identifying a function accessible through a library, i.e. a function name; paragraph 20, DLL security controller generates fingerprint of one or more target DLLs invoked by an executable; DLL fingerprint can be based on a list of imported functions of the executable; paragraph 32, OS loads DLL and identifies data, e.g. exports table, exported functions list, including names of functions that the DLL exports to other executables; paragraph 1, methods to defend against dynamic-link library (DLL) side-loading attacks; paragraph 41, DLL security controller generates fingerprint of invoked DLL; the DLL fingerprint describes and/or otherwise is representative of a relationship (e.g., a list of imported functions, one or more addresses corresponding to a DLL, etc.) between the caller of a DLL (e.g., the application 124) and the DLL, properties (e.g., static properties) of the DLL, etc., and/or a combination thereof; paragraph 71, DLL security controller includes database to store or record data including example reference fingerprints; paragraph 43, the first DLL security controller 102 can compare the DLL fingerprint to first example reference fingerprint(s) (e.g., reference DLL fingerprint(s)) 136; the first reference fingerprint(s) 136 can be DLL fingerprints previously generated by the first DLL security controller 102 of the first computing device 108, one or more of the second computing devices 110, the central facility 106, etc., and/or a combination thereof; paragraph 56, fingerprint of DLL identifies version of DLL; paragraph 60, fingerprint comparator determines whether DLL fingerprint deviates from reference fingerprints known to be associated with trusted DLLs; if the difference is greater than the deviation threshold, than the deviation threshold is satisfied; paragraph 62, if the deviation threshold is satisfied, the comparator determines that the DLL is associated with a malicious DLL);
wherein:
identifying the true version of the library specified in the firmware image comprises computing a distance between a first set of exported symbols for the library specified in the firmware image and a second set of exported symbols for the true version of the library as previously encountered within the ground truth database (paragraph 41, DLL security controller generates fingerprint based on e.g. exported functions list of the DLL; paragraph 43, DLL security controller compares DLL fingerprint to example reference DLL fingerprints, e.g. previously generated DLL fingerprints; paragraph 71, DLL security controller includes database to store or record data including example reference fingerprints; paragraph 60, fingerprint comparator determines whether DLL fingerprint deviates from reference fingerprints known to be associated with trusted DLLs; if the difference is greater than the deviation threshold, than the deviation threshold is satisfied, i.e. the DLL fingerprint does not match the reference fingerprints of the trusted DLLs; paragraph 62, if the deviation threshold is satisfied, the comparator determines that the DLL is associated with a malicious DLL).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the DLL fingerprint teachings of Schmugar with the firmware vulnerability analysis teachings of Davidi, with the benefit of providing a means to prove the safety and security of external libraries referenced by device firmware through the use of shared DLL knowledge repositories which incorporate a wide array of tested validation metrics in order to confirm that the particular version of a library used by the firmware corresponds to a version of the library which is known to be trusted by devices in the field.
Neither Davidi nor Schmugar explicitly teaches computing a Jaccard distance.
However, Buyukkayhan teaches the concept wherein identifying a true version of a library comprises computing a Jaccard distance between a first set of exported symbols for the library and a second set of exported symbols for the true version of the library as previously encountered within a ground truth database (abstract, method comprises obtaining at least a first software module not classified as benign or potentially malicious, extracting a set of features associated with the first software module including static, behavior and context features, computing distance metrics between the extracted feature set and feature sets of a plurality of clusters including one or more clusters of software modules previously classified as benign and exhibiting a first threshold level of similarity relative to one another and one or more clusters of software modules previously classified as potentially malicious and exhibiting a second threshold level of similarity relative to one another, classifying the first software module as belonging to a given cluster based at least in part on the computed distance metrics; col 3 line 1-9, software modules include dynamic link library (DLL) modules; col 10 line 57-col 11 line 7, similarity or dissimilarity between software modules may be defined using distance functions; similar software modules should have smaller distances (e.g., 0) and increase (e.g., up to 1) for dissimilar software modules; different distance functions may be used for individual features; for example, Jaccard distance may be used for sets).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the Jaccard distance teachings of Buyukkayhan with the firmware vulnerability analysis teachings of Davidi in view of Schmugar.  The Jaccard distance is a well-known metric for describing the difference between two sets of elements, and is complementary to the Jaccard index measuring similarity (equal to the ratio of the intersection of two sets to the union).  Therefore, a person of ordinary skill in the art, faced with the problem of quantizing the difference between two sets of software features, would be motivated to choose the Jaccard distance, as it is well-known, simple to understand, easy to compute (or at least program a device to compute), and provides a normalized value within the range of 0 to 1 for ease of comparison.
Neither Davidi nor Schmugar nor Buyukkayhan explicitly teaches each symbol in the first set of exported symbols is identified by a corresponding ordinal value.
However, Walia teaches the concept of a document information extraction system, wherein each symbol in a first set of exported symbols is identified by a corresponding ordinal value (Examiner’s note: a “set of exported symbols” which is “identified by a corresponding ordinal value” can simply be seen as a numbered list of elements, as an ordinal value is merely an indicator of a position in a sequence, e.g. first, second, third, etc.; abstract, document information extraction (DIE) system determines a structure of an electronic document based on characteristics of the document's constituent elements; master comparator includes a set of unit comparators and each unit comparator compares a specific characteristic between two elements; paragraph 44, the DIE system 120 may employ a master comparator 240 configured to determine familial relationships based on indexing elements (e.g., numbered lists, etc.) in the document (i.e. “identified by corresponding ordinal value”)).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the numbered list of elements teachings of Walia with the firmware vulnerability analysis teachings of Davidi in view of Schmugar and Buyukkayhan.  Placing a set of elements in a numbered list is one of the most basic methods of organizing information.  A person of ordinary skill in the art, faced with the problem of comparing multiple sets of information, would therefore consider placing the elements in a numbered list, in order to organize the elements in such a way as to make any comparison more structured and efficient.

Regarding Claim 19:
Davidi in view of Schmugar, Buyukkayhan, and Walia teaches the system of claim 11.  In addition, Schmugar teaches wherein the identification module identifies the true version of the library specified in the firmware image by checking the ground truth database at least in part by:
extracting a set of exported symbols for the library specified in the firmware image (Examiner’s note: instant specification, e.g. [0047], defines “symbol” as alphanumeric identifying a function accessible through a library, i.e. a function name; paragraph 20, DLL security controller generates fingerprint of one or more target DLLs invoked by an executable; DLL fingerprint can be based on a list of imported functions of the executable; paragraph 32, OS loads DLL and identifies data, e.g. exports table, exported functions list, including names of functions that the DLL exports to other executables);
checking the extracted set of exported symbols against a list of sets of symbols produced for the previously encountered libraries, respectively, according to the ground truth database (paragraph 41, DLL security controller generates fingerprint based on e.g. exported functions list of the DLL; paragraph 43, DLL security controller compares DLL fingerprint to example reference DLL fingerprints, e.g. previously generated DLL fingerprints; paragraph 71, DLL security controller includes database to store or record data including example reference fingerprints); and
identifying a match between the set of exported symbols for the library specified in the firmware image and an entry in the list of sets of symbols produced for the previously encountered libraries (paragraph 60, fingerprint comparator determines whether DLL fingerprint deviates from reference fingerprints known to be associated with trusted DLLs; if the difference is greater than the deviation threshold, than the deviation threshold is satisfied, i.e. the DLL fingerprint does not match the reference fingerprints of the trusted DLLs; paragraph 62, if the deviation threshold is satisfied, the comparator determines that the DLL is associated with a malicious DLL).
The rationale to combine Davidi and Schmugar is the same as provided for claim 1 due to the overlapping subject matter between claims 1 and 9.

Regarding Claim 20:
	This is the non-transitory computer-readable medium corresponding to the system of claim 11, and is therefore rejected for corresponding reasons.

Claims 2-4, 12-14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Davidi in view of Schmugar, Buyukkayhan, and Walia, and further in view of Wang et al (Association Analysis of Firmware Based on NoSQL Database).

Regarding Claim 2:
Davidi in view of Schmugar, Buyukkayhan, and Walia teaches the computer-implemented method of claim 1.  
Neither Davidi nor Schmugar nor Buyukkayhan nor Walia explicitly teaches wherein the firmware image for the Internet-of-Things device is collected from a vendor website.
However, Wang teaches wherein a firmware image for an Internet-of-Things device is collected from a vendor website (page 99, dynamic crawler program using Scrapy application framework to crawl the firmware from specific manufacturer’s website; page 94, Internet-of-things embedded devices; embedded device firmware).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the firmware collection from a website teachings of Wang with the firmware vulnerability analysis teachings of Davidi in view of Schmugar, Buyukkayhan, and Walia, in order to automate the dynamic analysis of firmware for vulnerabilities at a large scale, thereby providing improved security for a large number of different devices in a short amount of time, utilizing the improved efficiency provided by web scraping and crawling tools.

Regarding Claim 3:
Davidi in view of Schmugar, Buyukkayhan, Walia, and Wang teaches the computer-implemented method of claim 2.  In addition, Wang teaches wherein the firmware image for the Internet-of-Things device is collected from the vendor website using a screen scraping component (page 99, dynamic scraper using Scrapy application framework to crawl data of website and obtain firmware information).
	The rationale to combine Davidi and Wang is the same as provided for claim 2 due to the overlapping subject matter between claims 2 and 3.

Regarding Claim 4:
Davidi in view of Schmugar, Buyukkayhan, Walia, and Wang teaches the computer-implemented method of claim 3.  In addition, Wang teaches wherein the firmware image for the Internet-of-Things device is collected from the vendor website by a web crawler using the screen scraping component (page 99, dynamic scraper using Scrapy application framework to crawl data of website and obtain firmware information).
	The rationale to combine Davidi and Wang is the same as provided for claim 3 due to the overlapping subject matter between claims 3 and 4.

Regarding Claim 12:
Davidi in view of Schmugar, Buyukkayhan, and Walia teaches the system of claim 11.  
Neither Davidi nor Schmugar explicitly teaches wherein the firmware image for the Internet-of-Things device is collected from a vendor website.
However, Wang teaches wherein a firmware image for an Internet-of-Things device is collected from a vendor website (page 99, dynamic crawler program using Scrapy application framework to crawl the firmware from specific manufacturer’s website; page 94, Internet-of-things embedded devices; embedded device firmware).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the firmware collection from a website teachings of Wang with the firmware vulnerability analysis teachings of Davidi in view of Schmugar, Buyukkayhan, and Walia, in order to automate the dynamic analysis of firmware for vulnerabilities at a large scale, thereby providing improved security for a large number of different devices in a short amount of time, utilizing the improved efficiency provided by web scraping and crawling tools.

Regarding Claim 13:
Davidi in view of Schmugar, Buyukkayhan, Walia, and Wang teaches the system of claim 12.  In addition, Wang teaches wherein the collection module is configured to collect the firmware image for the Internet-of-Things device from the vendor website using a screen scraping component (page 99, dynamic scraper using Scrapy application framework to crawl data of website and obtain firmware information).
	The rationale to combine Davidi and Wang is the same as provided for claim 12 due to the overlapping subject matter between claims 12 and 13.

Regarding Claim 14:
Davidi in view of Schmugar, Buyukkayhan, Walia, and Wang teaches the system of claim 13.  In addition, Wang teaches wherein the collection module is configured to collect the firmware image for the Internet-of-Things device from the vendor website as part of a web crawler using the screen scraping component (page 99, dynamic scraper using Scrapy application framework to crawl data of website and obtain firmware information).
	The rationale to combine Davidi and Wang is the same as provided for claim 13 due to the overlapping subject matter between claims 13 and 14.

Claims 5-6, 15-16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Davidi in view of Schmugar, Buyukkayhan, and Walia, and further in view of Boutnaru et al (PGPUB 2021/0390182).

Regarding Claim 5:
Davidi in view of Schmugar, Buyukkayhan, and Walia teaches the computer-implemented method of claim 1.
Neither Davidi nor Schmugar nor Buyukkayhan nor Walia explicitly teaches wherein extracting the library dependencies from the firmware image for the Internet-of-Things device comprises extracting the library dependencies from entries within a program file header.
However, Boutnaru teaches the concept wherein extracting library dependencies from a software image comprises extracting the library dependencies from entries within a program file header (abstract, determining whether application has been corrupted or compromised by malicious code; paragraph 67, header and section reader analyzes header of image file to determine the libraries that are dynamically-linkable during execution); and
Davidi teaches wherein the software is the firmware image for the Internet-of-Things device (paragraph 11, obtaining firmware code; paragraph 45, Internet of Things firmware).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the extracting entries from a file header teachings of Boutnaru with the firmware vulnerability analysis teachings of Davidi in view of Schmugar, Buyukkayhan, and Walia, in order to take advantage of the fact that many declared variables and external functions/libraries are declared in a program header file, thus improving efficiency by relying on conventional software development methods to obtain the list of dependencies without having to perform full static analysis on a firmware program.

Regarding Claim 6:
Davidi in view of Schmugar, Buyukkayhan, Walia, and Boutnaru teaches the computer-implemented method of claim 5.  In addition, Boutnaru teaches wherein the entries within the program file header identify libraries requested by a corresponding program file (paragraph 40, image comprises binaries, scripts, executable program code of an application and dependencies necessary for application execution; dependencies include libraries; paragraph 67, header and section reader analyzes header of image file to determine the libraries that are dynamically-linkable during execution).
The rationale to combine Boutnaru and Davidi is the same as provided for claim 5 due to the overlapping subject matter between claims 5 and 6.

Regarding Claim 15:
Davidi in view of Schmugar, Buyukkayhan, and Walia teaches the system of claim 11.
Neither Davidi nor Schmugar nor Buyukkayhan nor Walia explicitly teaches wherein the extraction module extracts the library dependencies from the firmware image for the Internet-of-Things device by extracting the library dependencies from entries within a program file header.
However, Boutnaru teaches the concept wherein an extraction module extracts library dependencies from a software image by extracting the library dependencies from entries within a program file header (abstract, determining whether application has been corrupted or compromised by malicious code; paragraph 67, header and section reader analyzes header of image file to determine the libraries that are dynamically-linkable during execution); and
Davidi teaches wherein the software is the firmware image for the Internet-of-Things device (paragraph 11, obtaining firmware code; paragraph 45, Internet of Things firmware).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the extracting entries from a file header teachings of Boutnaru with the firmware vulnerability analysis teachings of Davidi in view of Schmugar, Buyukkayhan, and Walia, in order to take advantage of the fact that many declared variables and external functions/libraries are declared in a program header file, thus improving efficiency by relying on conventional software development methods to obtain the list of dependencies without having to perform full static analysis on a firmware program.

Regarding Claim 16:
Davidi in view of Schmugar, Buyukkayhan, Walia, and Boutnaru teaches the system of claim 15.  In addition, Boutnaru teaches wherein the entries within the program file header identify libraries requested by a corresponding program file (paragraph 40, image comprises binaries, scripts, executable program code of an application and dependencies necessary for application execution; dependencies include libraries; paragraph 67, header and section reader analyzes header of image file to determine the libraries that are dynamically-linkable during execution).
The rationale to combine Boutnaru and Davidi is the same as provided for claim 15 due to the overlapping subject matter between claims 15 and 16.

Claims 7, 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Davidi in view of Schmugar, Buyukkayhan, and Walia, and further in view of Dalessio et al (US 10,235,527).

Regarding Claim 7:
Davidi in view of Schmugar, Buyukkayhan, and Walia teaches the computer-implemented method of claim 1.
Neither Davidi nor Schmugar nor Buyukkayhan nor Walia explicitly teaches wherein the ground truth database is generated at least in part by collecting from public repositories binary distributions of libraries that are labeled with true versions.
However, Dalessio teaches the concept wherein a ground truth database is generated at least in part by collecting from public repositories binary distributions of libraries that are labeled with true versions (abstract, method for monitoring states of application packages deployed on a platform; col 5 line 45-58, using the library names and versions, the report server retrieves status data from various data stores; the report server retrieves vulnerability data from software vulnerability database; the report server retrieves version data from a library index database; the version data can include past and current versions of a library; the version data can include a most up-to-date version number of the library, a date of release of the most up-to-date version, or both).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the distributed true versions of libraries teachings of Dalessio with the  firmware vulnerability analysis teachings of Davidi in view of Schmugar, Buyukkayhan, and Walia, in order to obtain accurate version data of up-to-date library revisions from a variety of data providers, thereby creating a usable database of vulnerable/safe library versions which is comprehensive, covering a wide array of libraries, and thus improving the security environment.

Regarding Claim 17:
Davidi in view of Schmugar, Buyukkayhan, and Walia teaches the system of claim 11.
Neither Davidi nor Schmugar nor Buyukkayhan nor Walia explicitly teaches wherein the ground truth database is generated at least in part by collecting from public repositories binary distributions of libraries that are labeled with true versions.
However, Dalessio teaches the concept wherein a ground truth database is generated at least in part by collecting from public repositories binary distributions of libraries that are labeled with true versions (abstract, method for monitoring states of application packages deployed on a platform; col 5 line 45-58, using the library names and versions, the report server retrieves status data from various data stores; the report server retrieves vulnerability data from software vulnerability database; the report server retrieves version data from a library index database; the version data can include past and current versions of a library; the version data can include a most up-to-date version number of the library, a date of release of the most up-to-date version, or both).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the distributed true versions of libraries teachings of Dalessio with the  firmware vulnerability analysis teachings of Davidi in view of Schmugar, Buyukkayhan, and Walia, in order to obtain accurate version data of up-to-date library revisions from a variety of data providers, thereby creating a usable database of vulnerable/safe library versions which is comprehensive, covering a wide array of libraries, and thus improving the security environment.

Claims 8, 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Davidi in view of Schmugar, Buyukkayhan, and Walia, and further in view of Makkar (PGPUB 2019/0079753).

Regarding Claim 8:
Davidi in view of Schmugar, Buyukkayhan, and Walia teaches the computer-implemented method of claim 1.
Neither Davidi nor Schmugar nor Buyukkayhan nor Walia explicitly teaches wherein the ground truth database is generated at least in part by collecting source code distributions.
However, Makkar teaches the concept wherein a ground truth database is generated at least in part by collecting source code distributions (abstract, method for adding library models to a library knowledge base; paragraph 68, to support the addition of new library functions to the accumulated library knowledge base, the workflow is configure to receive and validate a library configuration file created by the program developer when adding a library configuration model to the library knowledge base; generally speaking, the library configuration file includes library function information, functionally similar code snippets which perform the same work as the library function, sample inputs and outputs for the library function, and educational content).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the source code distribution teachings of Makkar with the firmware vulnerability analysis teachings of Davidi in view of Schmugar, Buyukkayhan, and Walia, in order to catalogue library functions according to source code, thereby enabling the system to observe code which makes up a function to ensure the library does not contain inefficient, unnecessary, or malicious code segments.

Regarding Claim 18:
Davidi in view of Schmugar, Buyukkayhan, and Walia teaches the system of claim 11.
Neither Davidi nor Schmugar nor Buyukkayhan nor Walia explicitly teaches wherein the ground truth database is generated at least in part by collecting source code distributions.
However, Makkar teaches the concept wherein a ground truth database is generated at least in part by collecting source code distributions (abstract, method for adding library models to a library knowledge base; paragraph 68, to support the addition of new library functions to the accumulated library knowledge base, the workflow is configure to receive and validate a library configuration file created by the program developer when adding a library configuration model to the library knowledge base; generally speaking, the library configuration file includes library function information, functionally similar code snippets which perform the same work as the library function, sample inputs and outputs for the library function, and educational content).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the source code distribution teachings of Makkar with the firmware vulnerability analysis teachings of Davidi in view of Schmugar, Buyukkayhan, and Walia, in order to catalogue library functions according to source code, thereby enabling the system to observe code which makes up a function to ensure the library does not contain inefficient, unnecessary, or malicious code segments.

Claim 10 is/are rejected under 35 U.S.C. 103 as being unpatentable over Davidi in view of Schmugar, Buyukkayhan, and Walia, and further in view of Kalidindi et al (PGPUB 2016/0378453).

Regarding Claim 10:
Davidi in view of Schmugar, Buyukkayhan, and Walia teaches the computer-implemented method of claim 1.
Neither Davidi nor Schmugar nor Buyukkayhan nor Walia explicitly teaches wherein the security action comprises comparing a release date for the firmware image against a release date for the true version of the library specified in the firmware image to give an indication of how well-maintained the Internet-of-Things device is.
However, Kalidindi teaches the concept wherein a security action comprises comparing a release date for a firmware image against a release date for a true version of a library specified in the firmware image to give an indication of how well-maintained a device is (abstract, device obtains updated code segment files and dependency information for client application, the information associating known defects with code segments; paragraph 26, software includes application/firmware; paragraph 34, sample data structure for dependencies matrix including dependencies field; paragraph 37, dependencies field associates particular logical code functions with corresponding defect marker; entries in dependencies field identify version, date, or timestamp of logical code functions; device compares version/date of currently installed code section with version/date of the entry in dependencies field to determine if updated code segment is available to address particular defect); and
Davidi teaches wherein the device is the Internet-of-Things device (paragraph 11, obtaining firmware code; paragraph 45, Internet of Things firmware).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the dependency date comparison teachings of Kalidindi with the firmware vulnerability analysis teachings of Davidi in view of Schmugar, Buyukkayhan, and Walia, in order to provide a means of determining that a software element was using dependencies which are kept up-to-date, and did not contain old code segments with unpatched vulnerabilities.

Response to Arguments
Applicant's arguments filed 4/14/2022 have been fully considered but they are not persuasive.

Regarding the rejection of claims under 35 USC 103:
	Applicant’s arguments merely assert that the prior art of record fails to disclose at least the amended features of the claims.  However, a new ground(s) for rejection is presented above which does teach these additional features, as added by amendment.
	Further, regarding the assertion that the dependent claims are allowable for the same reasons as the respective independent claims, Examiner notes that the respective independent claims are not allowable.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FORREST L CAREY whose telephone number is (571)270-7814. The examiner can normally be reached 9:00AM-5:30PM M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/FORREST L CAREY/Examiner, Art Unit 2491                                                                                                                                                                                                        

/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491