DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Response to Amendment
The Amendment filed on 07/27/2022 has been entered. 
The rejection of claims 11-15 under 35 U.S.C. 101 is withdrawn in view of the amendment.
The rejection of claims 1, 8-10 under 35 U.S.C. 112(b) is withdrawn in view of the amendment and applicant’s remark.
Claims 1, 5, 8-10, 14 and 24 are amended.
Claims 1-25 are pending of which claims 1, 8, 9 and 10 are independent claims.

Response to Arguments
The applicant's arguments filed on 07/27/2022 have been fully considered but the arguments are essentially directed towards the newly introduced limitations and they are addressed in this Office Action, below.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-2, 4-11, 13-16, 18-21 and 23-25 are rejected under 35 U.S.C. 103 as being unpatentable over Narasimhan et al. (Pub. No.: US 2014/0282406, hereinafter Narasimhan) in view of Bach et al. (Pub. No.: US 2016/0078231, hereinafter Bach).
Regarding claim 1: Narasimhan discloses A vulnerability checking system comprising:
a terminal (Narasimhan - Fig. 1, user system 102A);
a management server that manages software installed in the terminal (Narasimhan - [0030]: First server(s) 106A is shown to include an automatic risk analyzer 108 for illustrative purposes. Automatic risk analyzer 108 is configured to perform automatic risk analysis of software); and [wherein the distribution server] comprises:
a collection part that collects descriptions related to vulnerability of software, from information published on a network (Narasimhan - [0020]: collect information regarding any of a variety of correlations, including but not limited to a correlation of code enhancements to code defects (e.g., enhancement “abc” caused nine defects), a correlation of code defects to code defects (e.g., fixing defect “xyz” caused or introduced eleven other defects), a correlation of code defects to code churn (e.g., fixing defect “xyz” at a specified time is too risky in terms of code churn)…); and
an analysis part that analyzes the collected descriptions, calculates, as a degree of activity, the number of descriptions related to vulnerability of software that is a target for vulnerability checking within a prescribed period (Narasimhan - [0031]: Automatic risk analyzer 108 may compare the correlations corresponding to a first time instance and the correlations corresponding to a second time instance to determine any of a variety of temporal relationships regarding underlying factors such as churn rate of a function in the software. [0020]:  “code churn” (a.k.a. churn rate) indicates a number of times that a function in the software program is changed during a designated period of time), and generates the new vulnerability information according to the calculated degree of activity (Narasimhan - [0021]: Risk(s) for the software program may be determined based on observed correlation patterns, such as those discussed above).
However Narasimhan doesn’t explicitly teach, but Bach discloses:
a distribution server (Bach - vulnerability processing system 250) that distributes information related to software in which a vulnerability is estimated to be present, as new vulnerability information, to the management server (Bach - [0079]: Upon identifying a vulnerability, vulnerability processing system 250 transmits a notification message 260 to the corresponding operator 270. … The message may include identification of the vulnerable software type and version);
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Narasimhan with Bach so that a message with the affected software type and version is transmitted. The modification would have allowed the system to detect and respond to new vulnerabilities.
Regarding claim 2: Narasimhan as modified discloses wherein the collection part collects descriptions including at least one of: software information that uniquely identifies the software, a vulnerability term related to a vulnerability of the software, and a non-new vulnerability term used when information exchange related to a known vulnerability is performed (Narasimhan - [0031]: Examples of an underlying factor include but are not limited to new feature(s) of the software, enhancement(s) to existing feature(s) of the software, defect(s) in the software).
Regarding claim 4: Narasimhan as modified discloses wherein the analysis part obtains vulnerability checking information in order to identify software that is the target for vulnerability checking (Narasimhan - [0030]: determine correlations between binaries of the software and source files of the software, between the source files and functions (i.e., sub-routines) of the software, between changes to source code of the software and defects in the software, between the changes to source code and new features that are added to the software, between changes to the source code and enhancements to existing features of the software, between attributes of the software (e.g., attributes associated with the changes to the source code), etc).
Regarding claim 5: Narasimhan as modified discloses wherein the collection part collects descriptions related to vulnerability of software, based on information related to a site that is accessed in order to collect descriptions related to vulnerability of the software (Bach - [0041]: Vulnerability scanning and notification system 200 includes one or more network-based (e.g., cloud-based) scanners 240 that scan servers 210 and applications 220 to identify software types and versions operating on servers 210 and included in applications 220).
Bach is combined with Narasimhan herein for similar obviousness reasons and motivation and the same rationale as stated for claim 1.
Regarding claim 6: Narasimhan as modified discloses wherein the analysis part transmits information identifying software that is the target for vulnerability checking corresponding to the degree of activity matching a predetermined condition, as the new vulnerability information, to the management server (Bach - [0079]: Upon identifying a vulnerability, vulnerability processing system 250 transmits a notification message 260 to the corresponding operator 270. … The message may include identification of the vulnerable software type and version).
Bach is combined with Narasimhan herein for similar obviousness reasons and motivation and the same rationale as stated for claim 1.
Regarding claim 7: Narasimhan as modified discloses wherein the management server instructs the terminal to check the state of software in the terminal, the software being identified from the new vulnerability information (Bach - [0079]: The message may include identification of the vulnerable software type and version, as well as a suggested remediation such as updating the version of the vulnerable software).
Bach is combined with Narasimhan herein for similar obviousness reasons and motivation and the same rationale as stated for claim 1.

Regarding claims 8, 11, 13-15: Claims are directed to distribution server claims and do not teach or further define over the limitations recited in claims 1-6. Therefore, claims 8, 11, 13-15 are also rejected for similar reasons set forth in claims 1-6. 

Regarding claims 9, 16, 18-20: Claims are directed to method claims and do not teach or further define over the limitations recited in claims 1-6. Therefore, claims 9, 16, 18-20 are also rejected for similar reasons set forth in claims 1-6. 

Regarding claims 10, 21, 23-25: Claims are directed to computer readable medium claims and do not teach or further define over the limitations recited in claims 1-6. Therefore, claims 10, 21, 23-25 are also rejected for similar reasons set forth in claims 1-6. 

Claims 3, 12, 17 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Narasimhan et al. (Pub. No.: US 2014/0282406, hereinafter Narasimhan) in view of Bach et al. (Pub. No.: US 2016/0078231, hereinafter Bach) and Abramowitz (Pub. No.: US 2016/0112445).
Regarding claims 3, 12, 17 and 22: Narasimhan as modified doesn’t explicitly teach but Abramowitz discloses wherein the analysis part calculates the degree of activity, excluding descriptions that include the non-new vulnerability term, among the collected descriptions (Abramowitz - [0059]: dynamically and periodically determining one or more new vulnerabilities and, in response to determining the one or more new vulnerabilities, assigning a new risk rating).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Narasimhan and Bach with Abramowitz so that a risk rating or degree of activity is calculated based on new vulnerabilities. The modification would have allowed the system to enhance security.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
M C et al. (Pub. No.: US 2017/0116421) - Security vulnerabilities
Basavapatna et al. (Pub. No.: US 2013/0191919) - Calculating quantitative asset risk
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG LI whose telephone number is (571)272-8729.  The examiner can normally be reached on M-F 8:30-5:30.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s acting supervisor, Kristine Kincaid can be reached on (571) 272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8729.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MENG LI/
Primary Examiner, Art Unit 2437