Notice of Pre-AIA or AIA Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
2.	Applicant’s arguments filed 07/20/2022, with respect to the 35 U.S.C. § 102(a)(1)/(a)(2) rejection of claims 16, 17, 20-24, and 27-31 as being anticipated by U.S. Publication No. 20140373160 (hereinafter Shigemoto), the 35 U.S.C. § 103 rejection of claims 18 and 25 as being unpatentable over Shigemoto in view of U.S. Publication No. 20160241574 (hereinafter Kumar), and the 35 U.S.C. § 103 rejection of claims 19 and 26 as being unpatentable over Shigemoto in view of U.S. Publication No. 20140082736 (hereinafter Guarnieri), have been fully considered. However, upon further consideration, a new ground(s) of rejection is made in view of the amended claims.

Double Patenting
3.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 16-31 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-9 of Patented Application no.10/860,722. Although the claims at issue are not identical, they are not patentably distinct from each other because both the co-assigned Application claim 16 and co-assigned Patented Application claim 1 are almost the same in scope.

Instant App. No. ‘940 claim 16 and associated claims 17-31:
16. (Currently Amended): A method performed by a terminal, the method comprising: receiving, from a server, vulnerability information concerning vulnerability, including a release date and time of the vulnerability information, and a method for investigation, before the release date and time of the vulnerability information, wherein the vulnerability information is received by the server from a vulnerability information distribution system; and investigating the terminal using the method for investigation

Patent App. No. ‘722 claim 1 and associated claims 2-9:
1. A security risk management system comprising: a server device; and an agent unit included in a terminal device, wherein the agent unit is executed by central processing unit and is associated with a software vendor; wherein: the server device transmits vulnerability information to the agent unit over a communication network before a release date and time of the vulnerability information, the agent unit investigates presence or absence of vulnerabilities in the terminal device based on information regarding a method for vulnerability investigation contained in the vulnerability information, and transmits vulnerability investigation results containing the investigation results to the server device before the release date and time of the vulnerability information, the server device presents the vulnerability information and the vulnerability investigation results on or after the release date and time of the vulnerability information, the server device stores the vulnerability information before a release date and time of the vulnerability information, the vulnerability information containing encrypted information regarding an overview of vulnerabilities, a method for investigation and a method for countermeasures, and transmits the vulnerability information to the agent unit before the release date and time of the vulnerability information, the vulnerability information containing the encrypted information regarding an overview of vulnerabilities, a method for investigation and a method for countermeasures, the agent unit stores the vulnerability information before the release date and time of the vulnerability information, the vulnerability information containing the encrypted information regarding an overview of vulnerabilities, a method for investigation and a method for countermeasures, a release flag to which a value indicating whether the vulnerability information is unreleased or released is set is added to the vulnerability information, the server device reads the vulnerability information to which the release flag to which a value indicating “unreleased” is set is added from among the stored vulnerability information, and when a release date and time contained in the read vulnerability information is before a current date and time, the server device decrypts the information regarding an overview of vulnerabilities, a method for investigation and a method for countermeasures contained in the read vulnerability information, sets a value indicating “released” to the release flag added to the read vulnerability information, and stores the read vulnerability information again.



Instant application claim 16 is directed towards a method and system of receiving and investigating vulnerability information. One of ordinary skill in the art would understand that the teachings found in Patented App ‘722 are not significantly different from those found in the instant application, which relates to receiving, storing and investigating vulnerability information. This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.
Therefore, it would have been obvious to one of ordinary skill in the art to modify instant Application claims 116 with the additional limitation of so to obtain Patented App ‘722 claim 1 as claimed.
Allowance of application claim 1 would result in an unjustified time-wise extension of the monopoly granted for the invention defined by co-pending Application claim 1. Therefore, the provisional obviousness-type double patenting is appropriate because the conflicting claims have not in fact been patented. Application claim 16 corresponds to co-assigned patented application claim 1.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
4.	Claims 16, 17, 20-24, and 32-35 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Publication No. 20140373160 (hereinafter Shigemoto) in view of U.S. Publication No. 20180136921 (hereinafter Pfleger).

As per claim 16, Shigemoto discloses:
A method performed by a terminal (Fig. 1, para 0009 “In addressing the foregoing and other problems of the related art and according to one embodiment of the present invention, there is provided a vulnerability countermeasure device for taking countermeasures against the vulnerability of a system configured of multiple computers connected via a network.”), the method comprising:
receiving, from a server, vulnerability information concerning vulnerability, including a release date and time, and a method for investigation, before the release date and time (para 0081 “FIG. 5 shows an example of the vulnerability information data 209. As shown in FIG. 5, the vulnerability information data 209 includes vulnerability ID's 501, release dates 502, software 503, and versions 504.” Para 0085 “ For purpose of simplification and illustration, the vulnerability information data 209 was shown above to include the release dates 502, software 503, and versions 504. Alternatively, the vulnerability information data 209 may further include information indicating eventual effects of vulnerability, the presence or absence of countermeasure patches against vulnerability, CVSS (Common Vulnerability Scoring System) values representing degrees of severity of vulnerability, or information about countermeasures to be taken against vulnerability as needed.” Para 0086 “The service provider checks the vulnerability information disclosure sites 105 periodically and, whenever new vulnerability is disclosed, causes information about the new vulnerability to be reflected in the vulnerability information data 209. As an alternative, the service provider may use suitable tools to automate updating of the vulnerability information data 209.”),
wherein the vulnerability information is received by the server from a vulnerability information distribution system (Fig. 1, element 105, para 0086 “The service provider checks the vulnerability information disclosure sites 105 periodically and, whenever new vulnerability is disclosed, causes information about the new vulnerability to be reflected in the vulnerability information data 209. As an alternative, the service provider may use suitable tools to automate updating of the vulnerability information data 209.”);
and investigating the terminal using the method for investigation (para 0087 “The vulnerability information data 209 is used when the assessment program 211 executed by the CPU 203 assesses whether there is a vulnerability in the software installed in servers. Specific processing of the assessment program 211 will be discussed later using FIG. 7.”). 

	Shigemoto does not disclose:
a release date and time of the vulnerability information, and a method for investigation, before the release date and time of the vulnerability information

	Pfleger discloses:
a release date and time of the vulnerability information, and a method for investigation, before the release date and time of the vulnerability information (para 0032 “Other statistical vulnerability-related information may be acquired for populating the models that determine the state transitions. For example, an average time from disclosure to weaponization of a vulnerability is acquired. Studies or specific information based on release dates of versions of software indicate the time from when a vulnerability is created to when the vulnerability is discovered. An average time from disclosure for all vulnerabilities, vulnerability by type, vulnerability by asset type, or other categorization may be determined. As another example, a time history or exploitation of vulnerabilities is acquired from studies or specific information. The average, median, other probabilistic distribution (e.g., Weibull, exponential, log normal, or combination) or other time history of exploitation of vulnerabilities in general or by categories of vulnerabilities is determined.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the vulnerability countermeasure device of Shigemoto in view of Pfleger to include a release date and time of the vulnerability information, and a method for investigation, before the release date and time of the vulnerability information, as taught by Pfleger.
The motivation would have been to properly obtain information about release dates and times about vulnerability to properly investigate vulnerability information.

As per claim 17, Shigemoto in view of Pfleger discloses:
The method according to claim 16, wherein the investigating is performed before the release date and time of the vulnerability information (Shigemoto  para 0083 “The release dates 502 each represent the date on which vulnerability was announced. The software 503 denotes software susceptible to the announced vulnerability. The versions 504 each represent the version of the software susceptible to the vulnerability in question. As an alternative, the versions 504 may hold information saying "before version such-and-such" indicating all versions prior to a particular version.” Para 0084 “ For example, in the vulnerability information with "1" as the vulnerability ID 501, the release data 502 is "2010/11/11/," the software 503 is "Web server program," and the version 504 is "Before 1.0." This indicates that vulnerability was found on Nov. 11, 2011, in the Web server programs of the versions before 1.0.” Also see para 0118-0126) and (Pfleger para 0032 “The motivation would have been to properly obtain information about release dates and times about vulnerability to properly investigate vulnerability information.”)

As per claim 20, the implementation of the method performed by a terminal of claim 16 will execute the method comprising receiving, from a vulnerability information distribution system, vulnerability information of claim 16. The claim is analyzed with respect to claim 16.

As per claim 21, Shigemoto in view of Pfleger discloses:
The method according to claim 20, further comprising: displaying the result before the release date and time of the vulnerability information (Shigemoto  para 0083 “The release dates 502 each represent the date on which vulnerability was announced. The software 503 denotes software susceptible to the announced vulnerability. The versions 504 each represent the version of the software susceptible to the vulnerability in question. As an alternative, the versions 504 may hold information saying "before version such-and-such" indicating all versions prior to a particular version.” Para 0084 “For example, in the vulnerability information with "1" as the vulnerability ID 501, the release data 502 is "2010/11/11/," the software 503 is "Web server program," and the version 504 is "Before 1.0." This indicates that vulnerability was found on Nov. 11, 2011, in the Web server programs of the versions before 1.0.” Also see para 0118-0126 and Figs. 14 and 15, para 0217) and (Pfleger para 0032 “The motivation would have been to properly obtain information about release dates and times about vulnerability to properly investigate vulnerability information.”)

As per claim 22, the implementation of the method of claim 16 will execute the method for a system including a server and a terminal of claim 22. The claim is analyzed with respect to claim 16. 

As per claim 23, the implementation of the method of claim 16 will execute the terminal of claim 23. The claim is analyzed with respect to claim 16. 

As per claim 24, the claim is analyzed with respect to claim 17. 

As per claim 27, the implementation of the method of claim 22 will execute server of claim 22. The claim is analyzed with respect to claim 22. 

As per claim 28, the claim is analyzed with respect to claim 21.

As per claim 26, the claim is analyzed with respect to claim 19.

As per claim 29, the implementation of the method of claim 22 will execute system of claim 29. The claim is analyzed with respect to claim 22.

As per claim 30, the implementation of the method of claim 16 will execute the non-transitory computer readable information recording medium (Shigemoto) of claim 30. The claim is analyzed with respect to claim 16.

As per claim 31, the implementation of the method of claim 22 will execute the non-transitory computer readable information recording medium (Shigemoto in view of Pfleger para 0146 and 0147) of claim 30. The claim is analyzed with respect to claim 16.

As per claim 32, Shigemoto in view of Pfleger discloses:
The method according to claim 16, wherein the release date and time of the vulnerability information is a date and time when the vulnerability information is released by a software vendor (Pfleger para 0003 and 0032 “The motivation would have been to properly obtain information about release dates and times about vulnerability to properly investigate vulnerability information.”).

As per claim 33, Shigemoto in view of Pfleger discloses:
The method according to claim 32, wherein the vulnerability information is about software executed by the terminal, and wherein software is created by the software vendor (Pfleger para 0003 and 0032 “The motivation would have been to properly obtain information about release dates and times about vulnerability to properly investigate vulnerability information.”).

As per claim 34, Shigemoto in view of Pfleger discloses:
The method according to claim 33, wherein vulnerabilities of the terminal are managed by a security risk management system comprising the server (Pfleger para 0005, 0024 and 0032 “The motivation would have been to properly obtain information about release dates and times about vulnerability to properly investigate vulnerability information.”).

As per claim 35, Shigemoto in view of Pfleger discloses:
The method according to claim 34, wherein the security risk management system is provided to a user by an external security risk management system provider, wherein the vulnerability information is received by the external security risk management system provider from a vulnerability information providing institution before the date and time when the vulnerability information is released by the software vendor, wherein the vulnerability information distribution system is managed by the external security risk management system provider, wherein the method for investigation comprises investigating a presence or absence of vulnerabilities of the terminal, wherein the investigating the terminal yields investigation results configured to enable the user to start development of a vulnerability countermeasure for the terminal before the date and time when the vulnerability information is released by the software vendor (Shigemoto para 0081, 0086 and 0087) and (Pfleger para 0005, 0024, 0032 and 0039 “The motivation would have been to properly obtain information about release dates and times about vulnerability to properly investigate vulnerability information.”).

5.	Claims 18 and 25 are rejected under 35 U.S.C. 103 as being unpatentable over Shigemoto in view of Pfleger in view of U.S. Publication No. 20160241574 (hereinafter Kumar).

As per claim 18, Shigemoto in view of Pfleger discloses:
The method according to claim 16, further comprising: sending a result of the investigating (Shigemoto Figs. 14 and 15, para 0217)

Shigemoto in view of Pfleger does not disclose:
sending a result of investigating to a server 

Kumar discloses: 
sending a result of investigating to a server (para 0040 “The third party endpoint assessment service 117 receives information regarding vulnerabilities, configuration, compliance, and the patch status of different systems and services that exist in the environment. Integrity measurement and verification reports are created after the third party endpoint assessment service 117 has processed the received information. The information is generated in these reports by actively monitoring aspects of the environment from equipment deployed within the environment, or through externally hosted equipment that accesses the environment through controlled conduits such as an open port in the network firewall. For example, one of these external services may report an alert indicating that a violation with an associated severity score for a monitored system. The third party endpoint assessment service 117 transforms this information into a normalized format for consideration by the trust orchestrator 101.” Para 0041 “The trust broker 103 retrieves reports from the endpoint assessment services 117 and generates temporal events that provide the system event correlator 108 information related to the damage potential of any malicious activity on the device. The temporal information is at least in part based on the reports provided by the endpoint assessment service 117 and provide a snapshot in time of the state of the system while being agnostic to runtime aspects of the system including applications. In one embodiment, the reports are represented in a markup language such as, but not limited to, Extensible Markup Language (XML).” Para 0042 “The trust broker 103 can also be configured to parse, normalize and collate received the reports. In accordance with embodiments, the parsing, normalizing, and/or collating can be based on one or more object identifiers. Exemplary object identifiers can include, but are not limited to, machine hostnames, IP addresses, application names, and package names. This parsing, normalization, and collation (collectively, processing) generates temporal events that annotate the state of the endpoints (devices) at scan time.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the vulnerability countermeasure device of Shigemoto in view of Pfleger to include sending a result of investigating to a server, as taught by Kumar.
The motivation would have been to ascertain results of an investigation of vulnerabilities to properly determine the best steps to protect a computing system.

As per claim 25, the claim is analyzed with respect to claim 18.

6.	Claims 19 and 26 are rejected under 35 U.S.C. 103 as being unpatentable over Shigemoto in view of Pfleger in view of U.S. Publication No. 20140082736 (hereinafter Guarnieri).

As per claim 19, Shigemoto in view of Pfleger discloses:
The method according to claim 16, wherein the vulnerability information (Shigemoto para 0080 and 0085)

Shigemoto in view of Pfleger does not disclose:
vulnerability information is encrypted, and the method further comprising: decrypting the encrypted vulnerability information before the investigating is performed

Guarnieri discloses:
vulnerability information is encrypted, and the method further comprising: decrypting the encrypted vulnerability information before the investigating is performed (para 0011 “A further method for server security verification is shown that includes scanning a server for one or more vulnerabilities using a scanning module located at the server; generating an encrypted report of server-side security that includes an indication regarding the presence of a vulnerability for each of said one or more vulnerabilities based on the results of said scanning, said encryption being performed using a private key; transmitting the encrypted report to a requesting client; decrypting the encrypted report using a public key; determining a level of server-side security based on the decrypted report using a processor; configuring a scanning module located at the client to increase or diminish scanning of specific vulnerabilities based on the determined level of server-side security; and scanning the server for vulnerabilities using a scanning module located at the client.” para 0013 “A further client security module is shown that includes a report validation module configured to acquire a public key associated with a received report, said received report having been generated at a server and indicating the presence of one or more vulnerabilities at the server, to decrypt the received report using the public key, and to determine a level of server-side security based on the decrypted report; a scanning module configured to scan the server for vulnerabilities based on the received report, wherein the scanning module enhances or diminishes scanning of specific vulnerabilities based on the determined level of server-side security; and a processor configured to reconfigure a browser responsive to the determined level of server-side security and an outcome of the scanning module.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the vulnerability countermeasure device of Shigemoto in view of Pfleger to include vulnerability information is encrypted, and the method further comprising: decrypting the encrypted vulnerability information before the investigating is performed, as taught by Guarnieri.
The motivation would have been to decrypt results of an investigation of vulnerabilities to properly determine the best steps to protect a computing system.

As per claim 26, the claim is analyzed with respect to claim 19.


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192. The examiner can normally be reached Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GARY S GRACIA/Primary Examiner, Art Unit 2499