DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
This Office action is in response to the amendment filed 06/03/2022. Claims 1, 3, 8, 10, 15 and 17 have been amended.
Response to Arguments
Applicant’s arguments with respect to claims 1, 8 and 15 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Objections
Claims 1, 8 and 15 are objected to because of the following informalities: there is insufficient antecedent basis for the limitation “the plurality of vulnerability remediation actions” (Claim 1, line 10).  Appropriate correction is required. For examination purposes, the limitation is interpreted as “a plurality of vulnerability remediation actions”.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7 are rejected under 35 U.S.C. 103 as being unpatentable over Endersz et al. (WO 2007/027131 A2) in view of Basavapatna et al. (US 2013/0191919 A1).
Regarding claim 1, Endersz discloses a method for securing a service (i.e., a database, a communication link or any other service) (page 5, lines 3-4) implemented on a computer network (Fig. 1), the method comprising:
	identifying network assets in the computer network used by the service (i.e., identifying each of the resources required by and affected by the service) (Fig. 1; page 5, lines 1-12);
	identifying vulnerabilities in one or more of the network assets (i.e., a threat T is directed against a vulnerability in a system resource) (page 5, lines 9-12, 16-17), each vulnerability having one or more vulnerability risk dimensions (i.e., vulnerability parameter V which exposes assets in the system) (page 5, lines 22-27);
	based on the identified vulnerabilities, determining an asset risk score for each of the network assets (i.e., calculating a risk value R for each resource) (page 5, lines 19-36; page 6, lines 18-27; page 7, lines 6-10);
	based on the determined asset risk scores of the network assets, determining a service risk score for the service (i.e., calculating the total risk value as the sum of the risk values) (page 6, line 29 - page 7, line 14); and
	implementing a vulnerability remediation action to best reduce the service risk score (i.e., selecting countermeasure which best meets made demands…for optimized selection of countermeasures in real time...increase protection and reduction of risk/damage in the system) (page 8, lines 17-35).
	Endersz does not disclose prioritizing implementation of a plurality of vulnerability remediation actions in a priority order based on effects on the service risk score, wherein the priority order is based on a reduction of the service risk score; and implementing one or more of the plurality of vulnerability remediation actions based on the priority order. Basavapatna discloses that network assets may be vulnerable to many different threats at any given time and a plurality of vulnerability remediation actions are needed to protect the assets from the threats (para. [0030]). Basavapatna further discloses prioritizing implementation of the plurality of vulnerability remediation actions in a priority order based on effects on the service risk score, wherein the priority order is based on a reduction of the service risk score; and implementing one or more of the plurality of vulnerability remediation actions based on the priority order (Ranking assets, vulnerabilities, and/or threats according to aggregate risk scores allows a user to quickly identify which assets are most at risk, or which vulnerabilities and threats are most dangerous for a system. The user can then remediate the most at-risk assets before remediating other less-at-risk assets, or can apply remediations across the system for the riskiest vulnerabilities and threats before applying remediations for other, less-risky ones) (para. [0138]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Endersz to prioritize implementation of the plurality of vulnerability remediation actions in a priority order based on effects on the service risk score, wherein the priority order is based on a reduction of the service risk score; and implement one or more of the plurality of vulnerability remediation actions based on the priority order, as taught by Basavapatna.  
The motivation for doing so would have been to best protect the system from many different threats at any given time.
Regarding claim 2, Endersz further discloses identifying network assets in the computer network used by the service includes describing dependencies of the network assets in the computer network (i.e., Changed function or state/condition of C4 will influence C5, which in its turn will result in changes of/at C7, C8 and C9) (Fig. 1; page 5, lines 1-12).
Regarding claim 3, Endersz further discloses simulating effects of different vulnerability remediation actions on the service risk score (i.e., optimization of the risk level by simulating of effects of potential countermeasures…simulate a given countermeasure directed against the threat) (page 1, lines 11-12; page 3, lines 21-22). Accordingly, the combined method of Endersz and Basavapatna would lead to simulating the effects of the plurality of vulnerability remediation actions on the service risk score.
Regarding claim 4, Endersz further discloses identifying vulnerabilities in one or more of the network assets includes determining a risk value for each vulnerability risk dimension (i.e., vulnerability value V*C for each resource for a specific threat) (page 3, lines 15-17; page 5, lines 33-34).
Regarding claim 5, Endersz further discloses that determining a risk value for each vulnerability risk dimension includes using information obtained from one or more network security tools (i.e., the software and/or hardware component(s) that performs the steps for determining, in real time, V and C used to calculate the vulnerability value V*C) (page 1, lines 8-12; page 2, lines 1-5; page 3, lines 9-17).
Regarding claim 6, Endersz further discloses that determining an asset risk score for each of the network assets includes determining the asset risk score for each of the network assets based on the risk values of the vulnerability risk dimensions of the vulnerabilities in each of the network assets (i.e., calculating a risk value R = H*V*C for each resource) (page 5, lines 19-36; page 6, lines 18-27; page 7, lines 6-10).
Regarding claim 7, Endersz further discloses that determining the service risk score for the service includes aggregating the asset risk scores of the network assets used by the service (i.e., calculating the total risk value as the sum of the risk values) (page 6, line 29 - page 7, line 14).
Claims 8-21 are rejected under 35 U.S.C. 103 as being unpatentable over Endersz in view of Basavapatna and Official Notice.
Regarding claims 8 and 15, Endersz discloses a method for securing a service (i.e., a database, a communication link or any other service) (page 5, lines 3-4) implemented on a computer network (Fig. 1), the method comprising:
	identifying network assets in the computer network used by the service (i.e., identifying each of the resources required by and affected by the service) (Fig. 1; page 5, lines 1-12);
	identifying vulnerabilities in one or more of the network assets (i.e., a threat T is directed against a vulnerability in a system resource) (page 5, lines 9-12, 16-17), each vulnerability having one or more vulnerability risk dimensions (i.e., vulnerability parameter V which exposes assets in the system) (page 5, lines 22-27);
	based on the identified vulnerabilities, determining an asset risk score for each of the network assets (i.e., calculating a risk value R for each resource) (page 5, lines 19-36; page 6, lines 18-27; page 7, lines 6-10);
	based on the determined asset risk scores of the network assets, determining a service risk score for the service (i.e., calculating the total risk value as the sum of the risk values) (page 6, line 29 - page 7, line 14); and
	implementing a vulnerability remediation action to best reduce the service risk score (i.e., selecting countermeasure which best meets made demands…for optimized selection of countermeasures in real time...increase protection and reduction of risk/damage in the system) (page 8, lines 17-35).
	Endersz does not disclose prioritizing implementation of a plurality of vulnerability remediation actions in a priority order based on effects on the service risk score, wherein the priority order is based on a reduction of the service risk score; and implementing one or more of the plurality of vulnerability remediation actions based on the priority order. Basavapatna discloses that network assets may be vulnerable to many different threats at any given time and a plurality of vulnerability remediation actions are needed to protect the assets from the threats (para. [0030]). Basavapatna further discloses prioritizing implementation of the plurality of vulnerability remediation actions in a priority order based on effects on the service risk score, wherein the priority order is based on a reduction of the service risk score; and implementing one or more of the plurality of vulnerability remediation actions based on the priority order (Ranking assets, vulnerabilities, and/or threats according to aggregate risk scores allows a user to quickly identify which assets are most at risk, or which vulnerabilities and threats are most dangerous for a system. The user can then remediate the most at-risk assets before remediating other less-at-risk assets, or can apply remediations across the system for the riskiest vulnerabilities and threats before applying remediations for other, less-risky ones) (para. [0138]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Endersz to prioritize implementation of the plurality of vulnerability remediation actions in a priority order based on effects on the service risk score, wherein the priority order is based on a reduction of the service risk score; and implement one or more of the plurality of vulnerability remediation actions based on the priority order, as taught by Basavapatna.  
The motivation for doing so would have been to best protect the system from many different threats at any given time.
	Endersz does not disclose implementing the method in software. Official Notice is taken that both concept and advantage of implementing a method in software to lower the cost and facilitate update are well known and expected in the art.  It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have implemented the method disclosed by Endersz further in software to lower the cost and facilitate update. Accordingly, the software would be recorded on a non-transitory computer-readable storage medium and executed by a computing device.
Regarding claims 9 and 16, Endersz further discloses including descriptions of dependencies of the network assets in the computer network when identifying network assets in the computer network used by the service (i.e., Changed function or state/condition of C4 will influence C5, which in its turn will result in changes of/at C7, C8 and C9) (Fig. 1; page 5, lines 1-12). Accordingly, this feature would be implemented in software.
Regarding claims 10 and 17, Endersz further discloses simulating effects of different vulnerability remediation actions on the service risk score (i.e., optimization of the risk level by simulating of effects of potential countermeasures…simulate a given countermeasure directed against the threat) (page 1, lines 11-12; page 3, lines 21-22). Accordingly, the combined method of Endersz and Basavapatna would lead to simulating the effects of the plurality of vulnerability remediation actions on the service risk score. Accordingly, this feature would be implemented in software.
Regarding claims 11 and 18, Endersz further discloses determining a risk value for each vulnerability risk dimension of the identified vulnerabilities (i.e., vulnerability value V*C for each resource for a specific threat) (page 3, lines 15-17; page 5, lines 33-34). Accordingly, this feature would be implemented in software.
Regarding claims 12 and 19, Endersz further discloses determining a risk value for each vulnerability risk dimension using information obtained from one or more network security tools (i.e., the computing component(s) that performs the steps for determining, in real time, V and C used to calculate the vulnerability value V*C) (page 1, lines 8-12; page 2, lines 1-5; page 3, lines 9-17). Accordingly, this feature would be implemented in software.
Regarding claims 13 and 20, Endersz further discloses determining the asset risk score for each of the network assets based on the risk values of the vulnerability risk dimensions of the vulnerabilities in each of the network assets (i.e., calculating a risk value R = H*V*C for each resource) (page 5, lines 19-36; page 6, lines 18-27; page 7, lines 6-10). Accordingly, this feature would be implemented in software.
Regarding claims 14 and 21, Endersz further discloses determining the service risk score for the service by aggregating the asset risk scores of the network assets used by the service (i.e., calculating the total risk value as the sum of the risk values) (page 6, line 29 - page 7, line 14). Accordingly, this feature would be implemented in software.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MINH DINH whose telephone number is (571)272-3802. The examiner can normally be reached Mon-Fri: 9 AM - 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MINH DINH/Primary Examiner, Art Unit 2432