DETAILED ACTION
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 6/22/2022 has been entered.

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

The applicant amended claims 1, 11, 16 and 19 in the amendment received on 6/13/2022.

The claims 1-7, 9-17 and 19-20 are pending.

Response to Arguments
Applicant’s arguments with respect to claims 1-7, 9-17 and 19-20 filed on 6/13/2022 have been considered but are moot in view of the new ground(s) of rejection.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-5, 7, 10-12, 16 and 19-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Currie et al. (U.S. Publication No. 2005/0160286 A1) in view of Gula et al. (U.S. Publication No. 2014/0007241 A1), and further in view of Mahjoub et al. (U.S. Publication No. 2019/0095512 A1).
With respect to claim 1, Currie discloses a computer-implemented method for analyzing network vulnerabilities, the method comprising: determining an address for each target device included in a plurality of target devices (i.e., The request also includes the IP address of the referring website 104 that the visitor 106 was visiting. That IP address is extracted in step S606. The address is then compared to the addresses in customer information database 304 corresponding to all registered services 102 of the system, ¶ 80.  If the extracted IP address does correspond to a stored IP address (determined in step S608), the security status information for the associated website is retrieved from customer information database 304. For example, the number of open critical and severe vulnerabilities found on website 104 and when they were found is queried using the extracted IP address, ¶ 81). 
Currie discloses wherein determining the address for each target device comprises using one or more address detecting services (i.e., Assuming that is the case (step S602), a URL causes an HTTP request to be made to security system 200, which request is then received by the verification engine 310 of system 200 (step S604). The request also includes the IP address of the referring website 104 that the visitor 106 was visiting. That IP address is extracted in step S606. The address is then compared to the addresses in customer information database 304 corresponding to all registered services 102 of the system, ¶ 80). 
Currie also discloses for each target device included in the plurality of target devices, assigning a port scanning task to an associated port scanning service (i.e., Scanning engine 302 initially scans the open ports of devices registered in customer information database 304, ¶ 42.  As set forth above, scanning engine 302 stores information about the open ports, security exposures and vulnerabilities and scans completed on a server or other network device, and associates the information with a specific customer (e.g. website operator 102). Customer information database 304 stores information about each customer service 102's company, users, website(s), and the scans performed on the website(s) or other devices associated with the website(s). Stored information includes a scan header record including the date, launch time, duration, and number of vulnerabilities classified by severity level, ¶ 43). 
Currie further discloses the port scanning task being associated with the target device (i.e., Scanning engine 302 can include any conventionally known remote security scanner or equivalent thereof, such as the open source Nessus engine (details available from www.nessus.org), that remotely obtains and produces information about open ports, available services, network protocols, security exposures and vulnerabilities existing on a server or other device that is available over a network [the port scanning task being associated with the target device]. Accordingly, scanning engine 302 periodically checks the web servers and/or network devices of service 102 to discover website component configuration and vulnerabilities. Scanning engine 302 initially scans the open ports of devices registered in customer information database 304. In one example implementation such as the Nessus open source engine, the scanning process produces a set of XML files containing all information gathered during the scan. These files are parsed by scanning engine 302 and stored in database 304, the records of which are associated with the customer account number and therefore the customer's registration information [the port scanning task being associated with the target device via the address of the target device], ¶ 42.  When a scan for the particular device is due to be launched (as determined above in step S406), the first step, as shown by step S408, is to scan all the ports on the device to see which ones are opened, identify which network transport and message protocols are offered on the port, and what services may be listening on the port. The scanning engine will then append the open port information in the customer information database 304 to the historical port scan information already stored there from prior scans, ¶ 58). 
Currie also discloses for each port scanning task, receiving a port scanning result from the port scanning service assigned to the port scanning task, the port scanning result including a list of one or more open ports for the target device associated with the port scanning task (i.e., As set forth above, scanning engine 302 stores information about the open ports [for each port scanning task, receiving a port scanning result from the port scanning service assigned to the port scanning task, the port scanning result including a list of one or more open ports for the target device associated with the port scanning task], security exposures and vulnerabilities and scans completed on a server or other network device, and associates the information with a specific customer (e.g. website operator 102). Customer information database 304 stores information about each customer service 102's company, users, website(s), and the scans performed on the website(s) or other devices associated with the website(s). Stored information includes a scan header record including the date, launch time, duration, and number of vulnerabilities classified by severity level, ¶ 43). 
Currie further discloses for each open port included in each port scanning result, assigning a vulnerability scanning task to an associated vulnerability scanning service (i.e., As set forth above, scanning engine 302 stores information about the open ports, security exposures and vulnerabilities and scans completed on a server or other network device, and associates the information with a specific customer (e.g. website operator 102). Customer information database 304 stores information about each customer service 102's company, users, website(s), and the scans performed on the website(s) or other devices associated with the website(s). Stored information includes a scan header record including the date, launch time, duration, and number of vulnerabilities classified by severity level, ¶ 43.  Alert engine 306 is a service that alerts services 102 that are customers of system 200 about potential or confirmed security vulnerabilities by sending emails and/or reporting such events online. Such alerts can be based on device and/or service information found during a scan as compared to vulnerabilities associated with such devices and/or services stored in database 312. In accordance with a further aspect of the invention, alerts can also be generated by comparing and matching existing service 102 information stored from previous scans against information about a newly discovered vulnerability. Such newly discovered vulnerabilities can be retrieved by the system and parsed into vulnerability fingerprint records and stored in database 312. These records include the devices or services that pertain to the vulnerabilities, ¶ 44). 
Currie also discloses receiving a vulnerability scanning result for each vulnerability scanning task (i.e., The particular method of allowing a service 102 to identify vulnerabilities can be implemented in a number of ways [receiving a vulnerability scanning result for each vulnerability scanning task]. For example, the system 200 can have an administrator interface that allows an administrator to receive and review return emails from the service 102 and manually update the database. As another example, the system 200 (e.g. the report engine 308) can include a web server interface that provides pages and associated scripts (e.g. scripts associated with checkboxes appearing next to reported vulnerabilities) for allowing users of services 102 to view and correct system vulnerability reports, ¶ 49.  An Alert Detail display option may be provided to accommodate the two types of alerts in the system. For example, alerts that result from new "potential" vulnerabilities would display an Alert Detail screen containing the generic vulnerability descriptive information. Alerts resulting from scans would provide scan results for that vulnerability in addition to the generic alert information [receiving a vulnerability scanning result for each vulnerability scanning task], ¶ 78). 
Currie further discloses generating a report based on at least one of the port scanning results or the vulnerability scanning results (i.e., As another example, the system 200 (e.g. the report engine 308) can include a web server interface that provides pages and associated scripts (e.g. scripts associated with checkboxes appearing next to reported vulnerabilities) for allowing users of services 102 to view and correct system vulnerability reports, ¶ 49.  Also see report engine 308 in figure 3 that produces reports based on scanned vulnerabilities). 
Currie may not explicitly disclose the port scanning task being associated with the target device via the address of the target device.
However, Gula discloses the port scanning task being associated with the target device via the address of the target device (i.e., According to one aspect of the invention, an exemplary system that may be used to identify exploitable weak points in a network and simulate attacks that attempt to exploit the identified weak points in the network may comprise one or more passive scanners configured to observe connections in the network to identify network addresses and open ports associated with the observed connections and one or more active scanners configured to scan the network to enumerate current connections in the network and identify network addresses and open ports associated with the current connections in the network [the port scanning task being associated with the target device via the address of the target device]. In addition, the system may further comprise one or more processors coupled to the one or more passive scanners and the one or more active scanners, wherein the one or more processors may be configured to model trust relationships and identify exploitable weak points in the network based on information associated with the connections observed with the one or more passive scanners and the current connections enumerated with the one or more active scanners, simulate an attack that uses the modeled trust relationships to target the exploitable weak points on a selected host in the network, and enumerate remote network addresses that could compromise the network and determine an exploitation path that the enumerated remote network addresses could use to compromise the network based on the simulated attack. In one implementation, the system may further comprise a log aggregator configured to collect events that describe activity in the network, wherein information associated with the collected events may be used to model the trust relationships and identify the exploitable weak points in the network, ¶ 16) in order to provide a system and method for identifying exploitable weak points in a network, and in particular, to leveraging active and passive vulnerability discovery to identify remotely visible and exploitable services, client software (¶ 2).
Therefore, based on Currie in view of Gula, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Gula to the system of Currie in order to provide a system and method for identifying exploitable weak points in a network, and in particular, to leveraging active and passive vulnerability discovery to identify remotely visible and exploitable services, client software.
Currie and Gula may not explicitly disclose each of the one or more address detecting services using at least one of domain name service (DNS) information, autonomous system number (ASN) information, certificate information, or tracking information from opted-in end users.
However, Mahjoub discloses each of the one or more address detecting services using at least one of domain name service (DNS) information, autonomous system number (ASN) information, certificate information, or tracking information from opted-in end users (i.e., In this example, if the entire range happens to be used for hosting exploit kit domains, it will be safer to quarantine or block those 8 IP addresses than the entire 16384 block without any potential false positives. This “finer granularity IP range” may be generalized as a monitoring phase for all suspicious or malicious IP addresses that are detected in global DNS traffic [each of the one or more address detecting services using at least one of domain name service (DNS) information]. Such techniques may be efficient and accurate at predictively blocking malware campaigns at the IP level before any domains begin resolving to the suspicious IP addresses in question, ¶ 67.  The CDD subsystem may discover various hosts and services at the IP address by sending packets to the target IP address and analyzing the responses. Scanning may provide host discovery, service detection [one or more address detecting services], operating system detection, and port scanning to enumerate the open ports on the hosts, reverse DNS names [each of the one or more address detecting services using at least one of domain name service (DNS) information], device types, and MAC addresses, ¶ 87) in order to perform lateral network fingerprinting on the IP address range via port scanning on an IP address to develop a fingerprint or overview of the network configuration for the IP address (¶ 86).
Therefore, based on Currie in view of Gula, and further in view of Mahjoub, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Mahjoub to the system of Currie and Gula in order to perform lateral network fingerprinting on the IP address range via port scanning on an IP address to develop a fingerprint or overview of the network configuration for the IP address.

With respect to claim 2, Currie discloses wherein each port scanning task is further associated with a duration in which the port scanning task is to be completed (i.e., Stored information includes a scan header record including the date, launch time, duration, and number of vulnerabilities classified by severity level, ¶ 43). 

With respect to claim 3, Currie discloses wherein the duration is determined based on an expected amount of time to perform the port scanning task (i.e., Generally, the scanning engine is invoked for each device the customer service 102 has registered in the customer information database 304 according the schedule requested for that device. In one example, customers are offered five possible queue times to schedule scans of their service 102: Immediate or once daily at 1 AM, 7 AM, 1 PM or 7 PM [wherein the duration is determined based on an expected amount of time to perform the port scanning task]. Accordingly, after the engine has been invoked for a specified device (step S404), it is determined in step S406 whether a scan of the specified device is currently scheduled. If not, the next device is retrieved from the customer's information (i.e., control is returned to step S404). Otherwise, a scan for the specified device is queued up and executed in random sequence by the scanning engine daemons and threads established during engine startup. These request devices to be scanned from the queue, ¶ 57). 

With respect to claim 4, Currie discloses wherein each port scanning task requests that the port scanning service associated with the port scanning task perform a two-pass port scan, wherein a first pass identifies the open ports and a second pass identifies a service listening at each of the open ports (i.e., As set forth above, scanning engine 302 stores information about the open ports, security exposures and vulnerabilities and scans completed on a server or other network device, and associates the information with a specific customer (e.g. website operator 102). Customer information database 304 stores information about each customer service 102's company, users, website(s), and the scans performed on the website(s) or other devices associated with the website(s). Stored information includes a scan header record including the date, launch time, duration, and number of vulnerabilities classified by severity level [wherein each port scanning task requests that the port scanning service associated with the port scanning task perform a two-pass port scan, wherein a first pass identifies the open ports]. The stored information also includes information about what sockets are open on the scanned device, what generic services should be running on those ports, and what services are actually running on the open ports including version, network message protocol and other available information, ¶ 43.  When a scan for the particular device is due to be launched (as determined above in step S406), the first step, as shown by step S408, is to scan all the ports on the device to see which ones are opened [wherein each port scanning task requests that the port scanning service associated with the port scanning task perform a two-pass port scan, wherein a first pass identifies the open ports], identify which network transport and message protocols are offered on the port, and what services may be listening on the port [a second pass identifies a service listening at each of the open ports], ¶ 58). 

With respect to claim 5, Currie discloses wherein assigning each port scanning task comprises: pushing the port scanning task onto one of one or more port scanning queues based on a frequency at which successive port scans of the target device associated with the port scanning task are to be performed (i.e., Generally, the scanning engine is invoked for each device the customer service 102 has registered in the customer information database 304 according the schedule requested for that device. In one example, customers are offered five possible queue times to schedule scans of their service 102: Immediate or once daily at 1 AM, 7 AM, 1 PM or 7 PM [pushing the port scanning task onto one of one or more port scanning queues based on a frequency at which successive port scans of the target device associated with the port scanning task are to be performed]. Accordingly, after the engine has been invoked for a specified device (step S404), it is determined in step S406 whether a scan of the specified device is currently scheduled. If not, the next device is retrieved from the customer's information (i.e., control is returned to step S404). Otherwise, a scan for the specified device is queued up and executed in random sequence by the scanning engine daemons and threads established during engine startup [based on a frequency at which successive port scans of the target device associated with the port scanning task are to be performed]. These request devices to be scanned from the queue, ¶ 57).
Currie also discloses popping the port scanning task from the one of the one or more port scanning queues in response to receiving a request from the port scanning service associated with the port scanning task (i.e., These daemons request test jobs from a worker manager process which manages the queue and can run many tests for one or more devices in parallel [popping the port scanning task from the one of the one or more port scanning queues in response to receiving a request from the port scanning service associated with the port scanning task], ¶ 56.  Otherwise, a scan for the specified device is queued up and executed….These request devices to be scanned from the queue, ¶ 57). 

With respect to claim 7, Currie discloses wherein assigning the vulnerability scanning task comprises: pushing the vulnerability scanning task onto a queue; and popping the vulnerability scanning task from the queue in response to receiving a request from the associated vulnerability scanning service (i.e., Processing continues to step S412, where the scanning engine selects vulnerability tests to run against the server according to information collected during the port, protocol and service discovery scans run on the device. The worker daemons request queued test jobs from the worker manager process. This continues until all relevant vulnerability tests have been completed [pushing the vulnerability scanning task onto a queue; and popping the vulnerability scanning task from the queue in response to receiving a request from the associated vulnerability scanning service], ¶ 61). 

With respect to claim 10, Currie discloses in response to the port scanning service associated with a first port scanning task reporting an anomalous port scan for the target device associated with the first port scanning task (i.e., In accordance with another example implementation of the invention, the components of on-line services are stored and compared to fingerprints of potential new vulnerabilities when they arise. Depending on whether the fingerprints match the components of the on-line services, alerts to the on-line services can be generated without performing actual scans, ¶ 22.  Alert engine 306 is a service that alerts services 102 that are customers of system 200 about potential or confirmed security vulnerabilities by sending emails and/or reporting such events online. Such alerts can be based on device and/or service information found during a scan as compared to vulnerabilities associated with such devices and/or services stored in database 312. In accordance with a further aspect of the invention, alerts can also be generated by comparing and matching existing service 102 information stored from previous scans against information about a newly discovered vulnerability. Such newly discovered vulnerabilities can be retrieved by the system and parsed into vulnerability fingerprint records and stored in database 312. These records include the devices or services that pertain to the vulnerabilities. When a new vulnerability record is entered into database 312, and if there is a possibility that the new vulnerability could present a security problem for the customer's service 102, alert engine 306 can then generate an alert to service 102, ¶ 44.  These alerts are a type of anomalous port scan for the targeted devices). 
Currie also discloses reporting a discrepancy between a first pass scan of ports of the target device associated with the first port scanning task and a second pass scan of the ports of the target device associated with the first port scanning task (i.e., Alert engine 306 is a service that alerts services 102 that are customers of system 200 about potential or confirmed security vulnerabilities by sending emails and/or reporting such events online. Such alerts can be based on device and/or service information found during a scan as compared to vulnerabilities associated with such devices and/or services stored in database 312. In accordance with a further aspect of the invention, alerts can also be generated by comparing and matching existing service 102 information stored from previous scans against information about a newly discovered vulnerability [reporting a discrepancy between a first pass scan of ports of the target device associated with the first port scanning task and a second pass scan of the ports of the target device associated with the port scanning task], ¶ 44). 

With respect to claim 11, the limitations of claim 11 are similar to the limitations of claim 1 above.  The limitations of claim 11 are rejected in the analysis of claim 1 above, and the claim is rejected on that basis.
Currie further discloses a non-transitory computer-readable storage medium including instructions that, when executed by a processor, cause the processor to analyze network vulnerabilities by performing steps comprising: determining an IP address for each computing device included in a plurality of computing devices (i.e., The request also includes the IP address of the referring website 104 that the visitor 106 was visiting. That IP address is extracted in step S606. The address is then compared to the addresses in customer information database 304 corresponding to all registered services 102 of the system, ¶ 80.  If the extracted IP address does correspond to a stored IP address (determined in step S608), the security status information for the associated website is retrieved from customer information database 304. For example, the number of open critical and severe vulnerabilities found on website 104 and when they were found is queried using the extracted IP address, ¶ 81). 
Currie also discloses for each computing device included in the plurality of computing devices, assigning a port scanning task to an associated port scanning service (i.e., Scanning engine 302 initially scans the open ports of devices registered in customer information database 304, ¶ 42.  As set forth above, scanning engine 302 stores information about the open ports, security exposures and vulnerabilities and scans completed on a server or other network device, and associates the information with a specific customer (e.g. website operator 102). Customer information database 304 stores information about each customer service 102's company, users, website(s), and the scans performed on the website(s) or other devices associated with the website(s). Stored information includes a scan header record including the date, launch time, duration, and number of vulnerabilities classified by severity level, ¶ 43). 
Currie further discloses the port scanning task being associated with the computing device (i.e., Scanning engine 302 can include any conventionally known remote security scanner or equivalent thereof, such as the open source Nessus engine (details available from www.nessus.org), that remotely obtains and produces information about open ports, available services, network protocols, security exposures and vulnerabilities existing on a server or other device that is available over a network [the port scanning task being associated with the computing device]. Accordingly, scanning engine 302 periodically checks the web servers and/or network devices of service 102 to discover website component configuration and vulnerabilities. Scanning engine 302 initially scans the open ports of devices registered in customer information database 304. In one example implementation such as the Nessus open source engine, the scanning process produces a set of XML files containing all information gathered during the scan. These files are parsed by scanning engine 302 and stored in database 304, the records of which are associated with the customer account number and therefore the customer's registration information [the port scanning task being associated with the computing device], ¶ 42). 
Currie also discloses for each port scanning task, receiving a port scanning result from the port scanning service assigned to the port scanning task, the port scanning result including a list of one or more open ports for the computing device associated with the port scanning task (i.e., As set forth above, scanning engine 302 stores information about the open ports [for each port scanning task, receiving a port scanning result from the port scanning service assigned to the port scanning task, the port scanning result including a list of one or more open ports for the computing device associated with the port scanning task], security exposures and vulnerabilities and scans completed on a server or other network device, and associates the information with a specific customer (e.g. website operator 102). Customer information database 304 stores information about each customer service 102's company, users, website(s), and the scans performed on the website(s) or other devices associated with the website(s). Stored information includes a scan header record including the date, launch time, duration, and number of vulnerabilities classified by severity level, ¶ 43). 
Currie further discloses for each open port included in each port scanning result, assigning a vulnerability scanning task to an associated vulnerability service (i.e., As set forth above, scanning engine 302 stores information about the open ports, security exposures and vulnerabilities and scans completed on a server or other network device, and associates the information with a specific customer (e.g. website operator 102). Customer information database 304 stores information about each customer service 102's company, users, website(s), and the scans performed on the website(s) or other devices associated with the website(s). Stored information includes a scan header record including the date, launch time, duration, and number of vulnerabilities classified by severity level, ¶ 43.  Alert engine 306 is a service that alerts services 102 that are customers of system 200 about potential or confirmed security vulnerabilities by sending emails and/or reporting such events online. Such alerts can be based on device and/or service information found during a scan as compared to vulnerabilities associated with such devices and/or services stored in database 312. In accordance with a further aspect of the invention, alerts can also be generated by comparing and matching existing service 102 information stored from previous scans against information about a newly discovered vulnerability. Such newly discovered vulnerabilities can be retrieved by the system and parsed into vulnerability fingerprint records and stored in database 312. These records include the devices or services that pertain to the vulnerabilities, ¶ 44). 
Currie further discloses receiving a vulnerability scanning result for each vulnerability scanning task (i.e., The particular method of allowing a service 102 to identify vulnerabilities can be implemented in a number of ways [receiving a vulnerability scanning result for each vulnerability scanning task]. For example, the system 200 can have an administrator interface that allows an administrator to receive and review return emails from the service 102 and manually update the database. As another example, the system 200 (e.g. the report engine 308) can include a web server interface that provides pages and associated scripts (e.g. scripts associated with checkboxes appearing next to reported vulnerabilities) for allowing users of services 102 to view and correct system vulnerability reports, ¶ 49.  An Alert Detail display option may be provided to accommodate the two types of alerts in the system. For example, alerts that result from new "potential" vulnerabilities would display an Alert Detail screen containing the generic vulnerability descriptive information. Alerts resulting from scans would provide scan results for that vulnerability in addition to the generic alert information [receiving a vulnerability scanning result for each vulnerability scanning task], ¶ 78). 
Currie also discloses generating a report based on the port scanning results, the vulnerability scanning results, or both the port scanning results and the vulnerability scanning results (i.e., As another example, the system 200 (e.g. the report engine 308) can include a web server interface that provides pages and associated scripts (e.g. scripts associated with checkboxes appearing next to reported vulnerabilities) for allowing users of services 102 to view and correct system vulnerability reports, ¶ 49.  Also see report engine 308 in figure 3 that produces reports based on scanned vulnerabilities). 
Currie may not explicitly disclose the port scanning task being associated with the computing device via the IP address of the computing device.
However, Gula discloses the port scanning task being associated with the computing device via the IP address of the computing device (i.e., According to one aspect of the invention, an exemplary system that may be used to identify exploitable weak points in a network and simulate attacks that attempt to exploit the identified weak points in the network may comprise one or more passive scanners configured to observe connections in the network to identify network addresses and open ports associated with the observed connections [the port scanning task being associated with the computing device via the IP address of the computing device] and one or more active scanners configured to scan the network to enumerate current connections in the network and identify network addresses and open ports associated with the current connections in the network [the port scanning task being associated with the computing device via the IP address of the computing device]. In addition, the system may further comprise one or more processors coupled to the one or more passive scanners and the one or more active scanners, wherein the one or more processors may be configured to model trust relationships and identify exploitable weak points in the network based on information associated with the connections observed with the one or more passive scanners and the current connections enumerated with the one or more active scanners, simulate an attack that uses the modeled trust relationships to target the exploitable weak points on a selected host in the network, and enumerate remote network addresses that could compromise the network and determine an exploitation path that the enumerated remote network addresses could use to compromise the network based on the simulated attack. In one implementation, the system may further comprise a log aggregator configured to collect events that describe activity in the network, wherein information associated with the collected events may be used to model the trust relationships and identify the exploitable weak points in the network, ¶ 16) in order to provide a system and method for identifying exploitable weak points in a network, and in particular, to leveraging active and passive vulnerability discovery to identify remotely visible and exploitable services, client software (¶ 2).
Gula also discloses the port scanning task being associated with the IP address of the computing device associated the port scanning result and the open port (i.e., According to one aspect of the invention, an exemplary system that may be used to identify exploitable weak points in a network and simulate attacks that attempt to exploit the identified weak points in the network may comprise one or more passive scanners configured to observe connections in the network to identify network addresses and open ports associated with the observed connections and one or more active scanners configured to scan the network to enumerate current connections in the network and identify network addresses and open ports associated with the current connections in the network [the port scanning task being associated with the IP address of the computing device associated the port scanning result and the open port]. In addition, the system may further comprise one or more processors coupled to the one or more passive scanners and the one or more active scanners, wherein the one or more processors may be configured to model trust relationships and identify exploitable weak points in the network based on information associated with the connections observed with the one or more passive scanners and the current connections enumerated with the one or more active scanners, simulate an attack that uses the modeled trust relationships to target the exploitable weak points on a selected host in the network, and enumerate remote network addresses that could compromise the network and determine an exploitation path that the enumerated remote network addresses could use to compromise the network based on the simulated attack. In one implementation, the system may further comprise a log aggregator configured to collect events that describe activity in the network, wherein information associated with the collected events may be used to model the trust relationships and identify the exploitable weak points in the network, ¶ 16).
Therefore, based on Currie in view of Gula, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Gula to the system of Currie in order to provide a system and method for identifying exploitable weak points in a network, and in particular, to leveraging active and passive vulnerability discovery to identify remotely visible and exploitable services, client software.

With respect to claim 12, the limitations of claim 12 are rejected in the analysis of claim 4 above, and the claim is rejected on that basis.

With respect to claim 16, the limitations of claim 16 are similar to the limitations of claim 1 above.  the limitations of claim 16 are rejected in the analysis of claim 1 above, and the claim is rejected on that basis.
Currie further discloses a computing device, comprising: a memory; and a processor coupled to the memory (i.e., It should be noted that system 200 can include many other conventional and novel components and functionalities such as providing system manager access and providing web server and other network access, as well as other storage and processing capability, ¶ 40.  In one example implementation, security system 200 is implemented as a Sun computer running Solaris. In such an implementation, engines 302, 306 and 308 are real-time software processes developed using Java. Database 304 may be implemented using a database or a flat memory and/or other known equivalents, ¶ 41). 
Currie also discloses wherein the processor is configured to: determine an IP address for each target device included in a plurality of target devices (i.e., The request also includes the IP address of the referring website 104 that the visitor 106 was visiting. That IP address is extracted in step S606. The address is then compared to the addresses in customer information database 304 corresponding to all registered services 102 of the system, ¶ 80.  If the extracted IP address does correspond to a stored IP address (determined in step S608), the security status information for the associated website is retrieved from customer information database 304. For example, the number of open critical and severe vulnerabilities found on website 104 and when they were found is queried using the extracted IP address, ¶ 81). 
Currie further discloses for each target device included in the plurality of target devices, assign a port scanning task to an associated port scanner (i.e., Scanning engine 302 initially scans the open ports of devices registered in customer information database 304, ¶ 42.  As set forth above, scanning engine 302 stores information about the open ports, security exposures and vulnerabilities and scans completed on a server or other network device, and associates the information with a specific customer (e.g. website operator 102). Customer information database 304 stores information about each customer service 102's company, users, website(s), and the scans performed on the website(s) or other devices associated with the website(s). Stored information includes a scan header record including the date, launch time, duration, and number of vulnerabilities classified by severity level, ¶ 43).  
Currie also discloses the port scanning task being associated with the target device (i.e., Scanning engine 302 can include any conventionally known remote security scanner or equivalent thereof, such as the open source Nessus engine (details available from www.nessus.org), that remotely obtains and produces information about open ports, available services, network protocols, security exposures and vulnerabilities existing on a server or other device that is available over a network [the port scanning task being associated with the target device]. Accordingly, scanning engine 302 periodically checks the web servers and/or network devices of service 102 to discover website component configuration and vulnerabilities. Scanning engine 302 initially scans the open ports of devices registered in customer information database 304. In one example implementation such as the Nessus open source engine, the scanning process produces a set of XML files containing all information gathered during the scan. These files are parsed by scanning engine 302 and stored in database 304, the records of which are associated with the customer account number and therefore the customer's registration information [the port scanning task being associated with the target device], ¶ 42). 
Currie further discloses a duration in which the port scanning task is to be completed (i.e., Stored information includes a scan header record including the date, launch time, duration, and number of vulnerabilities classified by severity level, ¶ 43). 
Currie also discloses for each port scanning task, receiving a port scanning result from the port scanner assigned to the port scanning task, the port scanning result including a list of one or more open ports for the target device associated with the port scanning task (i.e., As set forth above, scanning engine 302 stores information about the open ports [for each port scanning task, receiving a port scanning result from the port scanner assigned to the port scanning task, the port scanning result including a list of one or more open ports for the target device associated with the port scanning task], security exposures and vulnerabilities and scans completed on a server or other network device, and associates the information with a specific customer (e.g. website operator 102). Customer information database 304 stores information about each customer service 102's company, users, website(s), and the scans performed on the website(s) or other devices associated with the website(s). Stored information includes a scan header record including the date, launch time, duration, and number of vulnerabilities classified by severity level, ¶ 43). 
Currie further discloses for each open port included in each port scanning result, assigning a vulnerability scanning task to an associated vulnerability scanner (i.e., As set forth above, scanning engine 302 stores information about the open ports, security exposures and vulnerabilities and scans completed on a server or other network device, and associates the information with a specific customer (e.g. website operator 102). Customer information database 304 stores information about each customer service 102's company, users, website(s), and the scans performed on the website(s) or other devices associated with the website(s). Stored information includes a scan header record including the date, launch time, duration, and number of vulnerabilities classified by severity level, ¶ 43.  Alert engine 306 is a service that alerts services 102 that are customers of system 200 about potential or confirmed security vulnerabilities by sending emails and/or reporting such events online. Such alerts can be based on device and/or service information found during a scan as compared to vulnerabilities associated with such devices and/or services stored in database 312. In accordance with a further aspect of the invention, alerts can also be generated by comparing and matching existing service 102 information stored from previous scans against information about a newly discovered vulnerability. Such newly discovered vulnerabilities can be retrieved by the system and parsed into vulnerability fingerprint records and stored in database 312. These records include the devices or services that pertain to the vulnerabilities, ¶ 44). 
Currie also discloses receiving a vulnerability scanning result for each vulnerability scanning task (i.e., The particular method of allowing a service 102 to identify vulnerabilities can be implemented in a number of ways [receiving a vulnerability scanning result for each vulnerability scanning task]. For example, the system 200 can have an administrator interface that allows an administrator to receive and review return emails from the service 102 and manually update the database. As another example, the system 200 (e.g. the report engine 308) can include a web server interface that provides pages and associated scripts (e.g. scripts associated with checkboxes appearing next to reported vulnerabilities) for allowing users of services 102 to view and correct system vulnerability reports, ¶ 49.  An Alert Detail display option may be provided to accommodate the two types of alerts in the system. For example, alerts that result from new "potential" vulnerabilities would display an Alert Detail screen containing the generic vulnerability descriptive information. Alerts resulting from scans would provide scan results for that vulnerability in addition to the generic alert information [receiving a vulnerability scanning result for each vulnerability scanning task], ¶ 78). 
Currie further discloses generating a report based on at least one of the port scanning results, at least one of the vulnerability scanning results, or at least one of both the port scanning results and at least one of the vulnerability scanning results (i.e., As another example, the system 200 (e.g. the report engine 308) can include a web server interface that provides pages and associated scripts (e.g. scripts associated with checkboxes appearing next to reported vulnerabilities) for allowing users of services 102 to view and correct system vulnerability reports, ¶ 49.  Also see report engine 308 in figure 3 that produces reports based on scanned vulnerabilities). 
Currie also discloses wherein each port scanning task requests that the port scanner associated with the port scanning task perform a two-pass port scan, wherein a first pass identifies the open ports and a second pass identifies a service listening at each of the open ports (i.e., As set forth above, scanning engine 302 stores information about the open ports, security exposures and vulnerabilities and scans completed on a server or other network device, and associates the information with a specific customer (e.g. website operator 102). Customer information database 304 stores information about each customer service 102's company, users, website(s), and the scans performed on the website(s) or other devices associated with the website(s). Stored information includes a scan header record including the date, launch time, duration, and number of vulnerabilities classified by severity level [wherein each port scanning task requests that the port scanner associated with the port scanning task perform a two-pass port scan, wherein a first pass identifies the open ports]. The stored information also includes information about what sockets are open on the scanned device, what generic services should be running on those ports, and what services are actually running on the open ports including version, network message protocol and other available information, ¶ 43.  When a scan for the particular device is due to be launched (as determined above in step S406), the first step, as shown by step S408, is to scan all the ports on the device to see which ones are opened [wherein each port scanning task requests that the port scanner associated with the port scanning task perform a two-pass port scan, wherein a first pass identifies the open ports], identify which network transport and message protocols are offered on the port, and what services may be listening on the port [a second pass identifies a service listening at each of the open ports], ¶ 58). 
Currie may not explicitly disclose the port scanning task being associated with the target device via the IP address of the target device.
However, Gula discloses the port scanning task being associated with the target device via the IP address of the target device (i.e., According to one aspect of the invention, an exemplary system that may be used to identify exploitable weak points in a network and simulate attacks that attempt to exploit the identified weak points in the network may comprise one or more passive scanners configured to observe connections in the network to identify network addresses and open ports associated with the observed connections [the port scanning task being associated with the target device via the IP address of the target device] and one or more active scanners configured to scan the network to enumerate current connections in the network and identify network addresses and open ports associated with the current connections in the network [the port scanning task being associated with the target device via the IP address of the target device]. In addition, the system may further comprise one or more processors coupled to the one or more passive scanners and the one or more active scanners, wherein the one or more processors may be configured to model trust relationships and identify exploitable weak points in the network based on information associated with the connections observed with the one or more passive scanners and the current connections enumerated with the one or more active scanners, simulate an attack that uses the modeled trust relationships to target the exploitable weak points on a selected host in the network, and enumerate remote network addresses that could compromise the network and determine an exploitation path that the enumerated remote network addresses could use to compromise the network based on the simulated attack. In one implementation, the system may further comprise a log aggregator configured to collect events that describe activity in the network, wherein information associated with the collected events may be used to model the trust relationships and identify the exploitable weak points in the network, ¶ 16) in order to provide a system and method for identifying exploitable weak points in a network, and in particular, to leveraging active and passive vulnerability discovery to identify remotely visible and exploitable services, client software (¶ 2).
Therefore, based on Currie in view of Gula, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Gula to the system of Currie in order to provide a system and method for identifying exploitable weak points in a network, and in particular, to leveraging active and passive vulnerability discovery to identify remotely visible and exploitable services, client software.

With respect to claim 19, Currie discloses wherein for each target device, to determine the IP address of the target device, the processor is further configured to determine a same IP address for the target device from a predetermined number of address detecting services (i.e., That IP address is extracted in step S606. The address is then compared to the addresses in customer information database 304 corresponding to all registered services 102 of the system [determine a same IP address for the target device from a predetermined number of address detecting services], ¶ 80). 
Currie and Gula may not explicitly disclose address detecting services using the DNS information, the ASN information, or the certificate information.
However, Mahjoub discloses address detecting services using the DNS information, the ASN information, or the certificate information (i.e., In this example, if the entire range happens to be used for hosting exploit kit domains, it will be safer to quarantine or block those 8 IP addresses than the entire 16384 block without any potential false positives. This “finer granularity IP range” may be generalized as a monitoring phase for all suspicious or malicious IP addresses that are detected in global DNS traffic [address detecting services using the DNS information, the ASN information, or the certificate information]. Such techniques may be efficient and accurate at predictively blocking malware campaigns at the IP level before any domains begin resolving to the suspicious IP addresses in question, ¶ 67.  The CDD subsystem may discover various hosts and services at the IP address by sending packets to the target IP address and analyzing the responses. Scanning may provide host discovery, service detection [address detecting services], operating system detection, and port scanning to enumerate the open ports on the hosts, reverse DNS names [address detecting services using the DNS information, the ASN information, or the certificate information], device types, and MAC addresses, ¶ 87) in order to perform lateral network fingerprinting on the IP address range via port scanning on an IP address to develop a fingerprint or overview of the network configuration for the IP address (¶ 86).
Therefore, based on Currie in view of Gula, and further in view of Mahjoub, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Mahjoub to the system of Currie and Gula in order to perform lateral network fingerprinting on the IP address range via port scanning on an IP address to develop a fingerprint or overview of the network configuration for the IP address.

With respect to claim 20, Currie discloses wherein, for each target device, the processor is configured to validate the IP address for the target device using one or more address detection modules (i.e., Assuming that is the case (step S602), a URL causes an HTTP request to be made to security system 200, which request is then received by the verification engine 310 of system 200 (step S604). The request also includes the IP address of the referring website 104 that the visitor 106 was visiting. That IP address is extracted in step S606. The address is then compared to the addresses in customer information database 304 corresponding to all registered services 102 of the system [wherein, for each target device, the processor is configured to validate the IP address for the target device using one or more address detection modules], ¶ 80.  If the extracted IP address does correspond to a stored IP address (determined in step S608), the security status information for the associated website is retrieved from customer information database [wherein, for each target device, the processor is configured to validate the IP address for the target device using one or more address detection modules], ¶ 81). 

Claims 6, 9, 13-15 and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Currie et al. (U.S. Publication No. 2005/0160286 A1) in view of Gula et al. (U.S. Publication No. 2014/0007241 A1), and Mahjoub et al. (U.S. Publication No. 2019/0095512 A1), and in further view of Boyter et al. (U.S. Publication No. 2003/0212779 A1).
With respect to claim 6, Currie, Gula and Mahjoub may not explicitly disclose pushing the port scanning task back onto one of the one or more port scanning queues in response to the port scanning service associated with the port scanning task reporting an inability to complete a port scan of the target device associated with the port scanning task.
However, Boyter discloses pushing the port scanning task back onto one of the one or more port scanning queues in response to the port scanning service associated with the port scanning task reporting an inability to complete a port scan of the target device associated with the port scanning task (i.e., An embodiment of the present invention is a method for scanning network nodes for detection and reporting of security vulnerabilities, comprising the steps of scanning all network host nodes within designated address ranges for determining all active hosts, scanning all ports in each active host for determining all open ports, scanning each port of each active host for detecting security vulnerabilities, notifying a user of all open ports and detected security vulnerabilities, and repeating the scanning and notifying steps above in an iterative manner. The step of scanning all ports may comprise the steps of simultaneously scanning each port using a User Datagram Protocol bind attempt and a Transmission Control Protocol connection attempt, determining the state of the User Datagram Protocol bind upon completion of the Transmission Control Protocol connection attempt, confirming a closed state of a port upon failure of either the User Datagram Protocol bind attempt or the Transmission Control Protocol connection attempt [in response to the port scanning service associated with the port scanning task reporting an inability to complete a port scan of the target device associated with the port scanning task], confirming an open state of a port if both the User Datagram Protocol bind remains valid and the Transmission Control Protocol connection attempt was successful, and determining a rate limiting of the target host and the round trip time of the network connection to that host. The method may further comprise the step of tracking, port status changes over time for reporting the changes to a user, ¶ 12.  Considering the scanning of hosts 225, the Host Scanner Daemon 130 references the list of potential targets from the Control Database 170. The Host Scanner Daemon 130 sends a TCP SYN packet to every host on the list while listening for responses in a separate thread. If an IP address does not respond, its TimeSinceLastHostScan value gets updated to now( ) so a future iteration can re-check it. When an IP address does respond, indicating a new host 230, the Host Scanner Daemon 130 gathers available information about the host and stores it 240 in the Control Database 170. These may data include hostname, NetBIOS name, MAC address, and IP address. When a host does not respond after having been identified and added to the Control Database 170, the Host Scanner Daemon 130 performs two (2) additional connection attempts. If all three connection attempts fail, indicating an inactive hast 235, the host is updated to "Inactive" 245 in the Control Database 170. The TimeSinceLastHostScan and TimeSinceLastPortScan values are each set to now( ), preventing the other scanner daemons from scanning an inactive target. The service for TimeSinceLastVulnScan is reset on that host, which pops that service back up to the top of the priority stack [pushing the port scanning task back onto one of the one or more port scanning queues in response to the port scanning service associated with the port scanning task reporting an inability to complete a port scan of the target device associated with the port scanning task]. The next rescan of that service will then include the new plug-in and all other tests that the new plug in is dependent upon, ¶ 53) in order to provide a vulnerability-scanning system with a self-contained scanner and reporting system (¶ 8).
Therefore, based on Currie in view of Gula and Mahjoub, and further in view of Boyter, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Boyter to the system of Currie, Gula and Mahjoub in order to provide a vulnerability-scanning system with a self-contained scanner and reporting system.

With respect to claim 9, Currie, Gula and Mahjoub may not explicitly disclose in response to the port scanning service associated with a first port scanning task reporting an inability to port scan the target device associated with the first port scanning task within a target scanning duration, changing a scanning frequency for the target device associated with the first port scanning task.
However, Boyter discloses in response to the port scanning service associated with a first port scanning task reporting an inability to port scan the target device associated with the first port scanning task within a target scanning duration, changing a scanning frequency for the target device associated with the first port scanning task (i.e., The step of scanning all ports may comprise the steps of simultaneously scanning each port using a User Datagram Protocol bind attempt and a Transmission Control Protocol connection attempt, determining the state of the User Datagram Protocol bind upon completion of the Transmission Control Protocol connection attempt, confirming a closed state of a port upon failure of either the User Datagram Protocol bind attempt or the Transmission Control Protocol connection attempt [in response to the port scanning service associated with a first port scanning task reporting an inability to port scan the target device associated with the first port scanning task within a target scanning duration], … and determining a rate limiting of the target host and the round trip time of the network connection to that host, ¶ 12.  Considering the Assessment Daemon 150, the purpose of the Assessment Daemon 150 is to start further sub processes based on the priorities and configurations present in the database, e.g., the High Priority Port Scanner Daemon 154, the Port Scanner Daemon 158, and Vulnerability Scanner Daemon 160. The number of each type of sub process to run as well as the behavior of each while it is running can be altered by the user and stored as a runtime configuration in the database. These settings also control how the task priority is arranged and therefore which sub processes the Assessment Daemon runs and at what times [changing the scanning frequency based on inability or ability to scan]. The results from all of the assessment sub processes are stored back in to the Control Database 170, and these results may lead to the reprioritization of further subtasks [changing a scanning frequency for the target device associated with the first port scanning task], ¶ 29.  The Port Scanner Daemon 158 must use the Host Port Scanner 130 results as stored in the Control Database 170 as targets for the port scans and must use a priority-based system to determine when to re-scan a host for open ports. Once a host is scanned, it is moved to the bottom of the priority list and it filters to the top over time. As new scan lists and ranges are added to the job queue, the new IP addresses are placed at the top of the priority ordering system. The port-scan priority tracking must be separate from the host-scan priority tracking facility. The Port Scanner Daemon 158 port-scanning priority-system works on a "time-last-checked" basis to keep attributes from having to be updated to increase priority levels, ¶ 30) in order to provide a vulnerability-scanning system with a self-contained scanner and reporting system (¶ 8).
Therefore, based on Currie in view of Gula and Mahjoub, and further in view of Boyter, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Boyter to the system of Currie, Gula and Mahjoub in order to provide a vulnerability-scanning system with a self-contained scanner and reporting system.

With respect to claims 13 and 17, the limitations of claims 13 and 17 are rejected in the analysis of claim 9 above, and the claim is rejected on that basis.

With respect to claim 14, Currie, Gula and Mahjoub may not explicitly disclose wherein the steps further comprise, in response to the port scanning service associated with a first port scanning task reporting a failed, slow, incomplete, or anomalous port scan of the computing device associated with the first port scanning task within a target scanning duration, changing a scanning frequency for the computing device associated with the first port scanning task.
However, Boyter discloses wherein the steps further comprise, in response to the port scanning service associated with a first port scanning task reporting a failed, slow, incomplete, or anomalous port scan of the computing device associated with the first port scanning task within a target scanning duration, changing a scanning frequency for the computing device associated with the first port scanning task (i.e., Considering the Daemon Supervisor 110, the purpose of the Daemon Supervisor 110 is to start all scanner daemons at system initiation, and ensure that they are restarted upon failure. The Daemon Supervisor module 110 starts when the system boots, and stays running until the system is shutdown. The Supervisor daemon is responsible for starting up and monitoring all of the major subsystems, including the User Interface Gateway 175, the Web Administrator Daemon 114, the Serial Console Daemon 118, the Host Scanner or Discovery Daemon 130, the Assessment Daemon 150, and the OS Detection Daemon 140. Depending upon the configuration, the Daemon Supervisor module 110 instantiates the scanner daemons that then performs work based on database settings. The Daemon Supervisor module 110 keeps tabs on which daemons are running, and restarts any that fail for any reason [wherein the steps further comprise, in response to the port scanning service associated with a first port scanning task reporting a failed, slow, incomplete, or anomalous port scan of the computing device associated with the first port scanning task within a target scanning duration]. Since this job is so crucial, the Daemon Supervisor 110 receives no other tasking to ensure simplicity and reliability. On system startup, the Supervisor Daemon 110 must reference an externally configurable list of processes stored in the Control Database 170 that need to be started, and starts them. In addition, the Supervisor Daemon 110 must react to watched daemons that terminate by restarting them and logging their need to be restarted. Failure to keep a watched daemon running must generate an alert that is viewable through the Graphical User Interface 185, ¶ 26.  Considering the Assessment Daemon 150, the purpose of the Assessment Daemon 150 is to start further sub processes based on the priorities and configurations present in the database, e.g., the High Priority Port Scanner Daemon 154, the Port Scanner Daemon 158, and Vulnerability Scanner Daemon 160. The number of each type of sub process to run as well as the behavior of each while it is running can be altered by the user and stored as a runtime configuration in the database. These settings also control how the task priority is arranged and therefore which sub processes the Assessment Daemon runs and at what times [changing the scanning frequency based on inability or ability to scan]. The results from all of the assessment sub processes are stored back in to the Control Database 170, and these results may lead to the reprioritization of further subtasks [changing a scanning frequency for the computing device associated with the first port scanning task], ¶ 29.  The Port Scanner Daemon 158 must use the Host Port Scanner 130 results as stored in the Control Database 170 as targets for the port scans and must use a priority-based system to determine when to re-scan a host for open ports [changing a scanning frequency for the computing device associated with the first port scanning task], ¶ 30) in order to provide a vulnerability-scanning system with a self-contained scanner and reporting system (¶ 8).
Therefore, based on Currie in view of Gula and Mahjoub, and further in view of Boyter, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Boyter to the system of Currie, Gula and Mahjoub in order to provide a vulnerability-scanning system with a self-contained scanner and reporting system.

With respect to claim 15, Currie, Gula and Mahjoub may not explicitly disclose wherein the steps further comprise, in response to a first computing device having a same or more than a threshold number of failed, slow, incomplete, or anomalous port scans during a configurable number of port scans, reducing a port scanning frequency for the first computing device.
However, Boyter discloses wherein the steps further comprise, in response to a first computing device having a same or more than a threshold number of failed, slow, incomplete, or anomalous port scans during a configurable number of port scans, reducing a port scanning frequency for the first computing device (i.e., Considering the Daemon Supervisor 110, the purpose of the Daemon Supervisor 110 is to start all scanner daemons at system initiation, and ensure that they are restarted upon failure. The Daemon Supervisor module 110 starts when the system boots, and stays running until the system is shutdown. The Supervisor daemon is responsible for starting up and monitoring all of the major subsystems, including the User Interface Gateway 175, the Web Administrator Daemon 114, the Serial Console Daemon 118, the Host Scanner or Discovery Daemon 130, the Assessment Daemon 150, and the OS Detection Daemon 140. Depending upon the configuration, the Daemon Supervisor module 110 instantiates the scanner daemons that then performs work based on database settings. The Daemon Supervisor module 110 keeps tabs on which daemons are running, and restarts any that fail for any reason [in response to a first computing device having a number of failed, slow, incomplete, or anomalous port scans during a configurable number of port scans]. Since this job is so crucial, the Daemon Supervisor 110 receives no other tasking to ensure simplicity and reliability. On system startup, the Supervisor Daemon 110 must reference an externally configurable list of processes stored in the Control Database 170 that need to be started, and starts them. In addition, the Supervisor Daemon 110 must react to watched daemons that terminate by restarting them and logging their need to be restarted. Failure to keep a watched daemon running must generate an alert that is viewable through the Graphical User Interface 185, ¶ 26.  This daemon does not need to do continuous assessments of the hosts, since a one-time process on host detection is sufficient. However, if the probability is below a configurable threshold, a recheck may be warranted after other scanner daemons gather more information about available services on that host [in response to a first computing device having a same or more than a threshold number of failed, slow, incomplete, or anomalous port scans during a configurable number of port scans], ¶ 28.  Considering the Assessment Daemon 150, the purpose of the Assessment Daemon 150 is to start further sub processes based on the priorities and configurations present in the database, e.g., the High Priority Port Scanner Daemon 154, the Port Scanner Daemon 158, and Vulnerability Scanner Daemon 160. The number of each type of sub process to run as well as the behavior of each while it is running can be altered by the user and stored as a runtime configuration in the database. These settings also control how the task priority is arranged and therefore which sub processes the Assessment Daemon runs and at what times [changing the scanning frequency based on inability or ability to scan]. The results from all of the assessment sub processes are stored back in to the Control Database 170, and these results may lead to the reprioritization of further subtasks [reducing a port scanning frequency for the first computing device], ¶ 29.  The Port Scanner Daemon 158 must use the Host Port Scanner 130 results as stored in the Control Database 170 as targets for the port scans and must use a priority-based system to determine when to re-scan a host for open ports [reducing a port scanning frequency for the first computing device], ¶ 30) in order to provide a vulnerability-scanning system with a self-contained scanner and reporting system (¶ 8).
Therefore, based on Currie in view of Gula and Mahjoub, and further in view of Boyter, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Boyter to the system of Currie, Gula and Mahjoub in order to provide a vulnerability-scanning system with a self-contained scanner and reporting system.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAREN M MEANS whose telephone number is (571)270-7202.  The examiner can normally be reached on 12pm-6pm ET.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joon Hwang can be reached on 571-272-4036.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).





Jaren M. Means
/J.M.M./
Patent Examiner
Art Unit 2447	
9/28/2022

/JOON H HWANG/Supervisory Patent Examiner, Art Unit 2447