Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Interpretation
	Claims 9-16, directed to a computer readable storage media, have been considered under 35 U.S.C. 101. Paragraph 0032 of the specification states: “A computer readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire.” Therefore, claims 9-16 are considered statutory.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-25, 8-13 and 16-20 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by US 2014/00775560 to Guy et al.

Regarding claim 1, Guy teaches a computer-implemented method for improving static analyzer output (figs 1A & 1B, paragraph 0028: property manager 110 is configured to determine the number of static variables through which data flow within the candidate security vulnerability), comprising: 
receiving, by one or more processors, a labeled data set comprising labeled true vulnerabilities and labeled false vulnerabilities of a static analyzer output (0036: FIGS. 2A and 2B: two candidate security vulnerabilities, labeled A and B.  0044: A is manually classified as a "false positive" while B is classified as a "true" security vulnerability); 
receiving pretrained contextual embeddings from a contextual embeddings model (0045: Machine learning techniques are then applied to determine the correlations between the property values of A and B and the classifications given to A and B. 0004: using a set of correlations between property values and classifications of security vulnerabilities to classify the candidate security vulnerability with a classification selected from the set of predefined classifications that best correlates with the property values of the candidate security vulnerability); 
mapping the true vulnerabilities and the false vulnerabilities to the pretrained contextual embeddings (0045:  X is determined to be a useful differentiator between the "true" and "false positive" classifications, mapping the "true" classification to a high value and the "false positive" classification to a low value. Y, on the other hand, correlates the same property value to both classifications, and is thus not a useful differentiator between the "true" and "false positive" classifications); and 
generating a fine-tuned model comprising classifications for true vulnerabilities (fig. 2A, 206 and 2B, 212).

Regarding claim 2, Guy teaches the method of claim 1, comprising: receiving a new data set comprising vulnerabilities labeled by a static analyzer; and identifying, using the fine-tuned model, a falsely labeled vulnerability in the new data set (figs 2a and 2b, identifying candidate security vulnerabilities within a learning set of computer software applications. 0020: a human operator may use classifier 106 to manually classify a candidate security vulnerability in set 102 as "false positive").

Regarding claim 3, Guy teaches the method of claim 1, comprising: receiving a new data set comprising vulnerabilities labeled by a static analyzer; and ranking, using the fine-tuned model, the vulnerabilities in the new data set, wherein the ranking corresponds to a likelihood that each vulnerability is a true vulnerability or a false vulnerability (0034: Values for predefined properties are determined each of the candidate security vulnerabilities (step 204). Correlations are determined between the property values and the classifications of the security vulnerabilities (step 206), preferably by employing machine learning techniques such as the k-means algorithm.).

Regarding claim 4, Guy teaches the method of claim 1, comprising: receiving a new data set comprising vulnerabilities labeled by a static analyzer; and classifying, using the fine-tuned model, the vulnerabilities in the new data set, wherein the classification corresponds to a type of vulnerability (0003: classifying each of the candidate security vulnerabilities with any classification selected from a set of predefined classifications, determining, for each of the candidate security vulnerabilities, values for a plurality of predefined properties).

Regarding claim 5, Guy teaches the method of claim 1, wherein the contextual embeddings comprise classifications generated from algorithms trained using source code (0030: the classifications of the security vulnerabilities in set 102, preferably by employing machine learning techniques such as the k-means algorithm.).

Regarding claim 8, Guy teaches the method of claim 1, wherein the true vulnerabilities and the false vulnerabilities are manually labeled (0044: A is manually classified as a "false positive" while B is classified as a "true" security vulnerability.).

As per claims 9-13 and 16, and claims 17-20, these are the computer program product and system versions of the claimed method discussed above in claims 1-5 and 16, wherein all claimed limitations have also been addressed and/or cited as set forth above.
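The method recited in claims 1 through 4 above (a labeled set of true and false findings from static analyzer output, frozen pretrained contextual embeddings, a fine-tuned model, and then identification and ranking of false positives in a new data set) is illustrated by the following Python example. It is added here and is not code from the application, the Guy reference, or any other cited document. The embedding table, the analyzer findings, their labels and the finding identifiers are constructed stand-ins, the substring matching that stands in for a tokenizer is a toy, and the logistic-regression head stands in for whatever fine-tuned model the claims contemplate.

```python
"""Toy version of the claimed pipeline: a frozen, constructed 'pretrained contextual
embedding' table, findings embedded as the mean of their token vectors, and a
logistic-regression head fine-tuned on manually labeled true/false findings.
All embeddings, findings, labels and identifiers below are constructed."""
import math

DIM = 4  # constructed embedding width (loosely: source, sink, sanitizer, neutral)

# Constructed stand-in for pretrained contextual embeddings. The head is not told
# what any dimension means; it must learn which directions separate the classes.
EMBEDDINGS = {
    "request.args":   (0.90, 0.10, 0.00, 0.10),
    "request.form":   (0.85, 0.10, 0.05, 0.10),
    "cursor.execute": (0.10, 0.90, 0.00, 0.10),
    "subprocess.run": (0.15, 0.85, 0.05, 0.10),
    "os.system":      (0.10, 0.90, 0.05, 0.05),
    "int(":           (0.05, 0.10, 0.80, 0.10),
    "escape(":        (0.00, 0.10, 0.90, 0.05),
    "params=":        (0.05, 0.15, 0.85, 0.10),
    "shlex.quote":    (0.00, 0.10, 0.90, 0.05),
    "logger.info":    (0.10, 0.20, 0.10, 0.80),
    "return":         (0.10, 0.10, 0.10, 0.90),
    "=":              (0.10, 0.10, 0.10, 0.90),
}

# Constructed static-analyzer findings with manual labels (True = real vulnerability).
LABELED = [
    ("query = request.args.get('id'); cursor.execute('SELECT * FROM users WHERE name = ' + query)", True),
    ("cmd = request.form['host']; os.system('ping ' + cmd)", True),
    ("subprocess.run(request.args['cmd'], shell=True)", True),
    ("uid = int(request.args['id']); cursor.execute('SELECT * FROM users WHERE id=%s', params=(uid,))", False),
    ("host = shlex.quote(request.form['host']); os.system('ping ' + host)", False),
    ("name = escape(request.args['name']); logger.info(name); return name", False),
]

# Constructed 'new data set': findings the analyzer labeled as vulnerabilities.
NEW_FINDINGS = [
    ("SA-101", "cursor.execute('DELETE FROM t WHERE id=' + request.args['id'])"),
    ("SA-102", "uid = int(request.args['id']); cursor.execute(q, params=(uid,))"),
    ("SA-103", "os.system('ls ' + request.args['dir'])"),
]


def embed_finding(snippet):
    """Map a finding to the mean embedding of every vocabulary entry it contains
    (substring matching is a toy tokenizer); unknown text maps to the zero vector."""
    vecs = [v for tok, v in EMBEDDINGS.items() if tok in snippet]
    if not vecs:
        return [0.0] * DIM
    return [sum(v[i] for v in vecs) / len(vecs) for i in range(DIM)]


def _sigmoid(z):
    # Numerically safe logistic function.
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)


def train_head(labeled, epochs=4000, lr=1.0):
    """Fine-tune a logistic-regression head on the frozen embeddings with batch
    gradient descent; returns (weights, bias)."""
    data = [(embed_finding(s), 1.0 if y else 0.0) for s, y in labeled]
    w, b, n = [0.0] * DIM, 0.0, len(labeled)
    for _ in range(epochs):
        gw, gb = [0.0] * DIM, 0.0
        for x, y in data:
            err = _sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            for i in range(DIM):
                gw[i] += err * x[i]
            gb += err
        w = [wi - lr * gi / n for wi, gi in zip(w, gw)]
        b -= lr * gb / n
    return w, b


def predict_proba(model, snippet):
    """Probability that a finding is a true vulnerability."""
    w, b = model
    x = embed_finding(snippet)
    return _sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)


def training_accuracy(model, labeled):
    hits = sum((predict_proba(model, s) >= 0.5) == bool(y) for s, y in labeled)
    return hits / len(labeled)


def identify_false_positives(model, findings, threshold=0.5):
    """Claim 2: findings the analyzer flagged that the model scores as false."""
    return [fid for fid, s in findings if predict_proba(model, s) < threshold]


def rank_findings(model, findings):
    """Claim 3: order new findings by likelihood of being a true vulnerability."""
    scored = [(fid, predict_proba(model, s)) for fid, s in findings]
    return sorted(scored, key=lambda t: t[1], reverse=True)


MODEL = train_head(LABELED)

if __name__ == "__main__":
    for fid, p in rank_findings(MODEL, NEW_FINDINGS):
        print(f"{fid}: p(true) = {p:.3f}")
    print("likely false positives:", identify_false_positives(MODEL, NEW_FINDINGS))
```

The 0.5 decision threshold is an assumption; in practice it would be tuned on held-out labeled findings, and the ranking alone is what a triage queue would consume.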

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 6 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Guy as applied to claims 1-5 and 9-13 above, and further in view of Carback III et al., US 2015/0363294.

Regarding claims 6 and 14, Guy lacks or does not expressly disclose using comments. However, Carback III teaches wherein the contextual embeddings comprise classifications generated from algorithms trained using comments related to the source code (0098: the extracted document artifacts from sources such as source comments). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Guy with Carback III to include extracting information from source comments in order to implement a deep learning algorithm for vulnerability patches, as taught by Carback III, paragraph 0098.

Claims 7 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Guy as applied to claims 1 and 9 above, and further in view of Lospinuso et al., US 2019/0250911.

Regarding claims 7 and 15, Guy lacks or does not expressly disclose a binary classification of vulnerabilities. However, Lospinuso teaches wherein the fine-tuned model comprises a selection from the group consisting of a first model for binary classification of vulnerabilities, a second model for multi-class classification of the vulnerabilities, and a third model for ranking the likelihood that the vulnerabilities are false vulnerabilities (0015: Such classification of software binaries). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Guy with Lospinuso to include binary classification in order to perform software vulnerability analyses, as taught by Lospinuso, paragraph 0015.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
JP 2008171397 teaches determining the structural characteristics of the back-end processes of web applications and, with this knowledge, conducting vulnerability assessments. The reference states that its invention allows security professionals to complete the assessment much faster and substantially eliminates false positives, so that a vulnerability discovered during the assessment is a true vulnerability.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AUBREY H WYSZYNSKI whose telephone number is (571)272-8155. The examiner can normally be reached M-F 9-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KAMBIZ ZAND can be reached on 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/AUBREY H WYSZYNSKI/
Examiner, Art Unit 2434

/KAMBIZ ZAND/
Supervisory Patent Examiner, Art Unit 2434