DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to the application filed on 09/28/2020. Claims 1-22 are examined.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claim(s) 1-12, 15-20 is/are rejected under 35 U.S.C. 102(a)(1) as being Anticipated by Carver (U.S. 20180124098).

Regarding claim 1,
A system for assessing software vulnerability, comprising: a memory to store executable instructions; and a processor adapted to access the memory, the processor further adapted to execute the executable instructions stored in the memory to ([0069, Fig 1-100] The process 600 will be described as being performed by a computer system comprising one or more computers, for example, the system 100 as shown in FIG. 1): access an automated triage rule library ([0041] The analyst investigations 120 includes data that are related to analyst actions taken in response to different types of security incidents. The analyst investigations 120 may include actions performed in response to a trojan attack, a malware attack, etc. The analyst investigations 120 may include actions such as querying different databases of the threat intelligence engine 112 and different external verification engines 114) comprising a plurality of pre-defined automated triage policies ([0005] The system also includes a scoring system and event triage engine that is configured to analyze the actions of the one or more workflows and of the particular workflow, and based on analyzing the actions of the one or more workflows and of the particular workflow, select a primary workflow as a workflow to respond to the computer security threat… [0044] The automated incident investigation engine 104 may then use the total confidence score to identify instructions for the response engine 126) corresponding to a plurality of predetermined vulnerability types ([0044] the ASSET engine 117 may perform the scoring of the paths and identify paths for each workflow for each type of incident… The automated incident investigation engine 104 may then use the total confidence score to identify instructions for the response engine 126), wherein each automated triage policy comprises a decision tree for determining whether one of the plurality of predetermined vulnerability types is exploitable ([0065] FIG. 5 illustrates an example binary tree 500 for identifying actions to respond to a computer security threat or incident); access a machine learning model library ([0020] The system may be able to learn and improve its threat response over time using machine learning techniques) for probabilistic determination of whether one of the predetermined plurality of predetermined vulnerability types is exploitable ([0044] the ASSET engine 117 may perform the scoring of the paths and identify paths for each workflow for each type of incident… The automated incident investigation engine 104 may then use the total confidence score to identify instructions for the response engine 126); obtain an electronic document listing potential vulnerability issues of a software product based on source code of the software product ([0033] the computer security alert 102 also includes data that specifically identifies the type of incident; [0059] Path 420a-424a includes an analysis… software data); determine whether the potential vulnerability issues are associated with one of the plurality of predetermined vulnerability types ([0005] the computer security threat and that each identify one or more actions to remediate the computer security threat); and when it is determined that the potential vulnerability issues are associated with the one of the plurality of predetermined vulnerability types ([0007] actions performed in response to the computer security threat), determine whether the software product ([0059] Path 420a-424a includes an analysis… software data) is exploitable based ([0059] Process 400a includes four paths taken by one or more analysts in response to malware 402a incident) on processing the electronic document ([0033] the computer security alert 102 also includes data that specifically identifies the type of incident; [0058] The processes 400a to 400e (FIGS. 4A-4E) illustrate a critical path analysis algorithm and record manual incident investigations by analysts and replicates them in automated workflows that can be used to update workflows in the automated investigation engine to provide new investigative paths and its associated scores. After each step of an investigation by an analyst is recorded, the engine determines which paths have been taken most often by the analysts) using an automated triage policy ([0058] the automated investigation engine to provide new investigative paths and its associated scores) retrieved from the automated triage rule library([0041] The analyst investigations 120 includes data that are related to analyst actions taken in response to different types of security incidents. The analyst investigations 120 may include actions performed in response to a trojan attack, a malware attack, etc. The analyst investigations 120 may include actions such as querying different databases of the threat intelligence engine 112 and different external verification engines 114) associated with the one of the plurality of predetermined vulnerability types ([0007] actions performed in response to the computer security threat) and a corresponding decision tree ([0058] That path is added as an additional branch to the workflow that may be analyzed by the binary tree traversal model), otherwise determine probabilistically ([0044] the ASSET engine 117 may perform the scoring of the paths and identify paths for each workflow for each type of incident… The automated incident investigation engine 104 may then use the total confidence score to identify instructions for the response engine 126) whether the software product is exploitable ([0059] Process 400a includes four paths taken by one or more analysts in response to malware 402a incident) based on processing the Page 24Attorney Docket No. 15718-761electronic document ([0033] the computer security alert 102 also includes data that specifically identifies the type of incident; [0058] The processes 400a to 400e (FIGS. 4A-4E) illustrate a critical path analysis algorithm and record manual incident investigations by analysts and replicates them in automated workflows that can be used to update workflows in the automated investigation engine to provide new investigative paths and its associated scores. After each step of an investigation by an analyst is recorded, the engine determines which paths have been taken most often by the analysts) using a machine learning model from the machine learning model library ([0020] The system may be able to learn and improve its threat response over time using machine learning techniques).

Regrading claim 2 and 16,
Carver discloses: The system of claim 1, 
Carver further discloses: wherein the decision tree comprises a set of progressively ordered automated triage methods ([0066] The example binary tree 500 includes three paths. The first path A-B-C begins with checking running processes 505, then comparing process identifiers to network statistics 510, and then comparing external IP addresses to a virus database 515. The second path A-D-E begins with checking running processes 505, then comparing processes to a bad process list 520, and then checking startup for persistent processes 525. The third path A-D-F begins with checking running processes 505, then comparing processes to a bad process list 520, and then checking the registry for startup processes 530).

Regarding claim 3 and 17,
Carver discloses: The system of claim 2, 
Carver further discloses: wherein each automated triage method in the automated triage policy is configured to generate a triage output ([0035] In another exemplary implementation, the automated incident investigation engine 104 generates a memory threat confidence score as a result of executing the memory investigative path) when processing the electronic document ([0033] the computer security alert 102 also includes data that specifically identifies the type of incident; [0058] The processes 400a to 400e (FIGS. 4A-4E) illustrate a critical path analysis algorithm and record manual incident investigations by analysts and replicates them in automated workflows that can be used to update workflows in the automated investigation engine to provide new investigative paths and its associated scores. After each step of an investigation by an analyst is recorded, the engine determines which paths have been taken most often by the analysts).

Regarding claim 4 and 18, 
Carver discloses: The system of claim 3, 
Carver further discloses: wherein the triage output from each automated triage method comprises one of triage determinations indicating that the software product is unexploitable, is exploitable, or that an exploitability of the software product is undetermined ([0010] The system may also include an asset scoring engine that is configured to receive data identifying a computing device associated with the computer security threat, and determine a criticality score based on a user of the computing device and data stored on the computing device. The automated incident investigation engine may also be configured to process the computer security threat according to the particular workflow based on the criticality score satisfying a threshold; [0012] data that identifies a computer security threat).

Regarding claim 5 and 19.
Carver discloses: The system of claim 4, wherein the processor is adapted to determine whether the software product is exploitable based on the automated triage policy
Carver further discloses: by invoking the automated triage methods of the automated triage policy progressively ([0066] The example binary tree 500 includes three paths. The first path A-B-C begins with checking running processes 505, then comparing process identifiers to network statistics 510, and then comparing external IP addresses to a virus database 515. The second path A-D-E begins with checking running processes 505, then comparing processes to a bad process list 520, and then checking startup for persistent processes 525. The third path A-D-F begins with checking running processes 505, then comparing processes to a bad process list 520, and then checking the registry for startup processes 530) according to the decision tree ([0066] The example binary tree 500 includes three paths. The first path A-B-C begins with checking running processes 505, then comparing process identifiers to network statistics 510, and then comparing external IP addresses to a virus database 515. The second path A-D-E begins with checking running processes 505, then comparing processes to a bad process list 520, and then checking startup for persistent processes 525. The third path A-D-F begins with checking running processes 505, then comparing processes to a bad process list 520, and then checking the registry for startup processes 530) when output of the automated triage methods indicates that the software product is exploitable or that the exploitability of the software product is undetermined ([0010] The system may also include an asset scoring engine that is configured to receive data identifying a computing device associated with the computer security threat, and determine a criticality score based on a user of the computing device and data stored on the computing device. The automated incident investigation engine may also be configured to process the computer security threat according to the particular workflow based on the criticality score satisfying a threshold; [0012] data that identifies a computer security threat), and by terminating the decision tree ([0066] The example binary tree 500 includes three paths. The first path A-B-C begins with checking running processes 505, then comparing process identifiers to network statistics 510, and then comparing external IP addresses to a virus database 515. The second path A-D-E begins with checking running processes 505, then comparing processes to a bad process list 520, and then checking startup for persistent processes 525. The third path A-D-F begins with checking running processes 505, then comparing processes to a bad process list 520, and then checking the registry for startup processes 530) when an triage output of unexploitable is obtained ([0010] The automated incident investigation engine may also be configured to process the computer security threat according to the particular workflow based on the criticality score satisfying a threshold).

Regarding claim 6 and 20,
Carver discloses: The system of claim 3, wherein each automated triage method of the automated triage policy comprises
Carver further discloses: a codified version of one or more triage algorithms ([0007] actions performed in response to the computer security threat; [0058] The processes 400a to 400e (FIGS. 4A-4E) illustrate a critical path analysis algorithm and record manual incident investigations by analysts and replicates them in automated workflows that can be used to update workflows in the automated investigation engine to provide new investigative paths and its associated scores) for determining a triagePage 25Attorney Docket No. 15718-761 output as an answer to a predetermined triage inquiry among a predetermined inquiry tree of the automated triage policy ([0007] actions performed in response to the computer security threat; [0041] The analyst investigations 120 includes data that are related to analyst actions taken in response to different types of security incidents. The analyst investigations 120 may include actions performed in response to a trojan attack, a malware attack, etc. The analyst investigations 120 may include actions such as querying different databases of the threat intelligence engine 112 and different external verification engines 114).

Regarding claim 7, 
Carver discloses: The system of claim 6, wherein each triage policy and the automated triage methods 
Carver further discloses: are established based on a set of guidelines ([0043] The continuous machine learning processes and the cognitive processing techniques therefore assist the incident triage scoring engine 124 to reach an improved and acceptable confidence level that the workflow (e.g. the selected primary workflow) being executed is properly analyzing the security threat or incident) derived based on separate contextual data, experiential data, and computational data ([0009] The automated incident investigation engine may be further configured to process the computer security threat according to the particular workflow using log data that is associated with a computing device that is associated with the computer security threat and databases that include information related to IP addresses associated with the computing device and information related to processes associated with the computing device).

Regarding claim 8, 
Carver discloses: The system of claim 7, wherein the set of guidelines
Carver further discloses: are encoded in a predefined format ([0007] actions performed in response to the computer security threat) that is processed to generate the codified version of the one or more triage algorithms ([0007] actions performed in response to the computer security threat; [0058] The processes 400a to 400e (FIGS. 4A-4E) illustrate a critical path analysis algorithm and record manual incident investigations by analysts and replicates them in automated workflows that can be used to update workflows in the automated investigation engine to provide new investigative paths and its associated scores).

Regarding claim 9,
Carver discloses: The system of claim 1, wherein the processor is further adapted to: 
Carver further discloses: scan the source code of the software product ([0035] For example, an investigative path may analyze network features, such as IP addresses, processes, modified or newly created files, memory, registry, software, etc) to detect the potential vulnerability issues and generate the electronic document ([0033] the computer security alert 102 also includes data that specifically identifies the type of incident; [0059] Path 420a-424a includes an analysis… software data); based on the detected potential vulnerability issues ([0005] the computer security threat and that each identify one or more actions to remediate the computer security threat).

Regarding claim 10 and 21,
Carver discloses: The system of claim 9, wherein the processor is adapted to determine probabilistically whether the software product is exploitable by: 
Carver further discloses: extracting features from the electronic document for each potential vulnerability issue ([0033] the computer security alert 102 also includes data that specifically identifies the type of incident); determining a vector based on the extracted features; selecting one of a plurality of vulnerability-scoring models based on the vector, the vulnerability-scoring models selected from the machine learning model library ([0044] the ASSET engine 117 may perform the scoring of the paths and identify paths for each workflow for each type of incident… The automated incident investigation engine 104 may then use the total confidence score to identify instructions for the response engine 126); and Page 26Attorney Docket No. 15718-761 determining a vulnerability accuracy score based on the vector using the selected one of the vulnerability-scoring models ([0020] The system may use the outcome of an assessment and response sequence to further train the system to improve the speed and accuracy of future assessment and response sequences, thus continuously improving the security and performance of the system; [0067] Prior to analyzing each of the paths of the binary tree, each node is assigned a score based how accurately the node reflects the risk to an organization upon receipt of an incident. Depending on the network structure and computing device distribution and setup, different organizations may provide varying levels of accuracy to assess risk upon performing a particular analysis. In the binary tree 500, comparing external IP addresses to a virus database 515 may be assigned a score of ten (10) because when an external IP address is associated with a virus in the virus database, there is a high probability that the incident is legitimate).

Regarding claim 11,
Carver discloses: The system of claim 10, wherein the processor is further adapted to: 
Carver further discloses: receive a set of policy data or business rules; compare the extracted features relative to the set of policy data or business rules; and, determine a token based on the scanned source code corresponding to at least one of the detected potential vulnerability issues ([0040] In addition to these threat confidence scores, the system 100 also calculates a criticality score based on the importance of the endpoint. The importance of an endpoint may be representative of the particular user; [0067] Depending on the network structure and computing device distribution and setup, different organizations may provide varying levels of accuracy to assess risk upon performing a particular analysis. In the binary tree 500, comparing external IP addresses to a virus database 515 may be assigned a score of ten (10) because when an external IP address is associated with a virus in the virus database, there is a high probability that the incident is legitimate; [0034] The automated incident investigation engine 104 receives that computer security alert 102 and generates and assigns a threat confidence score; [0044] the automated incident investigation engine 104 calculates a total confidence score based on the criticality score and the confidence scores for each of the paths. The automated incident investigation engine 104 may then use the total confidence score to identify instructions for the response engine 126).
	
	Regarding claim 12,
	Carver discloses: The system of claim 11,
Carver further discloses: wherein the vector is based on the token ([0020] The system may use the outcome of an assessment and response sequence to further train the system to improve the speed and accuracy of future assessment and response sequences, thus continuously improving the security and performance of the system).
	
Regarding claim 15,
A method for assessing software vulnerability, comprising the steps of: accessing an automated triage rule library ([0041] The analyst investigations 120 includes data that are related to analyst actions taken in response to different types of security incidents. The analyst investigations 120 may include actions performed in response to a trojan attack, a malware attack, etc. The analyst investigations 120 may include actions such as querying different databases of the threat intelligence engine 112 and different external verification engines 114) comprising a plurality of pre-defined automated triage policies ([0005] The system also includes a scoring system and event triage engine that is configured to analyze the actions of the one or more workflows and of the particular workflow, and based on analyzing the actions of the one or more workflows and of the particular workflow, select a primary workflow as a workflow to respond to the computer security threat… [0044] The automated incident investigation engine 104 may then use the total confidence score to identify instructions for the response engine 126) corresponding to a plurality of predetermined vulnerability types ([0044] the ASSET engine 117 may perform the scoring of the paths and identify paths for each workflow for each type of incident… The automated incident investigation engine 104 may then use the total confidence score to identify instructions for the response engine 126), wherein each automated triage policy comprises a decision tree for determining whether one of the plurality of predetermined vulnerability types is exploitable ([0065] FIG. 5 illustrates an example binary tree 500 for identifying actions to respond to a computer security threat or incident); accessing a machine learning model library ([0020] The system may be able to learn and improve its threat response over time using machine learning techniques) for probabilistic determination of whether one of the predetermined plurality of predetermined vulnerability types is exploitable ([0044] the ASSET engine 117 may perform the scoring of the paths and identify paths for each workflow for each type of incident… The automated incident investigation engine 104 may then use the total confidence score to identify instructions for the response engine 126); obtaining an electronic document listing potential vulnerability issues of a software product based on source code of the software product ([0059] Path 420a-424a includes an analysis… software data); determining whether the potential vulnerability issues are associated with one of the plurality of predetermined vulnerability types ([0005] the computer security threat and that each identify one or more actions to remediate the computer security threat); and when it is determined that the potential vulnerability issues are associated with the one of the plurality of predetermined vulnerability types ([0007] actions performed in response to the computer security threat), determining whether the software product ([0059] Path 420a-424a includes an analysis… software data) is exploitable based ([0059] Process 400a includes four paths taken by one or more analysts in response to malware 402a incident) on processing the electronic document ([0058] The processes 400a to 400e (FIGS. 4A-4E) illustrate a critical path analysis algorithm and record manual incident investigations by analysts and replicates them in automated workflows that can be used to update workflows in the automated investigation engine to provide new investigative paths and its associated scores. After each step of an investigation by an analyst is recorded, the engine determines which paths have been taken most often by the analysts) using an automated triage policy ([0058] the automated investigation engine to provide new investigative paths and its associated scores) retrieved from the automated triage rule library ([0041] The analyst investigations 120 includes data that are related to analyst actions taken in response to different types of security incidents. The analyst investigations 120 may include actions performed in response to a trojan attack, a malware attack, etc. The analyst investigations 120 may include actions such as querying different databases of the threat intelligence engine 112 and different external verification engines 114) associated with the one of the plurality of predetermined vulnerability types ([0007] actions performed in response to the computer security threat) and a corresponding decision tree ([0058] That path is added as an additional branch to the workflow that may be analyzed by the binary tree traversal model), otherwise determining probabilistically ([0044] the ASSET engine 117 may perform the scoring of the paths and identify paths for each workflow for each type of incident… The automated incident investigation engine 104 may then use the total confidence score to identify instructions for the response engine 126) whether the software product is exploitable ([0059] Process 400a includes four paths taken by one or more analysts in response to malware 402a incident) based on processing the Page 24Attorney Docket No. 15718-761electronic document ([0058] The processes 400a to 400e (FIGS. 4A-4E) illustrate a critical path analysis algorithm and record manual incident investigations by analysts and replicates them in automated workflows that can be used to update workflows in the automated investigation engine to provide new investigative paths and its associated scores. After each step of an investigation by an analyst is recorded, the engine determines which paths have been taken most often by the analysts) using a machine learning model from the machine learning model library ([0020] The system may be able to learn and improve its threat response over time using machine learning techniques).

Regarding claim 22,
A non-transitory computer-readable medium including instructions configured to be executed by a processor, wherein the executed instructions are adapted to cause the processor to: access an automated triage rule library ([0041] The analyst investigations 120 includes data that are related to analyst actions taken in response to different types of security incidents. The analyst investigations 120 may include actions performed in response to a trojan attack, a malware attack, etc. The analyst investigations 120 may include actions such as querying different databases of the threat intelligence engine 112 and different external verification engines 114) comprising a plurality of pre-defined automated triage policies ([0005] The system also includes a scoring system and event triage engine that is configured to analyze the actions of the one or more workflows and of the particular workflow, and based on analyzing the actions of the one or more workflows and of the particular workflow, select a primary workflow as a workflow to respond to the computer security threat… [0044] The automated incident investigation engine 104 may then use the total confidence score to identify instructions for the response engine 126) corresponding to a plurality of predetermined vulnerability types ([0044] the ASSET engine 117 may perform the scoring of the paths and identify paths for each workflow for each type of incident… The automated incident investigation engine 104 may then use the total confidence score to identify instructions for the response engine 126), wherein each automated triage policy comprises a decision tree for determining whether one of the plurality of predetermined vulnerability types is exploitable ([0065] FIG. 5 illustrates an example binary tree 500 for identifying actions to respond to a computer security threat or incident); access a machine learning model library ([0020] The system may be able to learn and improve its threat response over time using machine learning techniques) for probabilistic determination of whether one of the predetermined plurality of predetermined vulnerability types is exploitable ([0044] the ASSET engine 117 may perform the scoring of the paths and identify paths for each workflow for each type of incident… The automated incident investigation engine 104 may then use the total confidence score to identify instructions for the response engine 126); obtain an electronic document listing potential vulnerability issues of a software product based on source code of the software product ([0033] the computer security alert 102 also includes data that specifically identifies the type of incident; [0059] Path 420a-424a includes an analysis… software data); determine whether the potential vulnerability issues are associated with one of the plurality of predetermined vulnerability types ([0005] the computer security threat and that each identify one or more actions to remediate the computer security threat); and when it is determined that the potential vulnerability issues are associated with the one of the plurality of predetermined vulnerability types ([0007] actions performed in response to the computer security threat), determine whether the software product ([0059] Path 420a-424a includes an analysis… software data) is exploitable based ([0059] Process 400a includes four paths taken by one or more analysts in response to malware 402a incident) on processing the electronic document ([0033] the computer security alert 102 also includes data that specifically identifies the type of incident; [0058] The processes 400a to 400e (FIGS. 4A-4E) illustrate a critical path analysis algorithm and record manual incident investigations by analysts and replicates them in automated workflows that can be used to update workflows in the automated investigation engine to provide new investigative paths and its associated scores. After each step of an investigation by an analyst is recorded, the engine determines which paths have been taken most often by the analysts) using an automated triage policy ([0058] the automated investigation engine to provide new investigative paths and its associated scores) retrieved from the automated triage rule library([0041] The analyst investigations 120 includes data that are related to analyst actions taken in response to different types of security incidents. The analyst investigations 120 may include actions performed in response to a trojan attack, a malware attack, etc. The analyst investigations 120 may include actions such as querying different databases of the threat intelligence engine 112 and different external verification engines 114) associated with the one of the plurality of predetermined vulnerability types ([0007] actions performed in response to the computer security threat) and a corresponding decision tree ([0058] That path is added as an additional branch to the workflow that may be analyzed by the binary tree traversal model), otherwise determine probabilistically ([0044] the ASSET engine 117 may perform the scoring of the paths and identify paths for each workflow for each type of incident… The automated incident investigation engine 104 may then use the total confidence score to identify instructions for the response engine 126) whether the software product is exploitable ([0059] Process 400a includes four paths taken by one or more analysts in response to malware 402a incident) based on processing the Page 24Attorney Docket No. 15718-761electronic document ([0033] the computer security alert 102 also includes data that specifically identifies the type of incident; [0058] The processes 400a to 400e (FIGS. 4A-4E) illustrate a critical path analysis algorithm and record manual incident investigations by analysts and replicates them in automated workflows that can be used to update workflows in the automated investigation engine to provide new investigative paths and its associated scores. After each step of an investigation by an analyst is recorded, the engine determines which paths have been taken most often by the analysts) using a machine learning model from the machine learning model library ([0020] The system may be able to learn and improve its threat response over time using machine learning techniques).

	Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claim 13-14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Carver (U.S. 2000000000), in view of S. Gowda, D. Prajapati, R. Singh and S. S. Gadre, "False Positive Analysis of Software Vulnerabilities Using Machine Learning," 2018 IEEE International Conference on Cloud Computing in Emerging Markets (CCEM), 2018, pp. 3-6, doi: 10.1109/CCEM.2018.00010).

Regarding claim 13,
Carver discloses: The system of claim 10, wherein the processor is further adapted 
Carver does not disclose: to display the vulnerability accuracy score to a user.
However, in the same field of endeavor Gowda teaches: to display the vulnerability accuracy score to a user (pg. 4 tables 5-6).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Gowda in the accuracy scores of Gowda by displaying the scores. This would have been obvious because the person having ordinary skill in the art would have been motivated in order to show actual accuracy of predictions (Gowda Pg. 6 IV. Conclusion Para. 1).

Regarding claim 14,
Carver discloses: The system of claim 1, wherein the machine learning model library comprises 
Carver does not disclose: a plurality of random forest machine learning models.
However, in the same field of endeavor Gowda teaches: a plurality of random forest machine learning models.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Gowda in the machine learning model library of Carver by using random forests. This would have been obvious because the person having ordinary skill in the art would have been motivated because Random forest classifier algorithms have the highest actual accuracy as they are best suited for categorical and nonlinear data which is the case with false positive analysis (Gowda Pg. 6 IV. Conclusion Para. 2).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's
disclosure.
Beck 8/22/2019 (US 2019) teaches secure communication platforms to review and examine potential cyber threats.

Any inquiry concerning this communication or earlier communications from the examiner
should be directed to THOMAS A CARNES whose telephone number is (571)272-4378. The examiner can
normally be reached Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a
USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use
the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor,
Shewaye Gelagay can be reached on (571) 272-4219. The fax phone number for the organization where
this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from
Patent Center. Unpublished application information in Patent Center is available to registered users. To
file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit
https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and
https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional
questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like
assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or
571-272-1000.
/T.A.C./
Examiner, Art Unit 2436

/AMIE C. LIN/Primary Examiner, Art Unit 2436