Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Detailed Action
This communication is in response to the application filed on 11/19/2019 in which Claims 1-20 are presented for examination.
Drawings
The applicant’s drawings submitted on 11/19/2019 are acceptable for examination purposes. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.


Claims 1-3 and 5-18 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Ocepek US 20200120126 A1 in view of Sidagni US 10754958 B1.
As claim 1, Ocepek teaches a method for adaptive vulnerability management of a computer system, the method comprising (Ocepek Pa. [0047]) [vulnerability management]: collecting vulnerability information over a network from a publishing source (Ocepek Pa. [0005]) [Vulnerability scan results data corresponding to a network of data processing systems are received from a vulnerability scanner], 
wherein the vulnerability information includes a known vulnerability of a first computer asset (Ocepek Pa. [0033]) [each entry containing an identification number, a description, and at least one public reference for known cybersecurity vulnerabilities], wherein the vulnerability information includes a set of cybersecurity vulnerabilities and exposures (CVEs) published on a public network (Ocepek Pa. [0024]) [vulnerability scan reports; security threat information identifiers, such as Common Vulnerabilities and Exposure (CVE) identification numbers], at least some of the CVEs being in a human-readable format (Ocepek Pa. [0033]) [Security threat information identifiers 228 may be, for example, CVE identification numbers which can be human-readable]; collecting system information of the computer system, the computer system being subject to the vulnerability management (Ocepek Pa. [0047]) [Vulnerability management is a process that involves: 1) performing scanning of a network environment using a vulnerability scanner…], 
It is noted that Ocepek does not explicitly disclose wherein the system information includes information about a second computer asset of the computer system; processing the collected vulnerability information and the collected system information by: interpreting at least some of the human-readable CVEs with natural language processing (NLP) and correlating the interpreted CVEs with the collected system information; and identifying a potential vulnerability of the second computer asset based on a correlation between the interpreted CVEs and the collected system information.  
However, Sidagni discloses wherein the system information includes information about a second computer asset of the computer system (Sidagni Col. 1, lines 62-64) [determine a security vulnerability affecting assets associated with the network environment]; processing the collected vulnerability information and the collected system information by: interpreting at least some of the human-readable CVEs with natural language processing (NLP) (Sidagni Col. 19, lines 31-39) [At 113, CVEs associated with the selected asset may be determined. For example, a security vulnerability and/or exposure may be associated with a CVE data record having a CVE identifier (CVE ID). In some aspects, the asset's identifier (e.g., identifier associated with the asset's infrastructure function within the network environment, identifier associated with the application, etc.) may be utilized to retrieve a set of associated CVE IDs from a database] and correlating the interpreted CVEs with the collected system information; and identifying a potential vulnerability of the second computer asset based on a correlation between the interpreted CVEs and the collected system information (Sidagni Col. 20, lines 40-60) [the base VRS for the CVE may be augmented based on malware correlation. For example, a malware program may be available that correlates with a security vulnerability described by the CVE to compromise assets. In some aspects, a database may be queried (e.g., via REST API) to retrieve a set of correlated malware associated with the CVE ID of the CVE. FIG. 2 illustrates a logic flow diagram in accordance with aspects of the present disclosure that provides additional details regarding how malware is correlated with CVE IDs. The base vulnerability risk score for the CVE may be augmented based on the retrieved set of malware]
Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention that applying the known technique taught by Sidagni to the intrusion detection system of Ocepek would have yielded predictable results and resulted in an improved system, namely, a system that would facilitate vulnerability risk mitigation by identifying, classifying, prioritizing, patching, and/or the like with respect to security vulnerabilities in a network environment (Sidagni Col. 1).

As claim 2, the combination of Ocepek and Sidagni teaches wherein the first computer asset includes a first hardware asset, a first software asset, or a first configuration of a first computer system, and the second computer asset includes a second hardware asset, a second software asset, or a second configuration of the computer system (Sidagni Col. 19, lines 4-22) [an asset as used herein may refer to a physical machine, a virtual machine, an application, a software program, a software program add on, and/or the like]
Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention that applying the known technique taught by Sidagni to the intrusion detection system of Ocepek would have yielded predictable results and resulted in an improved system, namely, a system that would facilitate vulnerability risk mitigation by identifying, classifying, prioritizing, patching, and/or the like with respect to security vulnerabilities in a network environment (Sidagni Col. 1).

As claim 3, the combination of Ocepek and Sidagni teaches wherein processing the collected vulnerability information and the collected system information comprises: correlating the interpreted CVEs with the collected system in accordance with a machine learning (ML) model, the ML model being trained based on the collected system information of the computer system (Sidagni Col. 20, lines 40-60) [the base VRS for the CVE may be augmented based on malware correlation. For example, a malware program may be available that correlates with a security vulnerability described by the CVE to compromise assets. In some aspects, a database may be queried (e.g., via REST API) to retrieve a set of correlated malware associated with the CVE ID of the CVE. FIG. 2 illustrates a logic flow diagram in accordance with aspects of the present disclosure that provides additional details regarding how malware is correlated with CVE IDs. The base vulnerability risk score for the CVE may be augmented based on the retrieved set of malware]
Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention that applying the known technique taught by Sidagni to the intrusion detection system of Ocepek would have yielded predictable results and resulted in an improved system, namely, a system that would facilitate vulnerability risk mitigation by identifying, classifying, prioritizing, patching, and/or the like with respect to security vulnerabilities in a network environment (Sidagni Col. 1).

As claim 5, the combination of Ocepek and Sidagni teaches wherein the correlating comprises: performing a similarity analysis between the first computer asset and the second computer asset (Ocepek Pa. [0047]) [The vulnerability scanner detects and identifies vulnerabilities relating to mis-configured resources or flawed software that resides on a network-based asset] 

As claim 6, the combination of Ocepek and Sidagni teaches wherein the correlating comprises: determining a relevance score of the second computer asset based on the known vulnerability; and identifying the potential vulnerability based on the relevance score (Sidagni Abstract) [A security vulnerability affecting assets associated with the network environment may be determined. A base vulnerability risk score for the security vulnerability may be determined and augmented based on calculated public exploits availability score, malware correlation score, social media mentions risk score, and overall asset risk score to determine an augmented vulnerability risk score]
Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention that applying the known technique taught by Sidagni to the intrusion detection system of Ocepek would have yielded predictable results and resulted in an improved system, namely, a system that would facilitate vulnerability risk mitigation by identifying, classifying, prioritizing, patching, and/or the like with respect to security vulnerabilities in a network environment (Sidagni Col. 1).

As claim 7, the combination of Ocepek and Sidagni teaches performing a risk classification (Ocepek Pa. [0002]) [Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities, particularly in software.] and prioritization of the potential vulnerability based on a multi-class boosted decision forests algorithm (Ocepek Pa. [0001]) [vulnerability scanning and more specifically to prioritizing vulnerability scan results corresponding to a network of data processing systems based on exploit prevalence scoring, Note: “forests algorithm” is well known in the art]

As claim 8, the combination of Ocepek and Sidagni teaches further comprising: estimating a financial risk of the potential vulnerability by performing a risk valuation of the potential vulnerability based on a Monte Carlo simulation by using a beta-PERT distribution (Sidagni Col. 19, lines 4-22) [an asset as used herein may refer to a physical machine, a virtual machine, an application, a software program, a software program add on, and/or the like]. Note: the use of a Monte Carlo simulation with a beta-PERT distribution is a well-known option in the field of intrusion detection that a skilled person would consider without inventive skill.
Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention that applying the known technique taught by Sidagni to the intrusion detection system of Ocepek would have yielded predictable results and resulted in an improved system, namely, a system that would facilitate vulnerability risk mitigation by identifying, classifying, prioritizing, patching, and/or the like with respect to security vulnerabilities in a network environment (Sidagni Col. 1).

As claim 9, the combination of Ocepek and Sidagni teaches further comprising: estimating a financial risk of the potential vulnerability by performing a risk valuation of the potential vulnerability (Ocepek Pa. [0021]) [The vulnerability scanner detects and identifies vulnerabilities relating to mis-configured resources or flawed software that resides on a network-based asset, such as, for example, a firewall, router, web server, application server, client device, and the like]

As claim 10, the combination of Ocepek and Sidagni teaches wherein the vulnerability information comprises a file formatted in JavaScript Object Notation (JSON), Hypertext Markup Language (HTML), or Extensible Markup Language (XML) (Sidagni Col. 14, lines 41-63) [the VRMP database may be implemented using various standard data-structures, such as an array, hash, (linked) list, struct, structured text file (e.g., XML)]
Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention that applying the known technique taught by Sidagni to the intrusion detection system of Ocepek would have yielded predictable results and resulted in an improved system, namely, a system that would facilitate vulnerability risk mitigation by identifying, classifying, prioritizing, patching, and/or the like with respect to security vulnerabilities in a network environment (Sidagni Col. 1).

As claim 11, the combination of Ocepek and Sidagni teaches wherein the publishing source comprises a public national vulnerability database (NVD) that obtains the vulnerability information from a vendor of the first computer asset (Ocepek Pa. [0034]) [software development and sharing websites, vulnerability exploitation databases, and the like]

As claim 12, the combination of Ocepek and Sidagni teaches wherein the publishing source comprises a vendor of the first computer asset and the vulnerability information is obtained directly from the vendor (Ocepek Pa. [0049]) [This information was generated when the vulnerability scanning vendor created the vulnerability definition or signature that was provided as an update to the vulnerability scanner. In cases where the vulnerability garners a great deal of attention by attackers, vulnerability scanner vendors may update select vulnerability definitions]

As claim 13, the combination of Ocepek and Sidagni teaches wherein the potential vulnerability is a first potential vulnerability, and at least some of the CVEs are in a machine-readable format, the method further comprising (Ocepek Pa. [0024]) [vulnerability scan reports; security threat information identifiers, such as Common Vulnerabilities and Exposure (CVE) identification numbers]: identifying a second potential vulnerability of a third computer asset of the computer system based on the correlation between the machine-readable CVEs and the collected system information (Sidagni Abstract) [A security vulnerability affecting assets associated with the network environment may be determined. A base vulnerability risk score for the security vulnerability may be determined and augmented based on calculated public exploits availability score, malware correlation score, social media mentions risk score, and overall asset risk score to determine an augmented vulnerability risk score]
Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention that applying the known technique taught by Sidagni to the intrusion detection system of Ocepek would have yielded predictable results and resulted in an improved system, namely, a system that would facilitate vulnerability risk mitigation by identifying, classifying, prioritizing, patching, and/or the like with respect to security vulnerabilities in a network environment (Sidagni Col. 1).

As claim 14, the combination of Ocepek and Sidagni teaches wherein the publishing source comprises is a vendor of the first computer asset, and collecting the vulnerability information comprises: automatically obtaining vulnerability information periodically over the network from a website administered by the vendor (Ocepek Pa. [0049]) [This information was generated when the vulnerability scanning vendor created the vulnerability definition or signature that was provided as an update to the vulnerability scanner. In cases where the vulnerability garners a great deal of attention by attackers, vulnerability scanner vendors may update select vulnerability definitions]
As claim 15, the combination of Ocepek and Sidagni teaches further comprising: periodically extracting vulnerability information from an online portal (Ocepek Pa. [0062]) [The computer extracts a list of vulnerabilities from the vulnerability scan report (step 404). The computer generates an exploit prevalence score for each vulnerability in the list of vulnerabilities based on a number of current exploit references]

As claim 16, the combination of Ocepek and Sidagni teaches wherein the second computer asset is a software asset, the method further comprising: obtaining a software patch over the network for the software asset (Ocepek Pa. [0033]) [A security patch is a set of software patches for one or more security vulnerabilities]

As claim 17, the combination of Ocepek and Sidagni teaches further comprising: receiving an indication that the potential vulnerability was validated as a vulnerability based on a manual review (Ocepek Pa. [0069]) [systems, validate which vulnerabilities are exploitable to eliminate false positives, automate prioritization of vulnerabilities based on whether a particular vulnerability exploit is weaponized by attackers and the value of the resource or asset at risk]

As to claim 18, claim 18 recites limitations similar to those of claim 1; therefore, it is rejected under the same rationale.

Claims 4, and 19-20 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Ocepek US 20200120126 A1 in view of Sidagni US 10754958 B1 in further view of Pistoia US 20150161393 A1.
As claim 4, the combination of Ocepek and Sidagni does not explicitly disclose wherein the correlating comprises: calculating a Levenshtein distance of the known vulnerability to the second computer asset; ranking the Levenshtein distance as a measure of relevance between the known vulnerability and the second computer asset; and identifying the potential vulnerability based on the rank of the Levenshtein distance to the second computer asset.  
However, Pistoia discloses wherein the correlating comprises: calculating a Levenshtein distance of the known vulnerability to the second computer asset; ranking the Levenshtein distance as a measure of relevance between the known vulnerability and the second computer asset; and identifying the potential vulnerability based on the rank of the Levenshtein distance to the second computer asset (Pistoia Pa. [0021]) [exemplary embodiments herein target the problem of detecting vulnerable instances of information leakage at runtime, during dynamic execution of the target program. This entails using a runtime tracking method that is both efficient and accurate… the similarity is computed between x and y as, e.g., diff(x,y). The "diff(x,y)" is an identifier that signifies the distance between the data values x and y according to some metric space (e.g., Levenshtein distance). If the result shows x and y to be sufficiently similar (e.g., by a predetermined "small" distance such as a few characters or some percentage of the total characters being different, such as 10 percent difference), then the potential information leakage is reported to the user, e.g., along with a quantitative measure of how much information was (or is about to be) leaked.]
Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention that applying the known technique taught by Pistoia to the intrusion detection system of Ocepek and Sidagni would have yielded predictable results and resulted in an improved system, namely, a system that would report leakage vulnerability when there is source-to-sink data flow of sensitive information (Pistoia Pa. [0006]).

As claim 19, the combination of Ocepek, Sidagni and Pistoia teaches wherein the vulnerability is identified based on a calculation of a Levenshtein distance between the known vulnerability and the computer asset (Pistoia Pa. [0021]) [The "diff(x,y)" is an identifier that signifies the distance between the data values x and y according to some metric space (e.g., Levenshtein distance). If the result shows x and y to be sufficiently similar (e.g., by a predetermined "small" distance such as a few characters or some percentage of the total characters being different, such as 10 percent difference), then the potential information leakage is reported to the user, e.g., along with a quantitative measure of how much information was (or is about to be) leaked.]
Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention that applying the known technique taught by Pistoia to the intrusion detection system of Ocepek and Sidagni would have yielded predictable results and resulted in an improved system, namely, a system that would report leakage vulnerability when there is source-to-sink data flow of sensitive information (Pistoia Pa. [0006]).

As to claim 20, claim 20 recites limitations similar to those of claims 1 and 4; therefore, it is rejected under the same rationale.
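
The Levenshtein-based correlation recited in claims 4 and 19 (compute the distance, rank it as a relevance measure, identify candidates from the rank) can be illustrated as follows. This is an added example, not code from the application or from the cited references; the product and asset names, the placeholder vulnerability ID and the function names are constructed, and the 10 percent cutoff borrows the example figure quoted above from Pistoia.

```python
from dataclasses import dataclass


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute; cost 1 each), two-row DP."""
    if len(a) < len(b):
        a, b = b, a                      # keep the inner row the shorter one
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """Lower-case and unify separators so 'Acme_HTTPD' equals 'acme-httpd'."""
    return " ".join(name.lower().replace("-", " ").replace("_", " ").split())


@dataclass(frozen=True)
class Match:
    asset: str
    distance: int
    ratio: float   # distance / longer length; 0.0 means identical


def rank_assets(vuln_product: str, assets: list[str]) -> list[Match]:
    """Rank inventory entries by closeness to the vulnerable product name."""
    v = normalize(vuln_product)
    matches = []
    for asset in assets:
        n = normalize(asset)
        d = levenshtein(v, n)
        matches.append(Match(asset, d, d / max(len(v), len(n), 1)))
    return sorted(matches, key=lambda m: (m.ratio, m.asset))


def potential_vulnerabilities(vuln_product: str, assets: list[str],
                              max_ratio: float = 0.10) -> list[Match]:
    """Keep ranked assets whose relative distance is within the cutoff."""
    return [m for m in rank_assets(vuln_product, assets) if m.ratio <= max_ratio]


# Constructed sample data (placeholder ID, fictional product names).
KNOWN_VULN = {"id": "CVE-PLACEHOLDER-0001", "product": "acme-httpd"}
INVENTORY = ["widget-db", "acme-ftpd", "Acme_HTTPD", "acme-httpd2"]

if __name__ == "__main__":
    for m in rank_assets(KNOWN_VULN["product"], INVENTORY):
        flag = "CANDIDATE" if m.ratio <= 0.10 else "-"
        print(f"{KNOWN_VULN['id']}  {m.asset:<12} d={m.distance} "
              f"ratio={m.ratio:.2f} {flag}")
```

String distance only proposes candidates: the sibling product `acme-ftpd` is two edits away and falls outside the cutoff here, but on short names a small edit distance can join unrelated products, so a flagged asset still needs a version or identifier check before it is treated as affected.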

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EVANS DESROSIERS whose telephone number is (571)270-5438. The examiner can normally be reached Monday - Thursday 7:00 am - 5:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B. Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/EVANS DESROSIERS/Primary Examiner, Art Unit 2491