DETAILED ACTION
This office action is in response to the correspondence filed on 01/26/2021. This application has a provisional 62/965925 filed 01/26/2020. Claims 1-17 are pending and are examined.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

Priority
Applicant's claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. 


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 9-13 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention. 
Regarding claims 9-13, specifically independent claim 9, “the scanner” in the second limitation was never recited before. There is insufficient antecedent basis for this limitation in the claim. 
Regarding claim 13, “the device being scanned can be identified…” is recited in the claims. Optional language lacks weight and limitations including “can be” are indefinite because it is unclear as to whether or not they are positively recited limitations. Also see MPEP § 2173.05(d).


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-8 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Hanson (US Pub No. 2011/0277034 A1, referred to as Hanson).
	Regarding claim 1, Hanson anticipates,
	1. A method for determining vulnerabilities in devices comprising:
listening to traffic, by an inspection server, between a scanner and a host computer; and
analyzing the traffic, by the inspection server, to determine vulnerabilities in the host computer. (Hanson: Fig. 3; [0010]; passive vulnerability scanners (inspection server) may be distributed at various locations in the network to monitor traffic (listening) traveling across the network, including traffic originating from the remote network and/or directed to the remote network. [0009]; active vulnerability scanners (scanner).  [0010]; hosts in network.) 


	Regarding claim 2, Hanson anticipates,
2. The method of claim 1, wherein the analyzing the traffic includes determining that the traffic is traffic of a scanning session. (Hanson: Fig. 3; [0010]; the passive vulnerability scanners may generally sniff packets traveling across, originating from, or directed to the network to identify (determining) new hosts, open ports, client/server applications, vulnerabilities, network sessions (scanning session), or information associated with the activity that occurs in the network.)


	Regarding claim 3, Hanson anticipates,
3. The method of claim 2, wherein the analyzing the traffic includes identifying features of the scanning session traffic including, one or more of:
protocols; (Hanson: [0014]; relationships between ports, vulnerabilities, Internet Protocol (IP) addresses, and/or other assets in the network. [0036]; observing a Transmission Control Protocol (TCP) SYN-ACK packet originating from a particular port on a particular device.)
source communication ports; 
destination communication ports; (Hanson: [0010]; the passive vulnerability scanners may generally sniff packets traveling across, originating from, or directed to the network to identify new hosts, open ports (source/destination ports), client/server applications, vulnerabilities, network sessions, or information associated with the activity that occurs in the network.)
scanned vulnerabilities; (Hanson: [0010]; the passive vulnerability scanners may generally sniff packets traveling across, originating from, or directed to the network to identify new hosts, open ports, client/server applications, vulnerabilities (scanned vulnerabilities), network sessions, or information associated with the activity that occurs in the network.)
number of bytes sent;
number of bytes received;
call direction; and,
response codes.


	Regarding claim 4, Hanson anticipates,
4. The method of claim 3, wherein the protocols include communication protocols. (Hanson: [0014]; relationships between ports, vulnerabilities, Internet Protocol (IP) addresses, and/or other assets in the network. [0036]; observing a Transmission Control Protocol (TCP) SYN-ACK packet originating from port twenty-five on a particular device.))


	Regarding claim 5, Hanson anticipates,
5. The method of claim 3, wherein the analyzing the traffic of the scanning session includes selecting one or more of the identified features from the scanning session traffic. (Hanson: [0011]; the log correlation engine may aggregate the normalized events with information describing the snapshot of the network obtained by the active vulnerability scanners and/ or the network traffic observed by the passive vulnerability scanners. As such, the log correlation engine may analyze and correlate the events contained in the logs, the information describing the observed network traffic, and/or the information describing the snapshot of the network to automatically detect statistical anomalies, correlate intrusion events or other events with the vulnerabilities and assets in the network.)


	Regarding claim 6, Hanson anticipates,
6. The method of claim 5, wherein the analyzing the traffic of the scanning session additionally comprises:
applying an algorithm to the selected one or more identified features to determine whether there are vulnerabilities in the devices. (Hanson: [0036]; observing a Transmission Control Protocol (TCP) SYN-ACK packet originating from port twenty-five on a particular device. From analyzing SYN and SYN-ACK packets in the packet stream (identified features), the passive vulnerability scanner may determine a status, identity, or other information describing devices and services that participate in the sessions observed in the network (an algorithm is used to determine/identify).)


	Regarding claim 7, Hanson anticipates,
7. The method of claim 6, wherein the vulnerabilities include known vulnerabilities. (Hanson: [0037]; the passive vulnerability scanners performing simple banner analysis to identify known vulnerability signatures.)


	Regarding claim 8, Hanson anticipates,
8. The method of claim 7, wherein the devices include host computers. (Hanson: [0010]; hosts in network.)


Claims 9-17 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Schmidt (US Pub No. 2002/0199120 A1, referred to as Schmidt).
	Regarding claim 9, Schmidt anticipates,
9. A method for detecting the location of vulnerabilities in devices along a network, comprising:
determining the existence of vulnerabilities in at least one device from the traffic of a scanning session; (Schmidt: Fig. 1; [0028]; the bridge 20, continuously (continuous scanning session) determines if suspicious activity (vulnerabilities) is present in or indicated by the network traffic it is receiving from the ISP12 and/or the user network 14. [0015]; the user network comprises one or more network servers and client computer devices 18.)
determining the zone direction of the scanner that detected the vulnerability, the zone direction including one of a trusted zone or an untrusted zone. (Schmidt: Fig. 1; [0028]; Claim 5; analyzing incoming and outgoing network data traffic to determine if the network data traffic relates to at least one of unauthorized access to the bridge from the public computer network, unauthorized access to the bridge from the private computer network, unauthorized access to the private computer network from the public computer network, a port scan performed on the bridge, execution of an attack script originating from the public computer network and targeting a computer on the private computer network, execution of an attack script originating on the private network and targeting a computer on the public computer network (suspicious activity direction is determined between the public/untrusted network/zone and private/trusted network/zone).)


	Regarding claim 10, Schmidt anticipates,
10. The method of claim 9, wherein the zone direction is determined based on one or more parameters including:
Internet Protocol (IP) address of a scanner;
network subnet/net range of the scanner; or,
knowledge of the network architecture associated with the device being scanned resides in a trusted or untrusted zone. (Schmidt: Fig. 1; [0028]; Claim 5; analyzing incoming and outgoing network data traffic to determine if the network data traffic relates to at least one of unauthorized access to the bridge from the public computer network, unauthorized access to the bridge from the private computer network, unauthorized access to the private computer network from the public computer network, a port scan performed on the bridge, execution of an attack script originating from the public computer network and targeting a computer on the private computer network, execution of an attack script originating on the private network and targeting a computer on the public computer network (network architecture is known, i.e. public/untrusted network/zone vs. private/trusted network/zone).)


	Regarding claim 11, Schmidt anticipates,
11. The method of claim 10, wherein if the scanner resides in an untrusted zone, the device being scanned is open to vulnerabilities outside of the trusted zone. (Schmidt: Fig. 1; [0028]; Claim 5; continuously determines if suspicious activity is present in or indicated by the network traffic it is receiving from the internet service provider (ISP) 12 and/or the user network 14. Suspicious activity is defined as any unauthorized or undesired access or attempted access to the bridge 20 and/or the network 14 by others via ISP 12 (if suspicious activity is found in an untrusted zone/internet, the device is open to vulnerabilities outside of the trusted zone).)


	Regarding claim 12, Schmidt anticipates,
12. The method of claim 11, wherein outside of the trusted zone includes the Internet. (Schmidt: Fig. 1; [0015]; an internet service provider (ISP) 12 that provides a connection by which a user network 14 is able to access the internet (internet is outside user the network 14/trusted zone).) 


	Regarding claim 13, Schmidt anticipates,
13. The method of claim 10, wherein if the scanner resides in a trusted zone, the device being scanned can be identified as being open to vulnerabilities. (Schmidt: Fig. 1; [0028]; Claim 5; continuously determines if suspicious activity is present in or indicated by the network traffic it is receiving from the ISP12 and/or the user network 14. Suspicious activity is defined to include any unauthorized or undesired activity by users of the network 14 with respect to sending data to and/or receiving data from the ISP12 via bridge 20 or any unauthorized or undesired activity by user's of the network 14 with respect to the bridge 20, itself (if suspicious activity is found in a trusted zone/user network, the device can be identified as being open to vulnerabilities).)


	Regarding claim 14, Schmidt anticipates,
14. A system for determining vulnerabilities in devices comprising:
a memory; (Schmidt: [0016].)
a processor coupled to the memory, the processor programmed with executable instructions (Schmidt: [0016], [0018].) to determine whether detected traffic is that of a scanning session and if so, determining vulnerabilities in devices; (Schmidt: Fig. 1; [0028]; the bridge 20, continuously (there is a continuous scanning session) determines if suspicious activity (vulnerabilities) is present in or indicated by the network traffic it is receiving from the ISP12 and/or the user network 14.)
a listener for listening to the traffic of the scanning session; (Schmidt: Fig. 1; [0028]; Claim 1; a bridge (receiver/listener in the bridge) receives (listening) incoming network data traffic.)
a feature extractor for extracting features from the traffic of the scanning session; and, (Schmidt: [0037]; extracting or locating select header information of the e-mail (features can be extracted from traffic. [0038]; the bridge 20 executes one or more virus scan programs).) 
a feature aggregator for selecting extracted features and applying an algorithm for the features to detect vulnerabilities in the devices. (Schmidt: [0038]; the bridge 20 executes one or more virus scan programs to scan the incoming e-mail in an effort to identify any viruses within the e-mail using a pattern matching algorithm or the like.)


	Regarding claim 15, Schmidt anticipates,
15. The system of claim 14, wherein the extracted features include one or more of:
protocols;
source communication ports; (Schmidt: [0037]; the select header information can include, e.g., the sender, path, subject, etc. In a step 62'-e, the bridge 20 compares the select header information with a list of known header values that indicate a malicious or potentially malicious e-mail or simply undesirable e-mail such as e-mail originating from or that has been forwarded by a domain that indicates adult content.)
destination communication ports;
scanned vulnerabilities; (Schmidt: [0038]; the bridge 20 executes one or more virus scan programs to scan the incoming e-mail in an effort to identify any viruses (scanned vulnerabilities) within the e-mail using a pattern matching algorithm or the like.) 
number of bytes sent;
number of bytes received;
call direction; and,
response codes.


	Regarding claim 16, Schmidt anticipates,
16. The system of claim 14, additionally comprising: a zone direction detector for detecting the zone direction of a scanner associated with the scanning session for the traffic. (Schmidt: Fig. 1; [0028]; Claim 5; analyzing incoming and outgoing network data traffic to determine if the network data traffic relates to at least one of unauthorized access to the bridge from the public computer network, unauthorized access to the bridge from the private computer network, unauthorized access to the private computer network from the public computer network, a port scan performed on the bridge, execution of an attack script originating from the public computer network and targeting a computer on the private computer network, execution of an attack script originating on the private network and targeting a computer on the public computer network (suspicious activity direction is determined between the public and private network).)


	Regarding claim 17, Schmidt anticipates,
17. The system of claim 16, wherein the zone direction detector analyzes parameters including one or more of: the Internet Protocol (IP) address of the scanner, network subnet/net range of the scanner, or, previous knowledge of the specific network architecture of where the device being scanned resides. (Schmidt: Fig. 1; [0028]; Claim 5; analyzing incoming and outgoing network data traffic to determine if the network data traffic relates to at least one of unauthorized access to the bridge from the public computer network, unauthorized access to the bridge from the private computer network, unauthorized access to the private computer network from the public computer network, a port scan performed on the bridge, execution of an attack script originating from the public computer network and targeting a computer on the private computer network, execution of an attack script originating on the private network and targeting a computer on the public computer network (network architecture is known, i.e. public network vs. private network).)


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Gupta; Rajarshi				US-PGPUB		US 20200412728 A1		Selectively protected devices and public network.
Jeyaraman; Sundararaman et al.	USPAT			US 10855700 B1	network traffic transits into a trusted zone established by the enterprise network from an untrusted network such as a public network (e.g., the Internet).
Willebeek-LeMair, Marc  et al.		US-PGPUB		US 20030204632 A1	Network security system integration.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to KA SHAN CHOY whose telephone number is (571) 272-1569.  The examiner can normally be reached on MON - FRI: 9AM-5:30PM EST Alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571) 272-3685.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KA SHAN CHOY/Examiner, Art Unit 2435