DETAILED ACTION
This Action is in consideration of the Applicant’s response on July 26, 2022.  Claims 2, 9, 16, and 22 are amended by the Applicant.  Claims 1 – 22, where Claims 1, 8, 15, and 22 are in independent form, are presented for examination.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
	Applicant’s arguments filed July 26, 2022 have been fully considered but they are not persuasive.  Applicant argued:
a)	Regarding Claims 1, 8, 15, and 22, Abdine does not disclose or suggest the “applying [a] set of patches” in a priority order.
b)	Regarding Claims 1, 8, 15, and 22, Abdine does not disclose or suggest of “a score that quantifies a remediation cost.”
c)	Regarding Claims 1, 8, 15, and 22, Abdine does not disclose or suggest of “determining a priority order of applying the set of patches.”
d)	Regarding Claims 1, 8, 15, and 22, Abdine does not disclose or suggest of “applying the set of patches…according to the priority order.”
e)	Regarding Claims 2, 9, and 16, Abdine does not disclose or suggest of “prioritizes for install at least one patch…that is associated with a high severity vulnerability but that has a low remediation cost over a similar high severity vulnerability with higher remediation cost.”
f)	Regarding Claims 3, 10, and 17, Abdine does not disclose or suggest of patch management aspects.
g)	Regarding Claim 22, Abdine does not disclose or suggest the claimed limitations.
h)	Regarding Claims 1, 8, and 15, the combination of Abdine and El Maghraoui is improper.
i)	Regarding Claims 7, 14, and 20, the combination of Abdine and El Maghraoui does not disclose of “wherein the remediation cost for the given patch is also based in part on the patch application history.”
The Office respectfully disagrees with Applicant’s assertions.
1.	With regards to a), the Office reminds the Applicant that the pending claims must be "given the broadest reasonable interpretation consistent with the specification" [In re Prater, 162 USPQ 541 (CCPA 1969)] and "consistent with the interpretation that those skilled in the art would reach" [In re Cortright, 49 USPQ2d 1464 (Fed. Cir. 1999)].   The Applicant’s specification states that “[p]atch management is a strategy for managing patches or upgrades for software applications and technologies” [Para. 0002].
	The Applicant attempts to oversimplify the disclosure of Abdine from an example provided within it [See Remarks, Pg. 8-9].  The Applicant opines that only a single patch is disclosed and not a set of patches [See Remarks, Pg. 8].  As the Applicant acknowledges, the example provided indicates that the SR tool determines details of a vulnerability and provided two solutions to this vulnerability: software patches and a firewall [See Remarks, Pg. 8, citing Abdine, Para. 0030-31].
	Foremost, the firewall is applied to a gateway 118 of the network and comprises software [See Abdine, Fig. 2; Para. 0023, 0030].  Therefore, the firewall being applied to the existing gateway is a “patch” according to the Applicant’s specification; the firewall is a software upgrade for the existing gateway.  The example provided in Abdine, expressly compares the two “patches” to determine which one best meets the constraints provided to the system [Para. 0028, 0031].
Additionally, Abdine discloses that a plurality of vulnerabilities can be addressed simultaneously, such as software bugs, out-of-date software, etc. [See Para. 0027, 0048-49].  The example provided in Abdine which the Applicant tries to pick apart details how one vulnerability can be addressed.  It is clear from Abdine’s disclosure how each of the plurality of vulnerabilities that are found can have their own “patches” that results in a plurality of patches being applied to a system that has a plurality of vulnerabilities even if only one patch is applied for each of the vulnerabilities.  Furthermore, Abdine discloses the these “patches” can be prioritized based on how efficient or effective they are and if they remediate or mitigate more critical vulnerabilities [Para. 0027].  Therefore, Abdine provides patch management and determines a priority order of applying a set of patches.
Also, the claim limitation “receiving a set of patches for install” does not specifically indicate a sequential or temporal relationship with computing a score for a set of patches or of applying the set of patches.  It is not clearly recited that “a set of patches for install” are the same as “a set of patches” that are used to compute the claimed score [See Claim 1, lines 3-5].  
Additionally, “receiving a set of patches for install” does not specifically result in actually installing the set of patches or installing all of the set of patches.  The claim merely recites the “applying [of] the set of patches to the set of computer systems” which may nor may not include installing a portion of the set of patches, disregarding a portion of the set of patches, or performing other functions, such as receiving a set of patches or obtaining authorization or manual interaction from a user [e.g., See PGPub. 2021/0273968, Para. 0053].  There is no positive recitation of installing being performed within the claims.  In other words, “applying the set of patches” may be interpreted as a variety of functions other than actually installing the set of patches.  Therefore, the context the Applicant alleges is not present in the claims; that the entire set of patches are installed in the set of computer systems [See Remarks, Pg. 9, 3rd Para.].
2.	With regards to b), the exact term “score” does not need to be present within the prior art to disclose of a number or value that “quantifies a remediation cost of a patching operation” as claimed.  The claim does not specify how the score is calculated or what it entails.  The claim merely indicates the “score quantifies a remediation cost of a patching operation.”  The monetary value disclosed in Abdine for a patching operation itself quantifies a remediation cost [See Para. 0031].  Without any specific limitations indicating how and with what is used to calculate the score, the claim limitation is not distinguishable over the cited reference.
3.	 With regards to c), the Applicant appears to piecemeal the earlier arguments together to allege that no score is calculated and there is no patch ordering performed based on the score [See Remarks, Pg. 10, 1st Para.].  As indicated above, Abdine discloses of calculating a score (Section 2) and of applying a set of patches in a priority order (Section 1).  The Office reiterates the rebuttals above.  Abdine discloses that the priority can be based on cost [Para. 0027].  Therefore, Abdine disclose the claimed limitation.
4.	With regards to d), the Applicant appears to piecemeal the earlier arguments together to allege that there is no teaching of applying the set of patches…according to the priority order [See Remarks, Pg. 10, 2nd Para.].  The Office reiterates the rebuttals of Section 1) above; particularly that “applying the set of patches” does not specifically indicate that they are installed.  There is no act or step of installing the set of patches recited in the claim.
5.	With regards to e), the Applicant argues that the example provided in Abdine does not prioritize high severity vulnerability [See Remarks, Pg. 12, last Para.].  However, Abdine clearly discloses that the system can rank the “patches” for critical vulnerabilities higher and also use cost, effort, and the like to rank/prioritize the “patches” [Para. 0027].  Therefore, Abdine disclose the claimed limitation.
6.	With regards to f), the Applicant appears to reiterate the arguments presented for “patch management” and “for install” [See Remarks, Pg. 13, 2nd Para.].  The Office reiterates the rebuttals of Section 1. above.
7.	With regards to g), the Applicant appears to reiterate the arguments presented for “score” and “applying the set of patches based at least in part on the scores” [See Remarks, Pg. 13, 3rd Para.].  The Office reiterates the rebuttals of Sections 1 and 2 above.
	The limitation “patch tooling” is not specifically described to perform any specific function.  There Applicant also provides no clear arguments regarding this limitation, but merely recites it [See Remarks, 3rd Para.].
	The Office also reiterates the rebuttal of Section 5 for the amended limitation that are similar in scope to the amendment of Claim 2.
8.	With regards to h), the Applicant alleges there are differences between the cited references based on Graham factual findings [See Remarks, Pg. 14, 2nd Para.].  It is unclear how the Applicant has outlined the Graham differences with respect to Abdine in any of the earlier comments [See Remarks, Pg. 14, 3rd Para.].  Graham factors are implemented for 103 rejections, not 102 rejections.  Furthermore, any alleged differences between Abdine and the claim limitations have been rebutted in the sections above.
	The Applicant further summarizes the disclose of El Maghraoui then provides no argument to the cited portions of El Maghraoui, but appears to rely on the arguments regarding Abdine [See Remarks, Pg. 15, 2nd Para.].
	The implementation of El Maghraoui into an alternative 103 rejection with Abdine was made by the Office in anticipation of any potential argument that “applying the set of patches to the set of computer systems” may be interpreted as installing the set of patches [See Non-Final Rejection, dated April 28, 2022 (hereinafter “Non-Final OA”), Pg. 7].  As indicated above in Section 1, there is no recitation of any claim limitation that requires the installation of the set of patches.  As stated in the Non-Final OA, El Maghraoui discloses of prioritizing patches and installing the at least one software patch [Fig. 5; Para. 0059-61].  Therefore, the 103 rejection is also maintained.
9.	With regards to i), in response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).  
As indicated in the Non-Final OA, the combination of Abdine and El Maghraoui was used to disclose the claimed limitation [See Non-Final OA, Pg. 7].  The Applicant concedes that El Maghraoui discloses the first portion of the claim [See Remarks, Pg. 15, last Para.].  The rejection indicates that the disputed clause is disclosed by Abdine [See Non-Final OA, Pg. 7-8].  No arguments are presented regarding Abdine by the Applicant [See Remarks, Pg. 15, last Para.]. 
Claim Rejections - 35 USC § 102
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1 – 6, 8 – 13, 15 – 19, 21, and 22 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by PGPub. 2012/0185944 (hereinafter “Abdine”).
10.	Regarding Claims 1, 8, and 15, Abdine discloses an apparatus [Figs. 3 and 5], comprising:
a processor [Fig. 5; Para. 0055-56]; 
computer memory holding computer program instructions (Claim 15) executed by the processor for patch management in a computer network [Fig. 3 and 5; Para. 0055-56], the computer program instructions configured to (Claim 1):
receive a set of patches for install in a set of computer systems in the computer network [Fig. 4; Para. 0025, 0027, 0048-49; determine approaches based on vulnerability classes from a knowledgebase for a plurality of vulnerabilities]; 
for each of one or more patches in a set of patches, compute a score that quantifies a remediation cost of a patching operation to install the patch [Fig. 4; Para. 0027, 0030-31, 0050; prioritization for a plurality of vulnerabilities can be any type of analysis that ranks the approaches based on determined efficiency, effectiveness, cost, effort, and/or other factors; e.g., approaches ranked higher that remediate or mitigate more critical vulnerabilities]; 
determine a priority order of applying the set of patches based at least in part on the scores [Fig. 4; Para. 0027, 0030-31, 0050; rank the approaches; prioritization for a plurality of vulnerabilities can be any type of analysis that ranks the approaches based on determined efficiency, effectiveness, cost, effort, and/or other factors; e.g., approaches ranked higher that remediate or mitigate more critical vulnerabilities]; and 
apply the set of patches to the set of computer systems according to the priority order [Fig. 4; Para. 0028-29; after the approaches for a plurality of vulnerabilities are prioritized, recommending and/or selecting the one or more approaches based on comparing the approaches to received constraints and the highest prioritization].
11.	Regarding Claims 2, 9, and 16, Abdine discloses all the limitations of Claims 1, 8, and 15 above.  Abdine further discloses that the priority order prioritizes for install at least one patch in the set of patches that is associated with a high severity vulnerability but that has a low remediation cost over a similar high severity vulnerability with higher remediation cost [Para. 0023, 0027; prioritization for a plurality of vulnerabilities, each with one or more approaches; e.g., ranking the approaches higher that remediate or mitigate the more critical vulnerabilities, which can also factor in cost, effort, complexity].
12. 	Regarding Claims 3, 10, and 17, Abdine discloses all the limitations of Claims 1, 8, and 15 above.  Abdine further discloses that the remediation cost of the patching operation to install the patch is at least one of: a number of patches, a number of registry modifications, a number of system configuration changes, and a combination thereof [Para. 0031; number of patches/system configuration changes (e.g., number of systems to patch) required for remediation].
13.	Regarding Claims 4, 11, and 18, Abdine discloses all the limitations of Claims 1, 8, and 15 above.  Abdine further discloses that the priority order is based at least in part on a vulnerability severity order for a set of vulnerabilities identified for patching by the set of patches [Para. 0027; critical vulnerabilities].
14. 	Regarding Claims 5, 12, and 19, Abdine discloses all the limitations of Claims 1, 8, and 15 above.  Abdine further discloses that the remediation cost for a given patch is determined at least in part by an impact to an availability of the computer system that is a target of the patching operation for the given patch [Para. 0028-29; implementation complexity or effectiveness of the approach].
15. 	Regarding Claims 6, 13, and 20, Abdine discloses all the limitations of Claims 1, 8, and 15 above.  Abdine further discloses that the remediation cost for a given patch is determined at least in part by a criticality of the computer system that is a target of the patching operation for the given patch [Para. 0027; critical vulnerabilities].
16.	Regarding Claim 22, Abdine discloses of a patching system for a computer network [Fig. 1, 3, and 5], comprising: 
at least one hardware processor [Fig. 5; Para. 0055-56]; 
a data store holding a set of patches, the set of patches having an associated vulnerability severity order [Fig. 3, item 124; Para. 0021-25, 0027; knowledgebase includes records of known solutions to vulnerabilities; critical vulnerabilities can be identified]; and 
computer memory storing computer program instructions configured as a vulnerability scoring system [Fig. 3 and 5; Para. 0055-56], the vulnerability scoring system configured to: 
compute a vulnerability remediation complexity (VRC) score for one or more patches in the set of patches [Fig. 4; Para. 0027 0030-31, 0050; prioritization can be any type of analysis that ranks the approaches based on determined efficiency, effectiveness, cost, effort, and/or other factors; e.g., approaches ranked higher that remediate or mitigate more critical vulnerabilities]; 
adjust the vulnerability severity order based at least in part on the computed VRC score for the one or more patches [Fig. 4; Para. 0027 0030-31, 0050; prioritization can be any type of analysis that ranks the approaches based on determined efficiency, effectiveness, cost, effort, and/or other factors; e.g., approaches ranked higher that remediate or mitigate more critical vulnerabilities]; and 
output to patch tooling the adjusted vulnerability severity order [Fig. 4; Para. 0028-29; after the approaches are prioritized, recommending and/or selecting the one or more approaches based on comparing the approaches to received constraints and the highest prioritization], wherein the adjusted vulnerability severity order prioritizes for install at least one patch in the set of patches that is associated with a high severity vulnerability but that has a low remediation cost as reflected by the VRC score over a similar high severity vulnerability with higher remediation cost [Para. 0023, 0027; prioritization for a plurality of vulnerabilities, each with one or more approaches; e.g., ranking the approaches higher that remediate or mitigate the more critical vulnerabilities, which can also factor in cost, effort, complexity].
Claim Rejections - 35 USC § 103
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1 – 6, 8 – 13, and 15 – 20 are, in the alternative, rejected under 35 U.S.C. 103 as obvious over Abdine, in view of PGPub. 2016/02459638 (hereinafter “El Maghraoui”).
17.	Regarding Claims 1, 8, and 15, in the alternative the Applicant opines Abdine does not disclose of “applying the set of patches to the set of computer systems,” the Office relies on El Maghraoui.  As stated above, this alternative rejection is based on a possible argument that “applying” includes the step of installing the set of patches.  The dependent claims are rejected under the same rational above under the 102 rejection.
El Maghraoui discloses a system and method for prioritizing software patches based on confidence scores for the patches and other considerations [Abstract; Fig. 4; Para. 0056, 0058].  El Maghraoui further discloses that once software patches are prioritized, the devices are provided at least one software patch based on a selection result and/or a prioritization result and installing the at least software patch [Fig. 5; Para. 0059-61].  It would have been obvious before the effective filing date of the current application to incorporate the teachings of El Maghraoui with Abdine since both systems prioritize software patches based on various criteria.  The combination would enable to Abdine system to actually implement the remediation measures that were prioritized for the network.  The motivation to do so is to actually implement the remediation measures to repair the network and improve security and operations (obvious to one skilled in the art). 
Claims 7, 14, and 20 are rejected under 35 U.S.C. 103 as obvious over Abdine, in view of El Maghraoui.
18.	Regarding Claims 7, 14, and 20, Abdine discloses all the limitations of Claims 1, 8, and 15 above.  Abdine further discloses of a patch application history, wherein the remediation cost for the given patch is also based at least in part on the patch application history [Para. 0024; knowledgebase has specification of known solutions from developers or vendors of the known security solutions, vulnerability class or classes addressed, cost, effectiveness, complexity, etc.].  Abdine, however, does not specifically disclose of recording a successful application of a given patch to produce the patch application history.
El Maghraoui discloses a system and method for prioritizing software patches based on confidence scores for the patches and other considerations [Abstract; Fig. 4; Para. 0056, 0058].  El Maghraoui further discloses that the prioritization result can be based sentiment analysis of users that have already implemented the software patches [Fig. 7; Para. 0070, 0078].  It would have been obvious before the effective filing date of the current application to incorporate the teachings of El Maghraoui with Abdine since both systems prioritize software patches based on various criteria.  The combination would enable to Abdine system utilize customer inputs and preferences to prioritize and recommend software patches.  The motivation to do so is to improve customer experience with vendor software and associated updates [El Maghraoui; Para. 0005-6].
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Contacts
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Tae K. Kim, whose telephone number is (571) 270-1979.  The examiner can normally be reached on Monday - Friday (10:00 AM - 6:30 PM EST).
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jorge Ortiz-Criado, can be reached on (571) 272-7624.  The fax phone number for submitting all Official communications is (703) 872-9306.  The fax phone number for submitting informal communications such as drafts, proposed amendments, etc., may be faxed directly to the examiner at (571) 270-2979.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov.  Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free).

/TAE K KIM/Primary Examiner, Art Unit 2496