DETAILED ACTION
This Office Action is in response to application 17/222,345 filed on April 05, 2021.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-20 are pending and herein considered.

Notice of AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 04/05/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-4, 7-8, 11-13, 16 and 18 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by Joshi et al. (Joshi) U.S. Pub. Number 2014/0337974.
Regarding claim 1; Joshi discloses a system, comprising:
a processor that executes the following computer-executable components stored in memory:
a knowledge induction component that populates a package ontology for a range of packages with relationship data extracted from a plurality of disparate package-related sources (para. [0058] data is received from data sources, which can be traditional data sources 120 and/or nontraditional data sources 130. Then, at step 410, relevant information is extracted from the data received. Next, at step 420, the information extracted is asserted using terms in the ontology. At step 430, the asserted information is accumulated); and
a vulnerability component that identifies an implicit vulnerability impacting the range of packages using the package ontology and a vulnerability record regarding an explicit vulnerability for a package within the range of packages (para. [0063] reasoning logic module 110B, which receives data from the traditional data sources 120 and/or the nontraditional data sources 130, receives knowledge …and receives reasoning logic rules to determine the possibility of a threat or attack; para. [0076] the reasoning logic rule…consists of some `vulnerability terms`, mentions some `security exploit`, has a text mentioning a certain product (with some specific version)).

Regarding claim 2; Joshi discloses the system of claim 1, wherein the plurality of disparate package-related data sources comprises unstructured data (para. [0015] detecting cyber intrusions that collaboratively utilizes information from structured and unstructured data sources).

Regarding claim 3; Joshi discloses the system of claim 1, wherein the plurality of disparate package-related sources includes package documentation data, vulnerability descriptive data, code repository data, or a combination thereof (para. [0041] Structured text data is defined herein as text data that has been categorized and/or organized based on predetermined categories and/or formats; para. [0042] provide structured text data in that they list vulnerabilities and exposures, categorize them by type and severity).

Regarding claim 4; Joshi discloses the system of claim 1, wherein the knowledge induction component populates the package ontology with the relationship data by evaluating vulnerability descriptive data to identify sentences that reference terms indicative of vulnerabilities (para. [0080] using a set of features for proper identification of concepts from the input text. Several cybersecurity-related blogs, security bulletins and CVE descriptions were analyzed, and a set of key classes that are relevant in terms of data representation of a vulnerability were identified). 

Regarding claim 7; Joshi discloses the system of claim 1, wherein the relationship data includes intra-package relationship data, inter-package relationship data, or a combination thereof (para. [0050] traditional data sources 120 and nontraditional data sources 130 can be deployed enterprise wide and also across enterprise boundaries).

Regarding claim 8; Joshi discloses the system of claim 1, wherein the relationship data includes a first knowledge graph comprising intra-package relationship data and a second knowledge graph comprising inter-package relationship data (para. [0068] Each of the classes of the ontology have properties which give important information regarding that class. For example, the `system` class has properties like `hasMaliciousProcess`, `maliciousProcessDetails`, `hasAffectedProduct`, `affectedProductDetails`, `outboundAccess`, `portDetails` etc. which map information from a network activity monitor 120A and unstructured text data from a nontraditional data source 130).

Regarding claim 11; Joshi discloses the system of claim 1, further comprising:
a validation component that modifies the package ontology via a feedback mechanism (para. [0062] Data from the traditional data sources 120 and nontraditional data sources 130 are used to continuously update the knowledge base in the knowledge base module 110C via the ontology module 110A).

Regarding claims 12-13 and 16; claims 12-13 and 16 are directed to a computer implemented method which has similar scope as claims 1, 3 and 8, respectively. Therefore, claims 12-13 and 16 remain un-patentable for the same reasons.

Regarding claim 18; claim 18 is directed to a computer program product which has similar scope as claim 1. Therefore, claim 18 remains un-patentable for the same reasons.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 5 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Joshi et al. (Joshi) U.S. Pub. Number 2014/0337974, in view of Hovor et al. (Hovor) U.S. Pub. Number 2016/0065599.
Regarding claim 5; Joshi discloses the system of claim 1.
Joshi does not disclose, which Hovor discloses wherein the knowledge induction component populates the package ontology with the relationship data by evaluating sentences of vulnerability descriptive data to identify basic entities, and wherein the sentences of vulnerability descriptive data comprise terms indicative of vulnerabilities (Hovor: para. [0134] create a data construct, e.g., specific to vulnerabilities, for the particular sentence. The data construct may include information representing the sentence; para. [0135] the parser may determine that a first sentence, “The impact from vulnerabilities can expose a Denial-of-Service (DoS) condition,” in a particular document or paragraph is an indicator of compromise, using the pattern “denial of service.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Joshi to provide populates the package ontology with the relationship data by evaluating sentences of vulnerability descriptive data to identify basic entities, and wherein the sentences of vulnerability descriptive data comprise terms indicative of vulnerabilities, as taught by Hovor. The motivation would be to prevent, or reduce the likelihood, of a malicious actor exploiting the vulnerability.

Regarding claim 14; claim 14 is directed to a computer implemented method which has similar scope as claim 5. Therefore, claim 14 remains un-patentable for the same reasons.

Claims 6, 15 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Joshi et al. (Joshi) U.S. Pub. Number 2014/0337974, in view of Wentz U.S. Pub. Number 2020/0320340. 
Regarding claim 6; Joshi discloses the system of claim 1.
Joshi does not disclose, which Wentz discloses wherein the knowledge induction component populates the package ontology with the relationship data by concatenating continuous sequences of noun phrases and identified basic entities within sentences of vulnerability descriptive data to build candidate N-gram entities, and wherein the sentences of vulnerability descriptive data comprise terms indicative of vulnerabilities (Wentz: para. [0073] training data 200 may include one or more elements that are not categorized… in a corpus of text, phrases making up a number “n” of compound words, such as nouns modified by other nouns, may be identified according to a statistically significant prevalence of n-grams containing such words in a particular order; such an n-gram may be categorized as an element of language such as a “word” to be tracked similarly to single words, generating a new category as a result of statistical analysis).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Joshi to provide wherein the knowledge induction component populates the package ontology with the relationship data by concatenating continuous sequences of noun phrases and identified basic entities within sentences of vulnerability descriptive data to build candidate N-gram entities, and wherein the sentences of vulnerability descriptive data comprise terms indicative of vulnerabilities, as taught by Wentz. The motivation would be to provide determining a degree of correlation between two or more variables, or the like (i.e. expressing a degree to which the safety, security, or authenticity of a process, device, or datum may be relied upon).

Regarding claim 15; claim 15 is directed to a computer implemented method which has similar scope as claim 6. Therefore, claim 15 remains un-patentable for the same reasons.

Regarding claim 19; claim 19 is directed to a computer program product which has similar scope as claim 6. Therefore, claim 19 remains un-patentable for the same reasons.

Claims 9-10, 17 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Joshi et al. (Joshi) U.S. Pub. Number 2014/0337974, in view of Salem et al. (Salem) U.S. Pub. Number 2022/0019659. 
Regarding claim 9; Joshi discloses the system of claim 8.
Joshi does not disclose, which Salem discloses wherein the vulnerability component identifies the implicit vulnerability by traversing the first and second knowledge graphs to identify another package within the range of packages that is dependent on a component of the package that is affected by the explicit vulnerability (Salem: para. [0123] Individually, each decision tree of a random forest may comprise a branching structure, wherein each branch is navigated by determining if a specific n-gram is present in the stream of bytes or each if the specific n-gram counter is greater than, less than, or equal to a specific value).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Joshi to provide identifies the implicit vulnerability by traversing the first and second knowledge graphs to identify another package within the range of packages that is dependent on a component of the package that is affected by the explicit vulnerability, as taught by Salem. The motivation would be to prevent, detect, and respond to malicious threats.

Regarding claim 10; Joshi discloses the system of claim 1. 
Joshi does not disclose, which Salem discloses further comprising:
a bootstrap component that bootstraps the package ontology using data mined from a curated knowledge graph (Salem: para. [0123] before reaching a probability determination of whether executable code is present in the code section. However, in some embodiments, shallower (i.e. less nodes) trees may be preferable because of bootstrap aggregation).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Joshi to provide a bootstrap component that bootstraps the package ontology using data mined from a curated knowledge graph, as taught by Salem. The motivation would be to provide determination of whether executable code is present in the code section (i.e. improves the stability and accuracy of a model by reducing variance and avoiding overfitting of the training data). 

Regarding claim 17; claim 17 is directed to a computer implemented method which has similar scope as claim 9. Therefore, claim 17 remains un-patentable for the same reasons.

Regarding claim 20; Joshi discloses the computer program product of claim 18, wherein the relationship data includes a first knowledge graph comprising intra-package relationship data and a second knowledge graph comprising inter-package relationship data (para. [0068] Each of the classes of the ontology have properties which give important information regarding that class. For example, the `system` class has properties like `hasMaliciousProcess`, `maliciousProcessDetails`, `hasAffectedProduct`, `affectedProductDetails`, `outboundAccess`, `portDetails` etc. which map information from a network activity monitor 120A and unstructured text data from a nontraditional data source 130).
Joshi does not disclose, which Salem discloses wherein the processor identifies the implicit vulnerability by traversing the first and second knowledge graphs to identify another package within the range of packages that is dependent on a component of the package that is affected by the explicit vulnerability (Salem: para. [0123] Individually, each decision tree of a random forest may comprise a branching structure, wherein each branch is navigated by determining if a specific n-gram is present in the stream of bytes or each if the specific n-gram counter is greater than, less than, or equal to a specific value).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Joshi to provide identifies the implicit vulnerability by traversing the first and second knowledge graphs to identify another package within the range of packages that is dependent on a component of the package that is affected by the explicit vulnerability, as taught by Salem. The motivation would be to prevent, detect, and respond to malicious threats.

Examiner’s remarks
Applicant is encouraged to contact the examiner to discuss a proposed amendment to expedite prosecution.

Related Art
The following prior art made of record and cited on PTO-892, but not relied upon, is considered pertinent to applicant’s disclosure:
Hewlett et al. U.S. Pub. No. 2021/0021611 - Hewlett teaches N-gram analysis is performed on a sequence of received packets associated with a received file. Performing the n-gram analysis includes using at least one stored sample classification model. A determination is made that the received file is malicious based at least in part on the n-gram analysis of the sequence of received packets. In response to determining that the file is malicious, propagation of the received file is prevented.

U.S. Publication No. 2008/0082380 to Stephenson - Stephenson teaches evaluating a system having at least one portal is provided, wherein the method includes examining the at least one portal to identify at least one accessible portal, performing a qualitative analysis responsive to the at least one accessible portal, performing a quantitative analysis responsive to the qualitative analysis and generating a risk profile responsive to the performing a qualitative analysis and the performing a quantitative analysis.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VU V TRAN whose telephone number is (571) 270-1708. The examiner can normally be reached on M-F, 8 AM - 4 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/VU V TRAN/               Primary Examiner, Art Unit 2491