DETAILED ACTION
The following is final office action in response to applicant’s amendments filed on 11/02/2020 for response of office action mailed on 07/31/2020. Claim 1, 2, 3, 6, 8, 9, 11, 12, 15, 17 and 18 are amended. No claim is added. Claim 4 is cancelled. Claims 1-3 and 5-20 are pending.
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant’s amendment to claim 3, filed on 11/02/2020, with respect to claim objection has been considered and the objection have been withdrawn.
Applicant’s amendment to claim 8, filed on 11/02/2020, with respect to rejection under 35 U.S.C 112 indefinite (indefinite) has been considered and the amendment overcame the rejection. The rejection has been withdrawn. 
Applicant’s amendment to claim 9, filed on 11/02/2020, with respect to rejection under 35 U.S.C 112 indefinite (indefinite) has been considered and the amendment did not overcome the rejection. The rejection has been sustained. 
Regarding the arguments on independent claim 1, on page 11-15, independent claim 1 has been amended to incorporate the new limitation: wherein the third application executes after execution of the second application has completed execution, wherein the second application is placed into a wait state until the first application has completed execution, and wherein the third application is placed into a wait state until the first application has completed execution and the second application has completed execution. Independent claims 11 and 17 have a similar added limitation. Applicant’s amendments to claims, filed on 11/02/2020, necessitated the new grounds of rejection presented in this office action. Hence, applicant’s arguments have been considered but are moot in view of the new grounds of rejection. 
Applicant presents no further arguments.
For the above reasons, it is believed that the rejections should be sustained. Accordingly, THIS
ACTION IS MADE FINAL. See MPEP 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 9 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention
Regarding claim 9, the scope of “exiting one of the fourth application or the fifth application that has not executed based on one of a status command or expiration of a predetermined amount of time” is not clear. If the application has not been executed, not clear why need exiting. For the examination purpose, examiner interprets the limitation as “exiting one of the fourth application or the fifth application based on one of a status command or expiration of a predetermined amount of time”.  


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:

2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claim 1-3, 10-13, and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Chesla (US20160021056) in view of Jones et al. (US20150288712, hereinafter Jones), and further in view of Imanishi (US20070033651).
Regarding claim 1, 11 and 17, Chesla teaches a system for improved cybersecurity intelligence by launching applications ahead of time (Chesla: Abstract: a system and method for adaptively securing a protected entity against cyber-threats), comprising: a non-transitory memory; one or more hardware processors coupled to the non-transitory memory and configured to read instructions from the non-transitory memory to cause the system to perform operations (Chesla: Para. 0016: The system comprises: a processor; and a memory) comprising: receiving, over a communications network, signals about potential cyber-threat and security/risk intelligent feed (Chesla: Para. 0016: receiving a plurality of signals from the plurality of security services, wherein each signal of the plurality of signals is generated with respect to a potential cyber-threat; Para. 0060: The north bound interface 240 interfaces between the security stack module 111 and one or more external systems (not shown). The external systems may include, for example, third party security analytics systems, security intelligence feeds, security portals, datacenter orchestration control systems, identity management systems, or any other system that can provide information to the security stack module 111; Para. 0121: At S740, various feeds received during the runtime of the application are received and analyzed. Such feeds may include signals (e.g., SoAs) generated by security services, risk intelligence feeds, and the like. The risk intelligence feeds may be provided by a security service configured to detect new threats or from external systems communicatively connected to the cyber-security system); determining whether a performance of an orchestrated response is triggered based on the at least one threat model, wherein the orchestrated response includes a plurality of applications to be executed in a predetermined sequence (Chesla: Para. 0016: generating at least one security event respective of the plurality of received signals; determining if the at least one security event satisfies the at least one workflow rule; Para. 0077: the correlation of various feeds is performed by a set of workflow (or correlation) rules which are processed and applied by a controller of a security application…… The workflow rules are set respective of the attacks that the cyber-security system 100 can handle. That is, in an exemplary implementation, a set of workflow rules is defined for each different type of threat; Para. 0073: the cyber-security system 100 is designed to activate/deactivate, and correlate between security applications in unit 210 and security services in the unit 220, in order to define, create, or otherwise program a robust solution for detecting and mitigating attacks against the protected entity. The sequence for activating, deactivating, and correlating the various functions and modules of the cyber-security system 100, is based on one or more workflow rules. In an embodiment, the detection, investigation and/or mitigation functions are performed in the system 100 based on at least one workflow rule defined to handle a certain threat; Para. 0099: An application checks if one and/or any combination of the received signals satisfy at least one event rule. The event rules are further correlated to check if they satisfy a workflow rule. Events that satisfy at least one workflow rule will trigger an action such as, but not limited to, a mitigation action, an investigation action, and so on); and launching, when the performance of the orchestrated response is triggered, a first application,  a second application, and a third application of the plurality of applications of the orchestrated response, wherein the second application executes after execution of the first application has completed execution, wherein the third application executes after execution of the second application has completed execution (Chesla: Para. 0016: upon determining that the at least one security event satisfies the workflow rule, generating at least one action with respect to the potential cyber-threat; Para. 0106: The security events 630 are correlated by the security application 521 using the workflow rule 640. As noted above, security events 630 that satisfy at least one workflow rule 640 will trigger an action such as, but not limited to, a mitigation action, an investigation action, and so on. As an example, a workflow rule 640 can correlate between a reputation event and a user anomaly event. In an embodiment, the workflow rules 640 can be defined for the different phases of the operation of the system security application 521, i.e., a detection phase, an investigation phase, and a mitigation phase; Para. 0129: As a non-limiting example for the operation of the method disclosed herein, a security application includes a first security service configured to detect an abnormal activity, a second service configured to investigate the abnormal activity, and a third security service configured to mitigate an attack. Specifically, the first security service is configured to detect a range of source IP addresses from the Internet that are acting in an anomaly manner (e.g., seems like a “user-password” cracking brute force activities). A workflow rule defines that the first service is configured with indicates that, when suspicious sources are detected, the second security service is triggered; Para. 0130: the second service evaluates the sources according to their most relevant reputation DB and finds a match with a high score (e.g., some of the sources are known to be bad-reputation bot sources). The trigger for the third service, as defined by the workflow rule, is a detection of such high score. The third service provides a mitigation action such as, for example, via implementation of Distributed ACLs; Para. 0107: A conditional workflow rule may be defined using the following exemplary syntax: IF <event <network-entities> <attributes>> <exp.p> <logical operator> <event [attributes]> <exp.p> <scope> . . . THEN <action(s)>; Para. 0110: The rule can further defines one or more Boolean operators, such as OR, AND, NOT, AND-THEN (AND-THEN which defines a time dependency between events). The action parameter defines at least one action to be performed if the rule is satisfied. The action may be, for example, a start service, a stop service; Para. 0094: The security applications unit 210 includes a plurality of security applications 511-1 through 511-n (hereinafter referred to collectively as security applications 511)(detection, investigation and mitigation are launched one after another).
Yet, Chesla does not explicitly teach a non-transitory memory configured to store at least threat model data and receiving at least a threat model.
However, in the same field of endeavor, Jones teaches a non-transitory memory configured to store at least threat model data (Jones: Para. 0012: the memory of the apparatus may store further executable instructions that in response to execution by the processor cause the apparatus to further implement a reporter. In this regard, the reporter may be configured to generate a report from the threat analysis, and including an organized arrangement of at least some of the attributes of at least some of the components, data flows or cybersecurity threat; Para. 0065: The threat-model DFD storage may be resident with the threat analyzer, or may be separate from and in communication with the threat analyzer, and in some examples may correspond to threat-model DFD storage 310)—the threat-model DFD and its metadata again being formatted and stored in any of a number of different manners; Para. 0071: the reporter 500 may include a report generator 502 coupled to one or more storage such as a DFD storage 504, threat-model DFD storage 506 and/or threat analysis storage 508) and receiving at least a threat model (Jones: Para. 0027: The DFD level establishment system 104 may be configured to assess various criteria of the information system to identify an appropriate level of threat model—threat-model data flow diagram (DFD); Para. 0065: The threat-DFD applicator may also be configured to receive a level n threat-model DFD for the information system—or in some examples the metadata attributes of the information system and cybersecurity threats for a level n threat-model DFD, such as from a threat-model DFD storage 412). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by Chesla to include a non-transitory memory configured to store at least threat model data and receiving at least a threat model as disclosed by Jones. One of ordinary skill in the art would have been motivated to make this modification in order to perform modeling and analysis of cybersecurity threats as suggested by Jones (Jones: Para. 0001). 
Yet, combination of Chesla and Jones does not explicitly teach wherein the second application is placed into a wait state until the first application has completed execution, and wherein the third application is placed into a wait state until the first application has completed execution and the second application has completed execution (Examiner interprets as an application is placed into a wait state until another application has completed execution).
However, in the same field of endeavor, Imanish teaches wherein the second application is placed into a wait state until the first application has completed execution, and wherein the third application is placed into a wait state until the first application has completed execution and the second application has completed execution (an application is placed into a wait state until another application has completed execution) (Imanish: Abstract: When access to a resource which is not granted to unsigned applications is requested during the execution of the application before the completion of the tamper check, the application is put in a wait state until the completion of the tamper check; Para. 0033: when the execution unit, in a process of executing the instructions included in the application program, 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include wherein the second application is placed into a wait state until the first application has completed execution, and wherein the third application is placed into a wait state until the first application has completed execution and the second application has completed as disclosed by Imanishi. One of ordinary skill in the art would have been motivated to make this modification in order to protect the system from attack as suggested by Imanishi (Imanish: Para. 0006). 
Regarding claim 2, 12 and 18, combination of Chesla, Jones and Imanish teaches the system of claim 1. In addition, Chesla further teaches wherein receiving, over the communications network, the at least one threat model includes: receiving, over the communications network, the at least one threat model which identifies a cybersecurity threat (Chesla: Para. 0016: receiving a plurality of signals from the plurality of security services, wherein each signal of the plurality of signals is generated with respect to a potential cyber-threat; Para. 0060: The north bound interface 240 interfaces between the security stack module 111 and one or more external systems (not shown). The external systems may include, for example, third party security analytics systems, security intelligence feeds, security portals, datacenter orchestration control systems, identity management systems, or any other system that can provide information to the security stack module 111; Para. 0121: At S740, various feeds received during the runtime of the application are received and analyzed. Such feeds may include signals (e.g., SoAs) generated by security services, risk intelligence feeds, and the like. The risk intelligence feeds may be provided by a security service configured to detect new threats or from external systems communicatively connected to the cyber-security system); wherein determining whether the performance of the orchestrated response is triggered based on the at least one threat generating at least one security event respective of the plurality of received signals; determining if the at least one security event satisfies the at least one workflow rule; Para. 0077: the correlation of various feeds is performed by a set of workflow (or correlation) rules which are processed and applied by a controller of a security application…… The workflow rules are set respective of the attacks that the cyber-security system 100 can handle. That is, in an exemplary implementation, a set of workflow rules is defined for each different type of threat; Para. 0073: the cyber-security system 100 is designed to activate/deactivate, and correlate between security applications in unit 210 and security services in the unit 220, in order to define, create, or otherwise program a robust solution for detecting and mitigating attacks against the protected entity. The sequence for activating, deactivating, and correlating the various functions and modules of the cyber-security system 100, is based on one or more workflow rules. In an embodiment, the detection, investigation and/or mitigation functions are performed in the system 100 based on at least one workflow rule defined to handle a certain threat; Para. 0099: An application checks if one and/or any combination of the received signals satisfy at least one event rule. The event rules are further correlated to check if they satisfy a workflow rule. Events that satisfy at least one workflow rule will trigger an action such as, but not limited to, a mitigation action, an investigation action, and so on), and wherein launching, when the performance of the orchestrated response is triggered, the first application, the second application, and the third application of the plurality of applications of the orchestrated response includes: launching, when the cybersecurity threat triggers the performance of the orchestrated response, the first application, the second application, and the third application of the plurality of applications of the orchestrated response (Chesla: Para. 0016: upon determining that the at least one security event satisfies the workflow rule, generating at least one action with respect to the potential cyber-threat; Para. 0106: The security events 630 are correlated by the security application 521 using the workflow rule 640. As noted above, security events 630 that satisfy at least one workflow rule 640 will trigger an action such as, but not limited to, a mitigation action, an investigation action, and so on. As an example, a workflow rule 640 can correlate between a reputation event and a user anomaly event. In an embodiment, the workflow rules 640 can be defined for the different phases of the operation of the system security application 521, i.e., a detection phase, an investigation phase, and a mitigation phase; Para. 0129: As a non-limiting example for the operation of the method disclosed herein, a security application includes a first security service configured to detect an abnormal activity, a second service configured to investigate the abnormal activity, and a third security service configured to mitigate an attack. Specifically, the first security service is configured to detect a range of source IP addresses from the Internet that are acting in an anomaly manner (e.g., seems like a “user-password” cracking brute force activities). A workflow rule defines that the first service is configured with indicates that, when suspicious sources are detected, the second security service is triggered; Para. 0130: the second service evaluates the sources according to their most relevant reputation DB and finds a match with a high score (e.g., some of the sources are known to be bad-reputation bot sources). The trigger for the third service, as defined by the workflow rule, is a detection of such high score. The third service provides a mitigation action such as, for example, via implementation of Distributed ACLs).
Regarding claim 3, 13, and 19, combination of Chesla, Jones and Imanish teaches the system of claim 2. In addition, Chesla further teaches wherein the predetermined sequence of the plurality of applications is a network's security plan for analyzing and responding to the particular cybersecurity threat (Chesla: Para. 0016: upon determining that the at least one security event satisfies the workflow rule, generating at least one action with respect to the potential cyber-threat; Para. 0106: The security events 630 are correlated by the security application 521 using the workflow rule 640. As noted above, security events 630 that satisfy at least one workflow rule 640 will trigger an action such as, but not limited to, a mitigation action, an investigation action, and so on. As an example, a workflow rule 640 can correlate between a reputation event and a user anomaly event. In an embodiment, the workflow rules 640 can be defined for the different phases of the operation of the system security application 521, i.e., a detection phase, an investigation phase, and a mitigation phase; Para. 0129: As a non-limiting example for the operation of the method disclosed herein, a security application includes a first security service configured to detect an abnormal activity, a second service configured to investigate the abnormal activity, and a third security service configured to mitigate an attack. Specifically, the first security service is configured to detect a range of source IP addresses from the Internet that are acting in an anomaly manner (e.g., seems like a “user-password” cracking brute force activities). A workflow rule defines that the first service is configured with indicates that, when suspicious sources are detected, the second security service is triggered; Para. 0130: the second service evaluates the sources according to their most relevant reputation DB and finds a match with a high score (e.g., some of the sources are known to be bad-reputation bot sources). The trigger for the third service, as defined by the workflow rule, is a detection of such high score. The third service provides a mitigation action such as, for example, via implementation of Distributed ACLs).
 Regarding claim 10, combination of Chesla, Jones and Imanish teaches the system of claim 1. In addition, Chesla further teaches providing input to the second application from the first application (Chesla: Para. 0129: As a non-limiting example for the operation of the method disclosed herein, a security application includes a first security service configured to detect an abnormal activity, a second service configured to investigate the abnormal activity, and a third security service configured to mitigate an attack. Specifically, the first security service is configured to detect a range of source IP addresses from the Internet that are acting in an anomaly manner (e.g., seems like a “user-password” cracking brute force activities). A workflow rule defines that the first service is configured with indicates that, when suspicious sources are detected, the second security service is triggered; Para. 0130: the second service evaluates the sources according to their most relevant reputation DB and finds a match with a high score (e.g., some of the sources are known to be bad-reputation bot sources). The trigger for the third service, as defined by the workflow rule, is a detection of such high score. The third service provides a mitigation action such as, for example, via implementation of Distributed ACLs).
Claim 5-8, 14-16 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Chesla in view of Jones and Imanish, and further in view of Thioux et al. US20170289191, hereinafter (Thioux). 
Regarding claim 5, 14 and 20, combination of Chesla, Jones and Imanish teaches the system of claim 1. 
Yet, the combination does not teach wherein launching the plurality of applications of the orchestrated response includes launching the plurality of applications of the orchestrated response within a predetermined depth level based on the predetermined sequence of execution of the plurality of applications.
However, in the same field of endeavor, Thioux teaches wherein launching the plurality of applications of the orchestrated response includes launching the plurality of applications of the orchestrated response within a predetermined depth level based on the predetermined sequence of execution of the plurality of applications (Thioux: Para. 0243:  the threat analysis engine 1260 may include one or more analysis engines 1264 for analyzing different types of data collected in the network emulator. To analyze the data, in some implementations the threat analysis engine 1260 may receive threat intelligence 1252 from, for example, the network security community. The threat intelligence 1252 may include, for example, descriptions of current (e.g. for a given day or hour or minute) known network threats; Para. 0261: FIG. 14 illustrates an example of the operations of an analytic engine 1418. In various implementations, the analytic engine 1418 may include multiple analysis engines 1440. Each analysis engine 1440 may analyze a different type of data; Para. 0262: the analytic engine 1418 includes a network protocol analysis engine 1442, a web-based network protocol analysis engine 1444, a file activity analysis engine 1446, and a log file analysis engine 1448. As discussed in further detail below, each of these analysis engines 1440 processes a different type of data; Para. 0296: the analysis engines described in FIGS. 15-18 may be launched by the analytic engine in a predetermined sequence. FIG. 19 illustrates an example of the order or sequence in which analysis engines 1940 a-1940 f can be run, as well as a correlation engine 1982 for correlating the results from the various analysis engines 1940 a-1940 f). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include wherein launching the plurality of applications of the orchestrated response includes launching the plurality of applications of the orchestrated response within a predetermined depth level based on the predetermined sequence of execution of the plurality of applications as disclosed by Thioux. One of ordinary skill in the art would have been motivated to make this modification in order to strengthen network defenses for harmful traffic as suggested by Thioux (Thioux: Para. 0002). 
Regarding claim 6 and 15, combination of Chesla, Jones and Imanish teaches the system of claim 1. 
In addition, Chesla teaches multiple applications (Para. 0094: The security applications unit 210 includes a plurality of security applications 511-1 through 511-n (hereinafter referred to collectively as security applications 511). 
Yet, the combination does not explicitly teach wherein the predetermined sequence of execution of the plurality of applications includes a decision in which one of a fourth application and a fifth application of the plurality of applications executes based on a result of an application that 
However, in the same field of endeavor, Thioux teaches wherein the predetermined sequence of execution of the plurality of applications includes a decision in which one of a fourth application or a fifth application of the plurality of applications executes based on a result of an application that executes before the fourth application and the fifth application in the predetermined sequence of execution of the plurality of applications (Thioux: Para. 0297: The result of the email header analysis can be provided to a file analysis engine and/or a log file analysis engine to determine whether attachments included in the suspect email are malicious. In contrast, should the email header analysis engine find nothing wrong with the email, then the file and log file analysis engines need not be run). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include wherein the predetermined sequence of execution of the plurality of applications includes a decision in which one of a fourth application and a fifth application of the plurality of applications executes based on a result of an application that executes before the fourth application and the fifth application in the predetermined sequence of execution of the plurality of applications as disclosed by Thioux. One of ordinary skill in the art would have been motivated to make this modification in order to strengthen network defenses for harmful traffic as suggested by Thioux (Thioux: Para. 0002).
Regarding claim 7 and 16, combination of Chesla, Jones, Imanish and Thioux teaches the system of claim 5. In addition, Thioux further teaches wherein the predetermined depth level is based on one or more of the plurality of applications of the orchestrated response, an amount of computing resources used by the plurality of applications, and preventing a previous application from completing before a subsequent application launches in the predetermined sequence of execution of the plurality of applications (Thioux: Para. 0270: This example network protocol analysis engine 1544 is also arranged modularly and hierarchically. A protocol analysis 1570 receives other network traffic 1524, and may conduct a first stage analysis of the network traffic 1524. For example, the protocol analysis 1570 may identify a network protocol associated with a packet or stream of packets. The protocol analysis 1570 may then invoke a sub-module designed to analyze packets for the identified network protocol. In this example, the network protocol analysis engine 1544 includes sub-modules for Simple Mail Transfer Protocol (SMTP) traffic 1572 (e.g., email), Server Message Block (SMB) traffic 1574 (e.g. resource sharing packets), and FTP traffic 1576. The sub-modules may each be assisted by one or more plugins 1582; Para. 0276: the web-based network protocol analysis engine's 1642 modules are arranged hierarchically). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include wherein the predetermined depth level is based on one or more of the plurality of applications of the orchestrated response, an amount of computing resources used by the plurality of applications, and preventing a previous application from completing before a subsequent application launches in the predetermined sequence of execution of the plurality of applications as disclosed by Thioux. One of ordinary skill in the art would have been motivated to make this modification in order to strengthen network defenses for harmful traffic as suggested by Thioux (Thioux: Para. 0002).
Regarding claim 8, combination of Chesla, Jones, Imanish and Thioux teaches the system of claim 6. In addition, Chesla further teaches launching, when the application that executes before the fourth application and the fifth application in the predetermined sequence of execution of the plurality of applications, the one of the fourth application or fifth application based on the result of the application that executes before the fourth application and the fifth application in the predetermined sequence of execution of the plurality of application (Chesla: Para. 0129: As a non-limiting example for the operation of the method disclosed herein, a security application includes a first security service configured to detect an abnormal activity, a second service configured to investigate the abnormal activity, and a third security service configured to mitigate an attack. Specifically, the first security service is configured to detect a range of source IP addresses from the Internet that are acting in an anomaly manner (e.g., seems like a “user-password” cracking brute force activities). A workflow rule defines that the first service is configured with indicates that, when suspicious sources are detected, the second security service is triggered; Para. 0130: the second service evaluates the sources according to their most relevant reputation DB and finds a match with a high score (e.g., some of the sources are known to be bad-reputation bot sources). The trigger for the third service, as defined by the workflow rule, is a detection of such high score. The third service provides a mitigation action such as, for example, via implementation of Distributed ACLs).
Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Chesla in view of Jones, Imanish and Thioux, and further in view of Benjamin et al. (US9081611 hereinafter Benjamin).
Regarding claim 9, combination of Chesla, Jones, Imanish and Thioux teaches the system of claim 8.
Yet, the combination does not teach exiting one of the fourth application or the fifth application that has not executed based on one of a status command or expiration of a predetermined amount of time.
However, in the same field of endeavor, Benjamin teaches exiting one of the fourth application or the fifth application that has not executed based on one of a status command or expiration of a predetermined amount of time (Benjamin: Col. 3, line 42-46: the task may be put into a wait mode. In some embodiments, the task may wait a predetermined time period. In other embodiments, the task may be put into a wait queue. After the wait time period ends and/or the task exits the wait queue). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include 


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LIN CHANG whose telephone number is (571)272-9998.  The examiner can normally be reached on Monday-Thursday 9AM-6PM EST Friday: Variable.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)-272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer 


/L.C./Examiner, Art Unit 2438                                                                                                                                                                                                       /TAGHI T ARANI/Supervisory Patent Examiner, Art Unit 2438