DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments

Applicant's arguments filed 12/9/2020 have been fully considered but they are not persuasive.
As to Applicant’s argument that, “The Office Action explicitly acknowledges that the combination of Jakobsson and Williams fails to disclose or suggest sending an indicator of compromise to a central computer for analysis…Satish makes no mention whatsoever of receiving any results data back from the central server, much less results data that includes ‘at least one of i) results of training a global model to detect the indicator of compromise or ii) information for refining a local model to detect the indicator of compromise” (Remarks, p. 9), the Examiner respectfully disagrees. As mentioned in the Office Action, Jakobsson does mention that a central authority is used in some cases (Jakobsson, [0003]). The endpoint device of Satish sends malware fingerprints to a central server, and in return the central server sends newly created malware signatures to the endpoint (Satish, 3:7-17). Therefore, the rejection is maintained.
Arguments directed to the newly added limitations concerning local and global models are addressed below.

Response to Amendment

Claims 1-24, 30, 41, and 42 have been cancelled.
Claims 25, 28, 29, 32, 33, 37, 40, and 43 have been amended.
Claims 45-47 have been added.
Claims 25-29, 31-40, and 43-47 are pending.

Claim Rejections - 35 USC § 112

In light of Applicant’s amendment and arguments, the previous 35 USC §112 rejection of claims 25-27 and 37-39 has been withdrawn.
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

Claim 46 is rejected under 35 U.S.C. 112(a) as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed 

The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


Claims 45-47 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

As to claim 45, it is not clear why the determination of indicator of compromise relies on a behavior that is inconsistent with a first behavior profile of a first entity group and is consistent with a second behavior profile of a second entity group. Does this mean if the behavior is inconsistent with the second behavior profile of the second entity 


Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 25-44 are rejected under 35 U.S.C. 103 as being unpatentable over US PG Pub. No. 2014/0047544 to Jakobsson in view of US PG Pub. No. 2015/0254555 to Williams, Jr. et al. (hereinafter Williams) in view of US Patent No. 8,365,283 to Satish et al. (hereinafter Satish).

As to claims 25, 37, and 43, Jakobsson teaches:
a.	Creating, by a multi-tier security framework, an entity group that includes a plurality of entities, wherein each one of the plurality of entities represent one of a user, a machine, and a service (determining properties of various entities at an individual and group (cluster) level) (Jakobsson, [0021, 0022, 0035, and 0042] and fig. 6).
b.	Creating, by a multi-tier security framework, a behavior profile for each one of the plurality of entities of the entity group (collected data is analyzed to detect similarities and patterns) (Jakobsson, [0030-0032] and Fig. 4 and Fig. 6).

Jakobsson teaches detecting anomalous behavior (Jakobsson, [0006]), but does not expressly define anomalous behavior in terms of entity and that entity’s group. However, in an analogous art, Williams teaches:
d. Detecting an indicator of compromise based on the behavior change of an entity compared with the behavior profile of at least one entity of the entity group (detecting user behavior divergent from the user’s group behavior) (Williams, [0215]).
Therefore, one of ordinary skill in the art at the time the invention was made would have been motivated to implement the malware detection of Jakobsson with the detection of anomalous behavior of a user as compared to that user’s group in order to accurately classify data with respect to possible malicious intent as suggested by Williams (Williams, [0003]).
Jakobsson as modified further teaches:
e.	Responsive to detecting the indicator of compromise, identifying a portion of data related to processing of the entity (identifying malware instances and taking remedial actions) (Jakobsson, [0021]).
Jakobsson as modified mentions using a central verifier as an option (Jakobsson, [0140]) and discusses prior art that transmits data to a central authority in a hacking attack scenario (Jakobsson, [0003]), but does not expressly mention sending an 
f.	Transmitting the portion of data to the central computer (transmitting fingerprints of a file (activity connected to the file) to the central server for further analysis) (Satish, 3:3-6).
Therefore, one of ordinary skill in the art at the time the invention was made would have been motivated to implement the malware detection of Jakobsson with the sending of fingerprints of suspected malware to a central authority of Satish in order to better identify mutating malware as suggested by Satish (Satish, 1:35-55).
g.	Transmitting the indicator of compromise and the identified portion of data to a central computer for analysis (transmitting fingerprints of a file (activity connected to the file) to the central server for further analysis) (Satish, 3:3-6).
h.	Receiving, from the central computer, result data associated with the analysis, the result data including at least one of i) results of training a global model to detect the indicator of compromise (updating known malware signatures (global) at the endpoint device in response to fingerprint analysis of a file by the central server) (Satish, 3:7-17 and 5:1-9) or ii) information for refining a local model to detect the indicator of compromise (individual user behavior, interactions (local) are used to refine the local model of malware detection) (Jakobsson, [0030-0032]).

As to claims 26 and 38, Jakobsson as modified teaches the processing occurs at a time prior to the detection of the indicator of compromise (determining properties of 

As to claims 27 and 39, Jakobsson as modified teaches the processing occurs at a time after the detection of the indicator of compromise (determining properties of various entities at an individual and group (cluster) level) (Jakobsson, [0021, 0022, 0035, and 0042] and fig. 6).

As to claims 28 and 40, Jakobsson as modified teaches the information for refining the local model comprises at least one of: i) information specifying a feature modification of the local model, ii) a modification to an algorithm of the local model (training and updating models inherently include removing a feature or adding a feature according to analysis results (looking at attachments, whether the communication is encrypted, sender/recipient, …)) (Williams, [0082] and Jakobsson, [0030-0032]).

As to claims 29 and 41, Jakobsson as modified teaches the feature modification for the local model comprises at least one of: i) removing a first feature from the local model, ii) prioritizing a second feature of the local model, or iii) adding a third feature to the local model (training and updating models inherently include removing a feature or adding a feature according to analysis results (looking at attachments, whether the communication is encrypted, sender/recipient, …)) (Williams, [0082] and Jakobsson, [0030-0032]).

As to claims 31 and 44, Jakobsson as modified teaches creating the entity group is performed responsive to receiving input from a user that specifies the plurality of entities belonging to the entity group (collecting and analyzing data of entities) (Jakobsson, [0025-0026, and 0037]).

As to claim 32, Jakobsson as modified teaches creating the entity group is automatically performed and populated with the plurality of entities based on a set of one or more attributes common to the plurality of entities (grouping and classifying of entities based on monitored data) (Jakobsson, [0021 and 0035]).

As to claim 33, Jakobsson as modified teaches creating the entity group is automatically performed and populated with the plurality of entities based on the plurality of entities previously showing similar behavior (grouping and classifying of entities based on monitored and past data) (Jakobsson, [0021, 0022, 0033-0035, and 0055-0058]).

As to claim 34, Jakobsson as modified teaches the created behavior profile for each one of the plurality of entities of the entity group includes a set of one or more features that are used to distinguish behavior between the plurality of entities (Jakobsson, [0030-0032], and claim 9).

As to claim 35, Jakobsson as modified teaches the created behavior profile for each one of the plurality of entities of the entity group includes a set of one or more features that are used to distinguish behavior of the created entity group as compared to behavior of a different entity group (Jakobsson, [0030]-[0032], [0049]-[0050], Fig.5, and claim 9).

As to claim 36, Jakobsson as modified teaches the set of features are extracted or derived from metadata and other items of interest including one or more of: network packets propagating to/from devices, log information, and flow based connection records (a log file that is used to record transactions, and browser history information determining what URLs a user has visited) (Jakobsson, [0142-0145]).

As to claim 45 as best understood, Jakobsson as modified teaches the entity group is a first entity group and the behavior profile is a first behavior profile, and wherein detecting the indicator of compromise based on the behavior change of the entity compared with the first behavior profile of the first entity group comprises determining that the behavior change is inconsistent with the first behavior profile and determining that the behavior change is consistent with a second behavior profile of a second entity group (if anomalous behavior is a detectable marker for malware, it remains a detectable marker for malware; the fact that the behavior might be normal under another entity group’s behavior profile does not make that behavior normal for the first entity group) (Jakobsson, [0030-0032]).

As to claim 46, the 112(a) rejection of the claim precludes the ability to properly reject its limitations over the prior art.

As to claim 47, Jakobsson as modified teaches detecting the indicator of compromise comprises determining that a compromise threshold has been exceeded for the entity, and wherein identifying the portion of data related to processing of the entity comprises identifying the portion of data related to processing that occurred after a trigger threshold is exceeded, the trigger threshold being lower than the compromise threshold (portions are identified and multiple thresholds can be established with regard to the indicator of compromise) (Jakobsson, [0021] and Williams, [0111-0112, 0137, and 0183]).
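The detection scheme the rejected claims recite (a behavior profile per entity group, a behavior change measured against the entity's own group, a trigger threshold below the compromise threshold, identification of the data processed after the trigger for transmission to a central computer, and the claim 45 case where the deviating behavior is consistent with another group's profile) as an added example in Python. This code is not from the application, the office action, or the Jakobsson, Williams or Satish references; the group names, feature names, counts and thresholds are constructed.

```python
# Added example (not the office action's or the cited references' code): a
# two-threshold, group-profile anomaly monitor with constructed sample values.
from dataclasses import dataclass, field
from statistics import mean, pstdev

@dataclass
class GroupProfile:
    name: str
    stats: dict  # feature -> (mean, std) over the group's members

def build_profile(name, member_histories):
    """Behavior profile of an entity group from its members' feature vectors."""
    stats = {}
    for feat in member_histories[0]:
        vals = [h[feat] for h in member_histories]
        stats[feat] = (mean(vals), pstdev(vals) or 1.0)  # std 0 -> 1 avoids /0
    return GroupProfile(name, stats)

def deviation(profile, record):
    """Largest absolute z-score of one record against a group profile."""
    return max(abs(record[f] - m) / s for f, (m, s) in profile.stats.items())

def consistent_groups(record, profiles, threshold):
    """Groups whose profile the record is consistent with (the claim 45 case)."""
    return [p.name for p in profiles if deviation(p, record) < threshold]

@dataclass
class EntityMonitor:
    entity: str
    group: GroupProfile
    trigger: float     # lower threshold: start retaining records
    compromise: float  # higher threshold: declare the indicator of compromise
    retained: list = field(default_factory=list)

    def observe(self, record):
        """Feed one record; return the payload for the central computer on IoC."""
        score = deviation(self.group, record)
        if score < self.trigger:
            self.retained.clear()  # back within profile: drop retained data
            return None
        self.retained.append(record)  # data processed after the trigger
        if score < self.compromise:
            return None
        payload = {"entity": self.entity, "group": self.group.name,
                   "ioc_score": round(score, 2), "data": list(self.retained)}
        self.retained.clear()
        return payload

# Constructed histories: two entity groups with different normal upload volume.
ENG = build_profile("engineering", [{"logins": 4, "mb_uploaded": 20},
                    {"logins": 6, "mb_uploaded": 30}, {"logins": 5, "mb_uploaded": 25}])
FIN = build_profile("finance", [{"logins": 5, "mb_uploaded": 400},
                    {"logins": 5, "mb_uploaded": 500}, {"logins": 5, "mb_uploaded": 450}])

def run_demo():
    mon = EntityMonitor("eng-07", ENG, trigger=2.0, compromise=6.0)
    records = [{"logins": 5, "mb_uploaded": 26},   # within profile
               {"logins": 5, "mb_uploaded": 40},   # trigger exceeded: retain
               {"logins": 6, "mb_uploaded": 450}]  # compromise exceeded: report
    return [mon.observe(r) for r in records]
```

The third record is flagged for the engineering entity even though `consistent_groups` shows it fits the finance profile, which is the point the examiner makes for claim 45.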

Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 25-29, 31-40, and 43-47 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-26 of U.S. Patent No. 10,212,176. Although the claims are not identical, the limitations of the patented application read on the limitations of the instant application. The limitations of the instant application are in a different order than the limitations of the parent patent. For example, dependent claim 2 of the patented application has been incorporated into claim 25 of the instant application (“creating the entity group is performed responsive to receiving input from a user that specifies the plurality of entities belonging to the entity group”).

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM S POWERS whose telephone number is (571)272-8573.  The examiner can normally be reached on M-F 7:30-17:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hadi Armouche can be reached on 571 270 3618.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.