DETAILED ACTION
I. Claims 1-34 have been examined.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim 18 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim does not fall within at least one of the four categories of patent eligible subject matter because claim 18 is directed to “computer readable medium”. On page 17, paragraph 92 of the Applicant’s Specification, examples of mediums are given, along with the language “may be realized, for example”; thus, the medium is not limited to statutory mediums and as such the “computer readable medium” is held to be non-statutory.  Amending the claim so as to designate the “computer readable medium” as non-statutory would overcome the rejection.
The broadest reasonable interpretation of a claim drawn to a computer readable medium (also called machine readable medium and other such variations) typically covers forms of non-transitory tangible media and transitory propagating signals per se in view of the ordinary and customary meaning of computer readable media, particularly when the specification is silent.  See MPEP 2111.01.  When the broadest reasonable interpretation of a claim covers a signal per se, the claim must be rejected under 35 U.S.C. § 101 as covering non-statutory subject matter.  See In re Nuijten, 500 F.3d 1346, 1356-57 (Fed. Cir. 2007) (transitory embodiments are not directed to statutory subject matter).  Appropriate correction is required.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-34 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by United States Patent Application Publication No. US 20180027006 A1 to Zimmerman et al., hereinafter Zimmerman.
Regarding claim 1, Zimmerman teaches a method for protecting a cloud computing platform against cyber-attacks, comprising: 
gathering cloud logs from a cloud computing platform (paragraph 101, “event logs, and the like of various cloud platforms”, paragraphs 108, 110, 120, 124, and 175); 

sequencing suspect indicators into attack sequences (paragraph 368); 
scoring each of the attack sequences with an attack score, wherein each attack is scored using a scoring model (paragraphs 158, 245, 426, 435, 436, and 438); 
and alerting on each attack sequence having a score higher than a predefined threshold (paragraphs 148, 149, 160, 179, 181 and 194). 
Regarding claim 2, Zimmerman teaches performing a mitigation action to mitigate a cyber-attack represented by each attack sequence having a score higher than a predefined threshold (paragraphs 148, 149, 160 and 166). 
Regarding claim 3, Zimmerman teaches wherein processing the cloud logs further comprises: normalizing the cloud logs (paragraph 424). 
Regarding claim 4, Zimmerman teaches wherein each of the plurality of detectors is configured to analyze the cloud logs to detect a different type of anomaly (paragraphs 110, 114, 128, 137, 142, 160, 172, 180, 185, 192, 194, 196, and 201). 
Regarding claim 5, Zimmerman teaches wherein analyzing the cloud logs to detect suspicious behavior further comprises: matching the cloud logs to threat intelligence information (paragraphs 114, 121, 122, 124, 131, and 181). 
Regarding claim 6, Zimmerman teaches wherein analyzing the cloud logs to detect suspicious behavior further comprises: detecting suspicious behavior using a set of preconfigured rules (paragraphs 12, 13, 110, 128, 172, 180, 185, 192, and 194). 
Regarding claim 7, Zimmerman teaches wherein analyzing the cloud logs to detect suspicious behavior further comprises: detecting suspicious behavior based on deviation from a normal behavior, wherein the normal behavior is generated based on a machine learning technique (paragraphs 128, 138, 172, 180, 185, 192, 194-196, 198 and 201). 
Regarding claim 8, Zimmerman teaches wherein the suspicious behavior is of or against a cloud entity (paragraphs 114, 121, 122, 124, 131, and 181). 
Regarding claim 9, Zimmerman teaches wherein sequencing suspect indicators into attack sequences further comprises: grouping suspect indicators related to the same suspicious activity into an activity record (paragraphs 114, 121, 123, 124, and 175). 
Regarding claim 10, Zimmerman teaches wherein the activity record includes information on the performed suspicious behaviors, the time period, and a reference to a respective suspect indicator indicative on the suspicious behavior (paragraphs 102, 116, 144, 145 and 151). 
Regarding claim 11, Zimmerman teaches wherein the scoring model is determined based on example attack sequences (paragraphs 110, 172, 175, and 180). 
Regarding claim 12, Zimmerman teaches wherein the historic example attack sequences include historic attack sequences classified as legitimate and simulated attack sequences (paragraphs 176, 211, 280, and 285). 
Regarding claim 13, Zimmerman teaches wherein the scoring model is based on at least one of: a risk score, a likelihood score, and a maliciousness score (paragraphs 158, 245 and 426). 
Regarding claim 14, Zimmerman teaches wherein the risk score relates to a sensitivity of a cloud entity, the likelihood entity defines likelihood of a suspect indicator or the whole sequence to occur in the cloud environment, the maliciousness score determines if a sequence represents a set of actions likely to be performed by an attacker (paragraphs 158, 245 and 426). 
Regarding claim 15, Zimmerman teaches wherein the scoring model is a supervised machine learning scoring model generated based on attack sequence examples (paragraphs 128, 138, 172, 180, 185, 192, 194-196, 198 and 201). 
Regarding claim 16, Zimmerman teaches wherein the attack sequence examples include labeled historic attacks sequences, wherein the labels may be any one of: 
Regarding claim 17, Zimmerman teaches wherein the attack sequence examples include simulated attacks, generated by an attack simulator (paragraphs 431 and 571). 
Regarding claim 18, Zimmerman discloses a computer readable medium having stored thereon instructions for causing processing circuitry to execute a process for cloud computing platform against cyber-attacks, the process comprising: 
gather cloud logs from a cloud computing platform (paragraph 101, “event logs, and the like of various cloud platforms”, paragraphs 108, 110, 120, 124, and 175); 
analyze, by a plurality of detectors, the cloud logs to detect at least one suspicious behavior, wherein each of the at least one suspicious behavior is identified by a suspect indicator (paragraphs 117 and 137); 
sequence suspect indicators into attack sequences (paragraph 368); 
score each of the attack sequences with an attack score, wherein each attack is scored using a scoring model (paragraphs 158, 245, 426, 435, 436, and 438); 
and alert on each attack sequence having a score higher than a predefined threshold (paragraphs 148, 149, 160, 179, 181 and 194). 
Regarding claim 19, Zimmerman discloses a system for cloud computing platform against cyber-attacks, comprising: 
a processing system (paragraph 597); 
and a memory (paragraph 597), 

gather cloud logs from a cloud computing platform (paragraph 101, “event logs, and the like of various cloud platforms”, paragraphs 108, 110, 120, 124, and 175); 
analyze, by a plurality of detectors, the cloud logs to detect at least one suspicious behavior, wherein each of the at least one suspicious behavior is identified by a suspect indicator (paragraphs 117 and 137); 
sequence suspect indicators into attack sequences (paragraph 368); 
score each of the attack sequences with an attack score, wherein each attack is scored using a scoring model (paragraphs 158, 245, 426, 435, 436, and 438); 
and alert on each attack sequence having a score higher than a predefined threshold (paragraphs 148, 149, 160, 179, 181 and 194). 
Regarding claim 20, Zimmerman discloses wherein the system is further configured to: perform a mitigation action to mitigate a cyber-attack represented by each attack sequence having a score higher than a predefined threshold (paragraphs 148, 149, 160 and 166). 
Regarding claim 21, Zimmerman discloses wherein the system is further configured to: normalize the cloud logs (paragraph 424). 
Regarding claim 22, Zimmerman discloses wherein each of the plurality of detectors is configured to analyze the cloud logs to detect a different type of anomaly (paragraphs 
Regarding claim 23, Zimmerman discloses wherein the system is further configured to: match the cloud logs to threat intelligence information (paragraphs 114, 121, 122, 124, 131, and 181). 
Regarding claim 24, Zimmerman discloses wherein the system is further configured to: detect suspicious behavior using a set of preconfigured rules (paragraphs 12, 13, 110, 128, 172, 180, 185, 192, and 194). 
Regarding claim 25, Zimmerman discloses wherein the system is further configured to: detect suspicious behavior based on deviation from a normal behavior, wherein the normal behavior is generated based on a machine learning technique (paragraphs 128, 138, 172, 180, 185, 192, 194-196, 198 and 201). 
Regarding claim 26, Zimmerman discloses wherein the suspicious behavior is of or against a cloud entity (paragraphs 114, 121, 122, 124, 131, and 181). 
Regarding claim 27, Zimmerman discloses wherein the system is further configured to: group suspect indicators related to the same suspicious activity into an activity record (paragraphs 114, 121, 123, 124, and 175). 
Regarding claim 28, Zimmerman discloses wherein the activity record includes 
Regarding claim 29, Zimmerman discloses wherein the scoring model is determined based on example attack sequences (paragraphs 110, 172, 175, and 180). 
Regarding claim 30, Zimmerman discloses wherein the scoring model is based on at least one of: a risk score, a likelihood score, and a maliciousness score (paragraphs 158, 245 and 426). 
Regarding claim 31, Zimmerman discloses wherein the risk score relates to a sensitivity of a cloud entity, the likelihood entity define likelihood of a suspect indicator or the whole sequence to occur in the cloud environment, the maliciousness score determines if a sequence represents a set of actions likely to be performed by an attacker (paragraphs 158, 245 and 426). 
Regarding claim 32, Zimmerman discloses wherein the scoring model is a supervised machine learning scoring model generated based on attack sequence examples (paragraphs 128, 138, 172, 180, 185, 192, 194-196, 198 and 201). 
Regarding claim 33, Zimmerman discloses wherein the attack sequence examples include labeled historic attacks sequences, wherein the labels may be any one of: 
Regarding claim 34, Zimmerman discloses wherein the attack sequence examples include simulated attacks, generated by an attack simulator (paragraphs 431 and 571).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The references cited on form PTO-892 are cited to further show the state of the art with respect to protecting cloud computing platforms.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEREMIAH L AVERY whose telephone number is (571)272-8627. The examiner can normally be reached on M-F 8:30am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild, can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see https://ppair-


/JEREMIAH L AVERY/Primary Examiner, Art Unit 2431