DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Election/Restrictions
Applicant’s election without traverse of Group I in the reply filed on 1/12/21 is acknowledged.  Although Applicant did not specifically state the election is without traverse, the lack of an argument dictates the election is without traverse.  
Applicant elected claims 1-8 and 16-20, canceled non-elected claims 9-15, and added claims 21-27.  The claims 1-8 and 16-27 are pending.

Information Disclosure Statement
	The information disclosure statement (IDS) submitted on 6/22/18 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Examiner’s Notes
	Claim 16 limitations “a system” and “a processor” have not been interpreted under 35 U.S.C. 112, sixth paragraph, because the non-structural terms are preceded by a structural modifier or are known by one skilled in the art as denoting a type of structural device. 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-8 and 16-27 are rejected under 35 U.S.C. 103 as being unpatentable over Jordan et al. (US Pub No. 2015/0088868 – Published 3/26/2015) in view of Baikalov et al. (US Pub No. 2016/0226905 – Published 8/4/2016).

With respect to claim 1, Jordan teaches a method comprising: 
receiving a record in a first timeframe (e.g., receiving event in a current sliding window ¶ 0049-0043); 
establishing a plurality of threat [vectors] for the record (e.g., having a plurality of attributes or tags such as “Kazy” attacks for identifying threats to the record ¶ 0044 & 0048); 
merging the plurality of threat [vectors] to the record (e.g., superimposing the attributes to the event ¶ 0044-0046); 
generating a risk valuation for the record based on the plurality of threat [vectors] (e.g., having a plurality of attributes or tags for teaching of risk valuation, such as an “Exploit Kit” ¶ 0044 & 0048); 
merging the risk valuation to the record to form a risk event (e.g., superimposing the attributes to the event ¶ 0048 & Fig. 5); and 
storing the risk event in a computer-readable data store (e.g., storing the event, each having unique attribute collection of cross relationship ¶ 0046).  
Jordan teaches the receiving and analyzing of event records with a plurality of threats but does not explicitly disclose a plurality of threat vectors.  However, Baikalov, in the same field of endeavor, teaches a plurality of threat vectors (i.e., applying threat indicators and threat scores @ Figs 2-3 and Risk Score with different categories of risk score and risk factor @ Fig. 9 and ¶ 0027-0028).  Therefore, based on Jordan in view of Baikalov, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Baikalov in the system of Jordan in order to reliably identify threats and evaluate threat risks within an organization’s IT infrastructure while minimizing false positive alerts (¶ 0007).  Jordan in combination with Baikalov teaches the claim limitations as a whole.

	With respect to claim 2, Jordan further teaches wherein the record comprises a derived key (e.g., event record with matching derived keys (tuples) ¶ 0030).  

	With respect to claim 3, Jordan further teaches wherein the derived key is a source IP, a destination IP, a protocol, or a combination thereof (e.g., derived tuple fields may be a source address/port, destination address/port, and protocol combination or a subset of the tuple ¶ 0038).  

	With respect to claim 4, Jordan further teaches wherein the record comprises a plurality of events and attribute-value pairs in the first timeframe which share the derived key (e.g., all messages may be parsed into pairing of attribute and its data into an attribute-value pairing ¶ 0037-0038).  



	With respect to claim 6, Jordan further teaches further comprising notifying a user of the risk event if the risk valuation of the risk event is above a predetermined threshold value (e.g., presenting the view to the user ¶ 0048-0049 and after a message is parsed, creating a threshold, the attribute-value pairings of that message may be added into the summary window for viewing by the user ¶ 0044).  

	With respect to claim 7, Baikalov further teaches further comprising optimizing each threat vector of the plurality of threat vectors based on machine learning (e.g., dynamically updating a risk score @ Col. 9, lines 61-67).  

	With respect to claim 8, Baikalov further teaches wherein the risk valuation corresponds to a joint-distribution probability of the threat vectors merged to the record (e.g., applying probability to the threat vectors ¶ 0027-0028).  

With respect to claim 16, Jordan teaches a device comprising: 
a system that receives or retrieves a plurality of events in a sliding window (e.g., a system for receiving event in a current sliding window ¶ 0049-0043); 
a processor (e.g., ¶ 0025-0026) that forms a plurality of security events by: 
merging each event sharing an IP-couple-pair into a record to form a plurality of records (e.g., normalization and merging of events ¶ 0037-008 with each event sharing a derived key tuple such as source address/port and destination address ¶ 0030 & 0038); 
merging a plurality of threat factors to each record of the plurality of records (e.g., superimposing attributes to the event ¶ 0044-0046); and 
merging a risk [score] to each record of the plurality of records based on the threat factors present in the respective record of the plurality of records to form the plurality of security events (e.g., having a plurality of attributes or tags for teaching of risk being merged with the events, such as an “Exploit Kit” ¶ 0044, and superimposing the attributes to the event ¶ 0048 & Fig. 5); and 
a computer readable data store that stores the plurality of security events (e.g., storing the event, each having unique attribute collection of cross relationship ¶ 0046).  
Jordan teaches the receiving and analyzing of event records with a plurality of threats and risk in general but does not explicitly disclose a risk score.  However, Baikalov, in the same field of endeavor, teaches a risk score (i.e., applying threat indicators and threat scores @ Figs 2-3 and Risk Score with different categories of risk score and risk factor @ Fig. 9 and ¶ 0027-0028).  Therefore, based on Jordan in view of Baikalov, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Baikalov in the system of Jordan in order to reliably identify threats and evaluate threat risks within an organization’s IT infrastructure while minimizing false positive alerts (¶ 0007).  Jordan in combination with Baikalov teaches the claim limitations as a whole.

	With respect to claim 17, Jordan further teaches wherein each of the events has a source IP and a destination IP, and wherein events having the same source IP and the same destination IP have a same 

	With respect to claim 18, the references above further teach further comprising a monitor adapted to display the plurality of security events (e.g., presenting to the user @ Jordan ¶ 0048 and Baikalov ¶ 0035 & Fig. 9).

	With respect to claim 19, the references above further teach wherein the monitor displays a predetermined number of the security events of the plurality of security events, each of the predetermined number of the security events having the highest risk score and being sorted by risk score (e.g., Baikalov ¶ 0035 & Figs. 8-9).  

With respect to claim 20, the references above further teach wherein the monitor displays the record, the IP-couple-pair, the risk score, the plurality of threat factors, or a combination thereof for each security event of the predetermined number of the security events (e.g., displaying the fetched results to the user @ Jordan ¶ 0048-0049 and Baikalov ¶ 0035 & Figs. 8-9).  

With respect to claim 21, Jordan teaches a method comprising: 
receiving a record (e.g., receiving event in a current sliding window ¶ 0049-0043); 
establishing a threat [vector] for the record (e.g., having a plurality of attributes or tags such as “Kazy” attacks for identifying threats to the record ¶ 0044 & 0048);  
merging the threat [vector] to the record (e.g., superimposing the attributes to the event ¶ 0044-0046);
generating a risk valuation for the record based on the threat [vector] (e.g., having a plurality of attributes or tags for teaching of risk valuation, such as an “Exploit Kit” ¶ 0044 & 0048);  
merging the risk valuation to the record to form a risk event (e.g., superimposing the attributes to the event ¶ 0048 & Fig. 5); and
providing a notification if the risk valuation is above a threshold value (e.g., presenting the view to the user ¶ 0048-0049 and after a message is parsed, creating a threshold, the attribute-value pairings of that message may be added into the summary window for viewing by the user ¶ 0044).    
Jordan teaches the receiving and analyzing of event records with a plurality of threats but does not explicitly disclose a plurality of threat vectors.  However, Baikalov, in the same field of endeavor, teaches a plurality of threat vectors (i.e., applying threat indicators and threat scores @ Figs 2-3 and Risk Score with different categories of risk score and risk factor @ Fig. 9 and ¶ 0027-0028).  Therefore, based on Jordan in view of Baikalov, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Baikalov in the system of Jordan in order to reliably identify threats and evaluate threat risks within an organization’s IT infrastructure while minimizing false positive alerts (¶ 0007).  Jordan in combination with Baikalov teaches the claim limitations as a whole.

	With respect to claim 22, Jordan further teaches comprising storing the risk event in a computer-readable data store (e.g., data may be stored in a document-based datastore ¶ 0028).  

	With respect to claim 23, Jordan further teaches receiving a first event; and deriving a key for the first event, the key comprising a first source IP and a first destination IP, wherein the record comprises the first event and the key (e.g., deriving keys (tuple) prior to indexing and storage ¶ 0030-0038).  

	With respect to claim 24, Jordan further teaches receiving a second event; deriving the key for the first event, the key comprising the first source IP and the first destination IP; and superimposing the second event into the record (e.g., deriving keys for subsequent new events ¶ 0040-0041).  

	With respect to claim 25, Jordan further teaches wherein the record comprises a plurality of events and attribute-value pairs which share a derived key, the derived key comprising at least one of a source IP, a destination IP, or a protocol (e.g., plurality of events sharing the derived key containing source address/port, destination address/port, and protocol combination or a subset of the tuple ¶ 0038).  

	With respect to claim 26, the references above further teach comprising: increasing a count when an attribute is detected in the record; and establishing the threat vector when the count reaches a second threshold value (e.g., keeping a count to establish a threat when the count is above a certain threshold @ Baikalov ¶ 0036).  

	With respect to claim 27, Jordan further teaches comprising: increasing a count when an attribute is detected in the record; and altering the threat vector based on the count (e.g., using a count to correlate threat indicator ¶ 0036).
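The claimed pipeline (claims 1-8, 16-20 and 21-27 as mapped above: merge events sharing a derived source/destination/protocol key within a sliding window into a record, establish threat vectors from attribute counts against a threshold, value risk as a joint probability over the established vectors, merge the risk into the record to form a stored risk event, notify above a threshold, and rank the top events by risk) can be illustrated end to end. The following is an added example written for this page; it is not code from the application, from Jordan or from Baikalov. The events, the threat-factor table, the per-attribute count thresholds and probabilities, and the independence assumption used for the joint probability are all constructed for illustration.

```python
from collections import Counter

# Constructed sample events: parsed log messages already reduced to
# attribute-value pairs, with a timestamp used for the sliding window.
EVENTS = [
    {"ts": 1,  "src_ip": "10.0.0.5", "dst_ip": "203.0.113.9",  "proto": "tcp", "sig": "exploit_kit_landing"},
    {"ts": 2,  "src_ip": "10.0.0.5", "dst_ip": "203.0.113.9",  "proto": "tcp", "sig": "exploit_kit_landing"},
    {"ts": 3,  "src_ip": "10.0.0.5", "dst_ip": "203.0.113.9",  "proto": "tcp", "sig": "kazy_beacon"},
    {"ts": 4,  "src_ip": "10.0.0.7", "dst_ip": "198.51.100.2", "proto": "udp", "sig": "dns_query"},
    {"ts": 9,  "src_ip": "10.0.0.7", "dst_ip": "198.51.100.2", "proto": "udp", "sig": "dns_query"},
    {"ts": 40, "src_ip": "10.0.0.5", "dst_ip": "203.0.113.9",  "proto": "tcp", "sig": "kazy_beacon"},
]

# Hypothetical threat factors (constructed): attribute value ->
# (count needed before the threat vector is established, probability the
# attribute indicates a real threat).  The count threshold is the "second
# threshold value" of claim 26; the probability feeds the risk valuation.
THREAT_FACTORS = {
    "exploit_kit_landing": (1, 0.8),
    "kazy_beacon": (2, 0.6),
    "dns_query": (5, 0.05),
}


def derive_key(event):
    """Derived key (claims 3, 23, 25): source IP, destination IP, protocol."""
    return (event["src_ip"], event["dst_ip"], event["proto"])


def merge_window(events, window_start, window_len):
    """Merge every event in the sliding window that shares a derived key
    into one record holding the events and a per-attribute count."""
    records = {}
    for ev in events:
        if not (window_start <= ev["ts"] < window_start + window_len):
            continue
        key = derive_key(ev)
        rec = records.setdefault(key, {"key": key, "events": [], "counts": Counter()})
        rec["events"].append(ev)
        rec["counts"][ev["sig"]] += 1
    return records


def establish_threat_vectors(record, factors=THREAT_FACTORS):
    """Establish a threat vector for each attribute whose count in the
    record has reached that attribute's count threshold (claims 26-27)."""
    vectors = {}
    for attr, count in record["counts"].items():
        if attr in factors:
            needed, probability = factors[attr]
            if count >= needed:
                vectors[attr] = probability
    return vectors


def risk_valuation(vectors):
    """Joint-distribution risk (claim 8): probability that at least one
    established vector is a true threat, assuming the vectors are
    independent (an assumption made for this example)."""
    p_all_benign = 1.0
    for p in vectors.values():
        p_all_benign *= 1.0 - p
    return round(1.0 - p_all_benign, 4)


def build_risk_events(events, window_start=0, window_len=30, notify_threshold=0.5):
    """Form risk events for one window, store them, and collect the ones
    whose risk exceeds the notification threshold (claims 6 and 21)."""
    store, notifications = [], []
    for key, rec in merge_window(events, window_start, window_len).items():
        vectors = establish_threat_vectors(rec)
        risk_event = {
            "key": key,
            "event_count": len(rec["events"]),
            "threat_vectors": vectors,
            "risk": risk_valuation(vectors),
        }
        store.append(risk_event)              # computer-readable data store
        if risk_event["risk"] > notify_threshold:
            notifications.append(risk_event)  # user notification
    return store, notifications


def top_n(store, n=1):
    """Predetermined number of highest-risk events, sorted by risk (claim 19)."""
    return sorted(store, key=lambda e: e["risk"], reverse=True)[:n]


if __name__ == "__main__":
    stored, alerts = build_risk_events(EVENTS)
    for ev in top_n(stored, 2):
        print(ev)
    print("notify:", [a["key"] for a in alerts])
```

With the default 30-unit window the two exploit-kit events establish one vector for the 10.0.0.5 record, so its risk is 0.8 and it alone crosses the notification threshold; the two DNS queries stay below their count threshold and the 10.0.0.7 record scores 0. Widening the window to 60 brings the second "kazy_beacon" event in, establishes the second vector, and raises the joint risk to 1 - (0.2 × 0.4) = 0.92, which is the count-driven alteration of the threat vector that claim 27 describes.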
 
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.


Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, CARL COLIN can be reached on (571) 272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/CHAU LE/Primary Examiner, Art Unit 2493