DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

	Claims 1-18 as submitted on 9/26/18 were considered.

Information Disclosure Statement
	The IDS submitted on 12/13/18 was considered.

Claim Objections
Claim 1 is objected to because of the following informalities:  
Claim 1 recites “correlation/alert generator” in line 7 and “correlation and alert generator” in line 19.  Applicant should choose one term or the other for consistency.  Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 14-18 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for pre-AIA the applicant) regards as the invention.
In claim 14, the limitation spanning lines 9-11 appears either to be missing some words, or applicant may have intended two limitations to be recited instead of one.  If the latter, a semicolon is needed at the end of line 9.  Clarification is requested.
Claims not specifically addressed are rejected by virtue of dependency.
Art rejection will be applied as best understood.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-18 are rejected under 35 U.S.C. 102(a)(1) and (a)(2) as being anticipated by Muddu et al (US 2017/0063900).

Claims 1 and 7:
	As per claim 1, Muddu discloses:
a computing device (abstract; paragraphs 139, 346, 742, and 743; Networked computer system having a security system to detect anomalies and threats on the network.  Any of the computing devices in the network can be considered the claimed computing device);
a network in communication with the computer device (abstract; paragraphs 139, 346, 742, and 743);
a baseline generation and monitoring system in communication with the network (abstract; paragraphs 346 and 348; Baseline and historical data generated so anomalies can be detected based on the baseline and historical data);
a correlation/alert generator in communication with the network (abstract; paragraphs 140, 145, 171, and 385; Detect and expose anomalies); and
a memory storing instructions that when executed (paragraph 743), cause the baseline generation and monitoring system to:
identify an employee of the enterprise that represents an elevated risk of contributing to the potential security breach where the computing device is associated with the employee (paragraphs 346-348 and 443; Employee monitored for anomalous behavior);
store a list of predetermined behaviors indicative of the potential security breach (paragraph 348; Threat indicators);
determine a baseline of the computing device behaviors (paragraphs 145 and 349; Machine learning means baseline and historical data are formed/determined so that anomalies can be detected);
monitor the computing device associated with the identified employee for occurrence of a behavior that exceeds the baseline (paragraphs 346-347);
monitor the behavior of the computing device for an occurrence of a second behavior that is related to the first behavior (paragraphs 346 and 350; Actual behavior is monitored with respect to anomalous behavior as well as projected behavior.  The actual behavior can be considered the claimed second behavior while anomalous or projected behavior can be considered the claimed first behavior); and
generate an alert using the correlation and alert generator if both the first behavior and second behavior occurs (paragraphs 149, 171, 335, and 346; Alert generated if actual behavior determined to be anomalous).

The rejection of claim 1 applies, mutatis mutandis, to claim 7.

Claim 14:
	Muddu discloses:
identifying an employee of the enterprise that represents an elevated risk of contributing to the potential security breach (paragraphs 346-348 and 443; Employee monitored for anomalous behavior);
providing a list of predetermined behaviors indicative of the potential security breach (paragraph 348; Threat indicators);
storing network activity of the employee in an event log (paragraphs 346 and 443; Historical data logged);
determining a baseline of the behaviors indicative of the potential security breach comprising at least one of: email activity, process activity, installations, register modifications, new proxy connections, new user agents, new user connections, new source authorizations, new attempted accesses, or new outbound data connections (paragraphs 346, 441-443, and 611);
generating a whitelist of network activities from the network activity (paragraphs 349, 564, and 611; Baseline and dynamic whitelist created); 
developing use cases based on cyber-attack methodology (paragraphs 349-350; Detect anomalies and determine security threats based on evaluation of detected anomalies); 
monitoring the network activity (abstract and paragraphs 349-350);
detecting a network activity that is not included on the whitelist of activities (paragraph 350; Detect anomaly, i.e. activities outside of the observed baseline and historical data of acceptable activities);
comparing the detected activity to the use cases (paragraphs 346 and 350-351; Compare event data to anomaly models);
upon detection of network activity that satisfies a use case, monitoring the network activity for activity that satisfies a second use case that is related to the first use case (paragraphs 346 and 350-352; Plurality of anomaly models are used to analyze event data); and
generating an alert if network activity compares to at least one second use case (paragraphs 149, 171, 335, 346, and 349; Threat indicators).
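The claim 14 sequence above (baseline whitelist, use cases, a related second use case, then an alert), as an added illustration in Python that is not part of the application, this Office action, or the Muddu reference; the event kinds, whitelist entries, use cases, relations and the sample event log are all constructed for the example:

```python
# Illustration of the claimed two-stage correlation: activity not on the whitelist is
# compared to use cases; a satisfied first use case arms monitoring for a related
# second use case, and only the pair raises an alert. All names here are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    user: str    # employee the activity is attributed to
    kind: str    # e.g. "proxy_connection", "outbound_data", "user_agent"
    target: str  # destination or value observed


# Constructed whitelist of (kind, target) pairs learned during the baseline period.
WHITELIST = {("proxy_connection", "intranet.example"), ("outbound_data", "backup.example")}

# Constructed use cases: name -> predicate applied to a non-whitelisted event.
USE_CASES = {
    "new_proxy": lambda e: e.kind == "proxy_connection",
    "new_outbound": lambda e: e.kind == "outbound_data",
    "new_user_agent": lambda e: e.kind == "user_agent",
}
# Constructed attack-methodology relations: first use case -> related second use cases.
RELATED = {"new_user_agent": {"new_proxy"}, "new_proxy": {"new_outbound"}}


def correlate(events):
    """Return (user, first_use_case, second_use_case) alerts, in detection order."""
    armed = {}   # user -> set of first use cases already satisfied for that user
    alerts = []
    for e in events:
        if (e.kind, e.target) in WHITELIST:
            continue                                   # baseline activity, ignore
        matched = {name for name, pred in USE_CASES.items() if pred(e)}
        if not matched:
            continue                                   # off-whitelist but no use case
        for first in armed.get(e.user, set()):         # second use case related to a first?
            for second in matched & RELATED.get(first, set()):
                alerts.append((e.user, first, second))
        armed.setdefault(e.user, set()).update(matched)  # arm monitoring for related cases
    return alerts


# Constructed sample event log: alice triggers the related pair, bob only unrelated cases.
SAMPLE_EVENTS = [
    Event("alice", "proxy_connection", "intranet.example"),  # whitelisted, skipped
    Event("alice", "proxy_connection", "unknown.example"),   # first use case: new_proxy
    Event("bob", "outbound_data", "paste.example"),          # new_outbound, nothing armed
    Event("bob", "user_agent", "curl/7.0"),                  # not related to new_outbound
    Event("alice", "outbound_data", "paste.example"),        # related second: alert
]


def run_sample():
    return correlate(SAMPLE_EVENTS)
```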


Claims 2, 12, and 15:
	As per claim 2, Muddu further discloses wherein the baseline of user activity is determined for at least one of: email activity, process activity, installations, register modifications, new proxy connections, new user agents, new user connections, new source authorizations, new attempted accesses, or new outbound data connections (paragraph 443 and Fig 47G).
The rejection of claim 2 applies, mutatis mutandis, to claims 12 and 15.

Claim 3:
	Muddu further discloses an event log which stores a history of computing device activity (paragraphs 346 and 443).

Claim 8:
	Muddu further discloses storing network activity associated with the employee in an event log (paragraphs 346 and 443).

Claims 4, 9, and 16-17:
	As per claim 4, Muddu further discloses instructions that when executed, cause the baseline generation and monitoring system to:
normalize the computing device activity stored in the event log (Fig 54A; paragraphs 274, 524, and 540; Raw data is normalized); and
generate a whitelist of activities from the normalized computing device activity (paragraphs 540-541 and 611; Baseline and dynamic white list created).

The rejection of claim 4 applies, mutatis mutandis, to claims 9 and 16-17.

Claim 10:
	Muddu further discloses wherein the step of monitoring network activity associated with the employee for occurrence of any of the behaviors comprises:
monitoring the network activity (abstract); and
detecting an activity related to behaviors indicative of the potential security breach that is not included on the whitelist of activities (paragraphs 540, 541, and 611; Increased activity to site xyz.com, which is not on the list of benign entities, is detected and flagged as a possible security risk/anomaly/breach).


Claims 5, 11, and 18:
	As per claim 5, Muddu further discloses instructions that cause the baseline generation and monitoring system to:
analyze a data feed comprising asset inventory information to identify new assets (Fig 47G and paragraphs 563 and 611; New identified nodes added to graph); and
add activities related to deploying these new assets to the whitelist of activities (paragraph 611; Dynamic white list has a new site added if the new site is determined to be benign).

The rejection of claim 5 applies, mutatis mutandis, to claims 11 and 18.

Claims 6 and 13:
	Muddu further discloses wherein the baseline of user activity is determined for at least one of: email activity, process activity, installations, register modifications, new proxy connections, new user agents, new user connections, new source authorizations, new attempted accesses, or new outbound data connections (paragraphs 441-442 and 611).


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PONNOREAY PICH whose telephone number is (571)272-7962.  The examiner can normally be reached on M-F 9am-5pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

/PONNOREAY PICH/Primary Examiner, Art Unit 2495