DETAILED ACTION
This communication is in response to applicant’s amendment filed on January 11, 2021.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of claims
Claims 1-24 are pending and are allowed.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with applicant’s representative Elizabeth A. Almeter (Reg. # 57,019) on 02/24/2021.

The application has been amended as follows: 
The claims have been amended as follows:
1.	(Currently Amended) A cyber event analysis and control computing platform, comprising:
	at least one processor;
	a communication interface communicatively coupled to the at least one processor; and

		receive indicator of compromise (IOC) data including a plurality of indicators of compromise;
		parse the received IOC data to extract IOC parameters specific to each indicator of compromise; 
		compare the extracted IOC parameters to previously identified IOC parameters;
		identify, based on the comparing, IOC parameters for evaluation;
		identify one or more first level linkages for each IOC parameter identified for evaluation, the first level linkages including first additional parameters associated with each IOC parameter;
		evaluate each identified first level linkage of the one or more first level linkages to determine whether the identified first level linkage is associated with a previously unidentified threat;
		in response to determining that a first level linkage is associated with a previously unidentified threat:
			retrieve a listing of executed blocks;
			generate a new block related to the previously unidentified threat;
			execute the generated new block; 
			update the listing of executed blocks; and
		identify one or more second level linkages for each additional parameter associated with each IOC parameter, the one or more second level linkages including second additional parameters associated with each first additional parameter.



3. 	(Original) The cyber event analysis and control computing platform of claim 1, wherein the IOC parameters include at least one of: domain name, email address, and IP address.

4.	(Previously Presented) The cyber event analysis and control computing platform of claim 1, wherein comparing the extracted IOC parameters to previously identified IOC parameters and identifying, based on the comparing, IOC parameters for evaluation further includes:
	comparing the extracted IOC parameters to previously identified IOC parameters stored in a database;
	determining, based on the comparing, whether each extracted IOC parameter matches an IOC parameter stored in the database;
	responsive to determining that each extracted IOC parameter matches an IOC parameter stored in the database, receiving additional IOC data for analysis; and
	responsive to determining that each extracted IOC parameter does not match IOC parameters stored in the database, storing each IOC parameter not matching an IOC parameter stored in the database and identifying each IOC not stored in the database for evaluation.

5.	(Original) The cyber event analysis and control computing platform of claim 1, wherein the IOC data is received in text format.



7.	(Previously Presented) The cyber event analysis and control computing platform of claim 6, wherein determining whether each identified first level linkage is associated with a false positive is performed using machine learning.

8.	(Original) The cyber event analysis and control computing platform of claim 1, further including instructions that, when executed, cause the cyber event analysis and control computing platform to:
	predict a future IOC based on machine learning.

9.	(Currently Amended) A method, comprising:
	at a computing platform comprising at least one processor, memory, and a communication interface:
		receiving, by the at least one processor and via the communication interface, indicator of compromise (IOC) data including a plurality of indicators of compromise;
		parsing, by the at least one processor, the received IOC data to extract IOC parameters specific to each indicator of compromise; 
		comparing, by the at least one processor, the extracted IOC parameters to previously identified IOC parameters;

		identifying, by the at least one processor, one or more first level linkages for each IOC parameter identified for evaluation, the first level linkages including first additional parameters associated with each IOC parameter;
		evaluating, by the at least one processor, each identified first level linkage of the one or more first level linkages to determine whether the identified first level linkage is associated with a previously unidentified threat;
		in response to determining that a first level linkage is associated with a previously unidentified threat:
			retrieving, by the at least one processor, a listing of executed blocks;
			generating, by the at least one processor, a new block related to the previously unidentified threat;
			executing, by the at least one processor, the generated new block; 
			updating, by the at least one processor, the listing of executed blocks; and
		identifying, by the at least one processor, one or more second level linkages for each additional parameter associated with each IOC parameter, the one or more second level linkages including second additional parameters associated with each first additional parameter.

10.	(Original) The method of claim 9, wherein the listing of executed blocks includes controls to prevent access to communication with or from at least one of: an email address, a domain name and an Internet protocol (IP) address.



12.	(Previously Presented) The method of claim 9, wherein comparing the extracted IOC parameters to previously identified IOC parameters and identifying, based on the comparing, IOC parameters for evaluation further includes:
	comparing the extracted IOC parameters to previously identified IOC parameters stored in a database;
	determining, based on the comparing, whether each extracted IOC parameter matches an IOC parameter stored in the database;
	responsive to determining that each extracted IOC parameter matches an IOC parameter stored in the database, receiving additional IOC data for analysis; and
	responsive to determining that each extracted IOC parameter does not match an IOC parameter stored in the database, storing each IOC parameter not matching an IOC parameter stored in the database and identifying each IOC not stored in the database for evaluation.

13.	(Original) The method of claim 9, wherein the IOC data is received in text format.

14.	(Previously Presented) The method of claim 9, wherein evaluating each identified first level linkage of the one or more first level linkages to determine whether the identified first level linkage is associated with a previously unidentified threat further includes determining whether each identified first level linkage is associated with a false positive.



16.	(Original) The method of claim 9, further including predicting, by the at least one processor, a future IOC based on machine learning.	

17.	(Currently Amended) One or more non-transitory computer-readable media storing instructions that, when executed by a computing platform comprising at least one processor, memory, and a communication interface, cause the computing platform to:
	receive indicator of compromise (IOC) data including a plurality of indicators of compromise;
	parse the received IOC data to extract IOC parameters specific to each indicator of compromise; 
	compare the extracted IOC parameters to previously identified IOC parameters;
	identify, based on the comparing, IOC parameters for evaluation;
	identify one or more first level linkages for each IOC parameter identified for evaluation, the first level linkages including first additional parameters associated with each IOC parameter;
	evaluate each identified first level linkage of the one or more first level linkages to determine whether the identified first level linkage is associated with a previously unidentified threat;
	in response to determining that a first level linkage is associated with a previously unidentified threat:
		retrieve a listing of executed blocks;

		execute the generated new block; 
		update the listing of executed blocks; and
	identify one or more second level linkages for each additional parameter associated with each IOC parameter, the one or more second level linkages including second additional parameters associated with each first additional parameter.

18.	(Original) The one or more non-transitory computer-readable media of claim 17, wherein the listing of executed blocks includes controls to prevent access to communication with or from at least one of: an email address, a domain name and an Internet protocol (IP) address.

19. 	(Original) The one or more non-transitory computer-readable media of claim 17, wherein the IOC parameters include at least one of: domain name, email address, and IP address.

20.	(Previously Presented) The one or more non-transitory computer-readable media of claim 17, wherein comparing the extracted IOC parameters to previously identified IOC parameters and identifying, based on the comparing, IOC parameters for evaluation further includes:
	comparing the extracted IOC parameters to previously identified IOC parameters stored in a database;
	determining, based on the comparing, whether each extracted IOC parameter matches an IOC parameter stored in the database;

	responsive to determining that each extracted IOC parameter does not match IOC parameters stored in the database, storing each IOC parameter not matching an IOC parameter stored in the database and identifying each IOC not stored in the database for evaluation.

21.	(Original) The one or more non-transitory computer-readable media of claim 17, wherein the IOC data is received in text format.

22.	(Previously Presented) The one or more non-transitory computer-readable media of claim 17, wherein evaluating each identified first level linkage of the one or more first level linkages to determine whether the identified first level linkage is associated with a previously unidentified threat further includes determining whether each identified first level linkage is associated with a false positive.

23.	(Previously Presented) The one or more non-transitory computer-readable media of claim 22, wherein determining whether each identified first level linkage is associated with a false positive is performed using machine learning.

24.	(Original) The one or more non-transitory computer-readable media of claim 17, further including instructions that, when executed, cause the computing platform to:
predict a future IOC based on machine learning.
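As an added illustration of the pipeline recited in independent claims 1, 9 and 17 (receive and parse text IOC data, compare against previously identified parameters, enrich each new parameter with first-level linkages, block any linkage judged a previously unidentified threat while keeping a listing of executed blocks, then collect second-level linkages), the following Python is the editor's own example and is not the applicant's code or part of this office action. The feed lines, the known-IOC database, the linkage table and the maliciousness verdicts are all constructed stand-ins: the claims do not say how linkages are obtained (passive DNS, WHOIS, mail headers, etc.) or how a linkage is judged a threat (claims 6-7 only mention a false-positive check, optionally by machine learning), so those parts are assumptions here.

```python
"""Illustrative IOC-linkage pipeline (editor's example; not the applicant's code)."""
import ipaddress
import re

# Constructed sample IOC feed in text format (cf. claim 5): one "kind: value" per line.
SAMPLE_IOC_TEXT = """\
# constructed feed, not real threat intelligence
domain: evil-update.example
ip: 203.0.113.7
email: billing@evil-update.example
domain: known-bad.example
ip: not-an-address
"""

# Constructed stand-in for the database of previously identified IOC parameters (cf. claim 4).
KNOWN_IOC_DB = {("domain", "known-bad.example")}

# Constructed enrichment table: parameter -> parameters associated with it (assumption;
# stands in for the passive-DNS / WHOIS / mail-header lookups the claims leave unspecified).
LINKAGES = {
    ("domain", "evil-update.example"): [("ip", "203.0.113.7"), ("email", "admin@evil-update.example")],
    ("ip", "203.0.113.7"): [("domain", "evil-update.example"), ("domain", "evil-cdn.example")],
    ("email", "billing@evil-update.example"): [("domain", "evil-update.example")],
    ("email", "admin@evil-update.example"): [("domain", "evil-archive.example")],
    ("domain", "evil-cdn.example"): [("ip", "198.51.100.9")],
}

# Constructed verdicts: linkages an analyst or classifier (cf. claims 6-7) judged malicious.
ASSESSED_MALICIOUS = {("ip", "203.0.113.7"), ("domain", "evil-cdn.example")}

LINE_RE = re.compile(r"^(domain|ip|email):\s*(\S+)$", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[^@\s]+@([a-z0-9-]+\.)+[a-z0-9-]+$")
DOMAIN_RE = re.compile(r"^([a-z0-9-]+\.)+[a-z0-9-]+$")


def valid(kind, value):
    """Reject malformed indicators so feed garbage never turns into a block."""
    if kind == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if kind == "email":
        return EMAIL_RE.match(value) is not None
    return DOMAIN_RE.match(value) is not None


def parse_ioc_text(text):
    """Parse the text feed into (kind, value) IOC parameters (claim 1: parse / extract)."""
    params = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, value = m.group(1).lower(), m.group(2).lower()
        if valid(kind, value):
            params.append((kind, value))
    return params


def select_for_evaluation(params, known_db):
    """Compare against the known-IOC database; store and return only the new parameters (claim 4)."""
    selected = []
    for p in params:
        if p in known_db:
            continue  # already identified: nothing new to evaluate
        known_db.add(p)
        selected.append(p)
    return selected


def generate_block(kind, value):
    """Turn a threat parameter into a control that prevents communication with it (cf. claim 10)."""
    control = {
        "ip": f"firewall: deny any <-> {value}",
        "domain": f"dns: sinkhole {value}",
        "email": f"mail: reject sender {value}",
    }[kind]
    return {"kind": kind, "value": value, "control": control}


def run_pipeline(text, known_db, linkages, malicious, executed_blocks):
    """Claim-1 flow end to end. Returns (listing of executed blocks, second-level linkages)."""
    params = select_for_evaluation(parse_ioc_text(text), known_db)
    second_level = {}
    for p in params:
        for link in linkages.get(p, []):  # first-level linkages of this IOC parameter
            # evaluate: a previously unidentified threat is one judged malicious and not yet blocked
            already_blocked = any((b["kind"], b["value"]) == link for b in executed_blocks)
            if link in malicious and not already_blocked:
                executed_blocks.append(generate_block(*link))  # generate, execute, update the listing
            # second-level linkages: the parameters associated with each first additional parameter
            second_level.setdefault(link, linkages.get(link, []))
    return executed_blocks, second_level


if __name__ == "__main__":
    blocks, second = run_pipeline(SAMPLE_IOC_TEXT, set(KNOWN_IOC_DB), LINKAGES, ASSESSED_MALICIOUS, [])
    for b in blocks:
        print(b["control"])
    for link, more in second.items():
        print(link, "->", more)
```

The listing of executed blocks is both an input and an output of `run_pipeline`, so re-running the same feed against the same database and listing produces no duplicate controls: the known-IOC comparison filters the parameters and the listing check filters the linkages.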


REASON FOR ALLOWANCE
The following is an examiner’s statement of reasons for allowance:
In interpreting the currently amended claims, in light of the specification as well as the arguments presented in the response filed on 01/11/2021, the examiner finds the claimed invention to be patentably distinct from the prior art of record. None of the prior art of record, individually or in combination, explicitly teaches or fairly suggests each and every limitation of the claims as amended by the applicant.
The closest prior art of record, Neumann (US Pat. No. 9,654,485 A1), discloses a method and system for detecting and analyzing network security events. The system detects behavioral characteristics from event logs received from network devices, identifies behavioral fragments composed of related behavioral characteristics, identifies an attack by correlating the behavioral fragments against patterns of known malicious attacks, performs a learning process to enhance further detection of attacks, and performs one or more remedial actions when an attack is identified.
Freedman et al. (US Pat. No. 9,942,253 B2) discloses a method and system for collecting live operational data from network devices, including a variety of data types, categories and protocols, and correlating them to form a multi-dimensional picture of network activity and health. The system is implemented in a lossless manner, meaning that it retains all raw data rather than summarizing or aggregating prior to storage. In this way, the system provides a combination of precise, actionable information in real time as well as a complete forensic data store for detailed exploratory analysis.
Powers (US Pat. No. 9,083,741 B2) discloses a network defense system that provides network sensor infrastructure and a framework for managing and executing advanced cyber security algorithms. The system manages the collection and storage of filtered network traffic information, application of algorithms to the collected data, visualization of the results, and alteration of network security policies in response to identified threats.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Linglan Edwards whose telephone number is (571)270-5440.  The examiner can normally be reached from 8:00am to 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B Patel, can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from 






/LINGLAN E EDWARDS/Primary Examiner, Art Unit 2491