DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Claim Rejections - 35 USC § 112
The previously raised rejection under 35 U.S.C. § 112(b) to claim 11 has been overcome by Applicant’s amendment and is therefore withdrawn.

Claim Rejections - 35 USC § 103
Applicant’s arguments filed on 1/8/2021, directed at the amended claims submitted on 1/8/2021, were considered but are moot in view of the new rejections made below in response to the latest amendments by Applicant.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the 


Claims 1, 7, 11, 13, and 15-17 are rejected under 35 U.S.C. 103 as being unpatentable over Lang (US 2015/0269383), and further in view of Potok (US 2006/0265748).

Regarding claim 1, Lang teaches A method for monitoring security policy violations in a computer network (see [0472]: “Incident Monitoring is done by CMP [component]-PMR and CMP-PDPs. CMP-PDPs generate alerts based on incidents, (e.g. requests being blocked because they violate the policy)”), the method comprising:
(a) creating a rule corresponding to a security policy (see [0467]: “Low-level rules are automatically generated (from "high-level" policy models) by CMP-MDS”. The Examiner interprets a low-level rule and a high-level policy model as a rule and a security policy recited in claim 1, respectively.  And see abstract: “receives a policy input indicating a high-level policy for the IT system where the policy input is compliant with the at least one policy function and is received in a format that is not machine-enforceable at an enforcement entity of the IT system, based on the received policy input, automatically or semi-automatically generates a machine-enforceable rule”. 
And see [1179]: “Policy 3: police users using the Police User Interface device is allowed access to resources on the Aggregation Server if within 70% temporal (requestor task time window & resource time window) and operational (i.e. requestor task's target & resource's target) proximity to the resource”. The Examiner interprets Policy 3 in [1179] as a security policy recited in claim 1. And see [1186]-[1195]: “Policy 3 is generated as follows: (Proximity.operational (requestor, resource) >70%) AND (Proximity.temporal (requestor, resource)>70%)) AND (requestor.node.name=="Police User Interface") AND (resource.node.name=="Aggregation Server"): ALLOW (further refined to:) (CMP-CS1 (CMP-MS1 (CMP-ASS1), ASS3-item-2)<1) AND (CMP-CS3 (CMP-MS2 (CMP-MS1 (CMP-ASS1)), ASS3-item-3), "CMP-CS3.time-window-difference")<30% AND (requestor.node.name=="Police User Interface") AND (resource.node.name=="Aggregation Server"): ALLOW”. The Examiner interprets the technical rule (CMP-CS1 (CMP-MS1 (CMP-ASS1), ASS3-item-2)<1) AND (CMP-CS3 (CMP-MS2 (CMP-MS1 (CMP-ASS1)), ASS3-item-3), "CMP-CS3.time-window-difference")<30% AND (requestor.node.name=="Police User Interface") AND (resource.node.name=="Aggregation Server"): ALLOW in [1186]-[1195] generated from the policy “police users using the Police User Interface device is allowed access to resources on the Aggregation Server if within 70% temporal (requestor task time window & resource time window) and operational (i.e. requestor task's target & resource's target) proximity to the resource” in [1179] as a rule created corresponding to a security policy recited in claim 1.
And see [0509]: “Rule elements, for example, are refined by CMP-MDS using rule refinement templates, which describe how certain policy rule elements should be refined into other rule elements. For example, the template could specify that a rule element (proximity, numerical_operator, percentage) can be refined into a ((proximity_operational_task, numerical_operator, number of hops) AND (proximity_temporal_time_point, numerical_operator, hours difference))”. And see [1269]: “Explicitly which attribute source configurations are specified by other percentages (for example, 70% mission proximity could be defined for time and geo sources as "within 72 h" and "at least 25% area overlap")”. And see [0609] and [0613]: “access can be granted to requestors: …to all nodes that are in proximity to a node the requestor has explicit access to (e.g. if the requestor has access to a "criminal record" node, access is also granted to all nodes that have edges with properties "interacted_with" one hop from that node”. Also see [0954]-[0959], [1043]-[1044], [1047]-[1052] and Fig. 53, [1282]-[1291], [1067], [0367] and [0427]); 
(b) determining a variable from the rule (see [0281]: “In PBAC [proximity based access control] embodiments, PDPs need to support policies based on quadruples (<attr1>, <atrtr2>, <calc_fn>, <value>), i.e. calculate the distance value (result) between two attributes attr1 and attr2 using the define calculation function. In the other, more elaborate architecture configurations below, the PDP acts as a central hub that processes the access rule, fetches attribute values, calls attribute mappers, calls calculation functions, compares the calculation result with the value in the policy, and grants/denies access”. The Examiner interprets an “attribute” contained in “the access rule” of [0281] as a variable from the rule recited in claim 1. Lang teaching fetching attribute values in [0281] inherently teaches determining an attribute (a variable) from the rule because an attribute value cannot be fetched without first determining which attribute (variable) to use), 
wherein the variable is enabled to be set to a plurality of values (see [0014]: “ABAC uses attributes to describe all the entities considered for access control, and access control rules that describe access requests using attribute key-value pairs (or key-value-value triples in PBAC, as explained below) and associated calculation functions (e.g. equal, subset, less, greater, subset, relationship/distance/proximity etc.). In yet other words, attributes associated with a subject, context, action or resource are inputs into the decision of whether that subject may access a given resource in a particular way”. And see [0261]: “COMPONENT "CMP-ASS" ( Attribute Source Services (also sometimes called Policy Information Points (PIPs)): These architectural components, which may be categorized as an example of a "Policy Feature Function" (PFF), provide attribute values. It can be implemented as a standalone data source service that takes a request--usually from a CMP-PDP--(e.g. get current time) and provide a result (e.g. current time)”. The attribute (the variable), e.g. current time, is enabled to be set to a plurality of values), and 
wherein the rule is violated or not violated conditional on the value of the variable (see [0472]: “Incident Monitoring is done by CMP-PMR and CMP-PDPs. CMP-PDPs generate alerts based on incidents, (e.g. requests being blocked because they violate the policy); or based on policy rules that trigger an alert action in addition to, or instead of grant/deny access etc. (such rules are like access control rules but trigger an alert instead of an access decision)”. And see [0281]: “In PBAC [proximity based access control] embodiments, PDPs need to support policies based on quadruples (<attr1>, <atrtr2>, <calc_fn>, <value>), i.e. calculate the distance value (result) between two attributes attr1 and attr2 using the define calculation function. In the other, more elaborate architecture configurations below, the PDP acts as a central hub that processes the access rule, fetches attribute values, calls attribute mappers, calls calculation functions, compares the calculation result with the value in the policy, and grants/denies access”. The Examiner interprets an “attribute” contained in “the access rule” of [0281] as a variable recited in claim 1. Lang teaches denying access requests or triggering alerts for access requests when the access requests violate a policy based on comparing a calculation result generated from attribute (variable) values with the value in the policy. Therefore, Lang teaches wherein the rule is violated or not violated conditional on the value of the variable); 
(e) evaluating the rule conditional on the value of the variable (see [0505]: “policies consist of rules, which themselves consist of rule elements. While rule elements involve more or less complex calculations on the attributes and the comparison value, each rule element as a whole usually evaluates to a Boolean TRUE/FALSE result. To construct a rule, several elements of a rule are combined using Boolean operators e.g. AND/OR. If the entire rule of Boolean statements is determined to be TRUE, the action is triggered, e.g. ALLOW/LOG/DENY)”. The Examiner interprets an “attribute” of [0505] as a variable recited in claim 1. And see [0281]: “In PBAC [proximity based access control] embodiments, PDPs need to support policies based on quadruples (<attr1>, <atrtr2>, <calc_fn>, <value>), i.e. calculate the distance value (result) between two attributes attr1 and attr2 using the define calculation function. In the other, more elaborate architecture configurations below, the PDP acts as a central hub that processes the access rule, fetches attribute values, calls attribute mappers, calls calculation functions, compares the calculation result with the value in the policy, and grants/denies access”. And see [0514]: “In more complex cases, such as the Proximity-Based Access Control (PBAC) embodiment, proximity calculations usually require two (or more) attribute sources, and yield one distance result that is …”. Lang teaches comparing a calculation result generated from attribute (variable) values with the value in the policy. Therefore, Lang teaches evaluating the rule conditional on the value of the variable. Also see [0470], [0472], [0015], [0708]-[0712]); 
(f) identifying a rule violation corresponding to the value of the variable and the rule (see [0472]: “Incident Monitoring is done by CMP-PMR and CMP-PDPs. CMP-PDPs generate alerts based on incidents, (e.g. requests being blocked because they violate the policy); or based on policy rules that trigger an alert action in addition to, or instead of grant/deny access etc. (such rules are like access control rules but trigger an alert instead of an access decision)”. And see [0505]: “policies consist of rules, which themselves consist of rule elements. While rule elements involve more or less complex calculations on the attributes and the comparison value, each rule element as a whole usually evaluates to a Boolean TRUE/FALSE result. To construct a rule, several elements of a rule are combined using Boolean operators e.g. AND/OR. If the entire rule of Boolean statements is determined to be TRUE, the action is triggered, e.g. ALLOW/LOG/DENY)”. The Examiner interprets an “attribute” of [0505] as a variable recited in claim 1. And see [0281]: “In PBAC [proximity based access control] embodiments, PDPs need to support policies based on quadruples (<attr1>, <atrtr2>, <calc_fn>, <value>), i.e. calculate the distance value (result) between two attributes attr1 and attr2 using the define calculation function. In the other, more elaborate architecture configurations below, the PDP acts as a central hub that processes the access rule, fetches attribute values, calls attribute mappers, calls calculation functions, compares the calculation result with the value in the policy, and grants/denies access”); 
(g) generating a security event corresponding to the rule violation (see [0472]: “Incident Monitoring is done by CMP-PMR and CMP-PDPs. CMP-PDPs generate alerts based on incidents, (e.g. requests being blocked because they violate the policy); or based on policy rules that trigger an alert action in addition to, or instead of grant/deny access etc. (such rules are like access control rules but trigger an alert instead of an access decision)”. The Examiner interprets an “alert” or an “incident” generated based on a request being blocked because it violates the policy taught in [0472] as a security event generated corresponding to the rule violation recited in claim 1. And see [1223]-[1226]: “A Police User Interface user requests access to historic Roadside CCTV footage covering an area inside the EU (for a 1 week time window 1 week ago) for a criminal analysis task covering the same area for a 1 week time window 4 weeks ago (assuming a per-data item labeling granularity for all data stored in the Aggregation Server): DENY, ALERT (reason: no proximity). An Advertiser User Interface user requests license plate numbers (assumed to be PII in this example) and associated criminal records for a certain geographic area: DENY, ALERT (reason: no interaction in CMP-FDS, and no proximity)”. Also see [1229] and [0996]); and 
(h) recording information representing the security event to a computer-readable storage medium (see [0472]: “Incident Monitoring is done by CMP-PMR and CMP-PDPs. CMP-PDPs generate alerts based on incidents, (e.g. requests being blocked because they violate the policy); or based on policy rules that trigger an alert action in addition to, or instead of grant/deny access etc. (such rules are like access control rules but trigger an alert instead of an access decision). Alerts include information that describes the nature of the event (e.g. like Syslog events), such as caller IP, caller ID, time, called IP, called ID, parameter values etc. CMP-PDPs send generated alerts to CMP-PMR, which holds a central policy monitoring repository. CMP-PMR collects, aggregates, consolidates, and analyzes incidents. CMP-PMR also displays alerts in a dashboard. CMP-PMR also exports alerts to 3rd party products, e.g. using Syslog format (e.g. intrusion detection systems, IDS)”. The Examiner interprets “CMP-PMR, which holds a central policy monitoring repository” collecting, aggregating and consolidating received alerts which “include information that describes the nature of the event” taught in [0472] as recording information representing the security event to a computer-readable storage medium).

Lang fails to teach (c) receiving a log representing packets of traffic transmitted via the computer network; (d) parsing the log to determine the value of the variable.
In the same field of endeavor, Potok teaches (c) receiving a log representing packets of traffic transmitted via the computer network (see [0039] and Fig. 2 reproduced below: “FIG. 2 shows some of the data fields that may be copied from the audit log for each event and put in memory as a single event record”. And see [0032]: “Network audit log software resides outside the network firewall so that any incoming packet that is suspect, i.e., triggers a flag, gets set aside without reaching the net of computers. In a large networked computer system, there may be a million such records that get set aside each day”. 

[Fig. 2 of Potok (media_image1.png, greyscale) is reproduced here in the original Office action.]

The Examiner interprets “the audit log” taught in [0039], which represents incoming packets that are suspect and are set aside by network audit log software as taught in [0032] and Fig. 2, as a log representing packets of traffic transmitted via the computer network. Because Potok teaches copying the data fields from “the audit log” (a log representing packets of traffic transmitted via the computer network) for each event in [0039], Potok inherently teaches receiving a log representing packets of traffic transmitted via the computer network (“the audit log”) because the data fields from “the audit log” cannot be copied without “the audit log” being received first); 
(d) parsing the log to determine the value of the variable (see [0034]-[0039]: “Step 1 involves determining at least the following information from each entry in a network audit log: … b) The time the event occurred, c) The IP address of the potential target, and d) The IP address of the potential intruder… The data extracted from the audit log includes two important pieces of information, the source IP address and the target IP address. The source IP address identifies the computer the intrusion came from, and the target IP address identifies the networked computer under possible attack”. The Examiner interprets determining information such as the source IP address and the target IP address “from each entry in a network audit log” taught in [0034]-[0039] as parsing the log to determine the value of the variable. Using the example shown in Fig. 2, the “Source IP” is the variable. And 63.76.192.107 is the value of the variable).

Both Lang and Potok teach the value of the variable. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Lang by adding the steps of (c) receiving a log representing packets of traffic transmitted via the computer network and (d) parsing the log to determine the value of the variable taught by Potok. It would have been obvious because doing so achieves the predictable result of obtaining the value of the variable used by the method of Lang.
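As an added illustration of the claim 1 method as the rejection maps it (a rule with one variable, a received packet log parsed for that variable's value, rule evaluation, security-event generation and recording), the following Python is example code written for this page; it is not code from the Office action, the application, or the Lang or Potok references. The log lines, the `198.51.100.0/24` "untrusted segment" policy and the `flag` field are constructed for the example, and an in-memory SQLite table stands in for the storage medium (the relational database of claim 13).

```python
import ipaddress
import re
import sqlite3
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed audit-log lines in a Potok-style per-event record layout
# (time, source IP, target IP, flag). Addresses come from the RFC 5737
# documentation ranges; nothing here is taken from any cited reference.
AUDIT_LOG = """\
2021-01-08T10:00:01Z src=198.51.100.7 dst=192.0.2.10 flag=PORTSCAN
2021-01-08T10:00:05Z src=203.0.113.4 dst=192.0.2.10 flag=NONE
2021-01-08T10:00:09Z src=198.51.100.7 dst=192.0.2.22 flag=PORTSCAN
2021-01-08T10:00:12Z src=192.0.2.31 dst=192.0.2.10 flag=NONE
this line is malformed and must be skipped rather than crash the monitor
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) src=(?P<source_ip>\S+) dst=(?P<target_ip>\S+) flag=(?P<flag>\S+)$"
)


@dataclass(frozen=True)
class Rule:
    """Steps (a)/(b): a rule created from a policy, naming the single
    variable it reads and the condition under which it is violated."""
    name: str
    variable: str
    violated: Callable[[str], bool]


# Hypothetical policy (an assumption of this example): hosts on the untrusted
# 198.51.100.0/24 segment may not reach internal targets, and no flagged
# (suspect) packet is acceptable.
UNTRUSTED = ipaddress.ip_network("198.51.100.0/24")


def from_untrusted(value: str) -> bool:
    try:
        return ipaddress.ip_address(value) in UNTRUSTED
    except ValueError:          # unparsable address: treat as not matching
        return False


RULES = [
    Rule("deny-untrusted-source", "source_ip", from_untrusted),
    Rule("deny-flagged-packet", "flag", lambda v: v != "NONE"),
]


def parse_log(text: str) -> List[Dict[str, str]]:
    """Steps (c)/(d): receive the log and parse each entry into the values
    of the variables (time, source_ip, target_ip, flag)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:                   # malformed entries are skipped
            records.append(m.groupdict())
    return records


def find_violations(records: List[Dict[str, str]], rules: List[Rule]) -> List[Dict[str, str]]:
    """Steps (e)-(g): evaluate every rule on every record and emit one
    security event per violation."""
    events = []
    for rec in records:
        for rule in rules:
            value = rec.get(rule.variable)
            if value is not None and rule.violated(value):
                events.append({
                    "time": rec["time"], "rule": rule.name,
                    "variable": rule.variable, "value": value,
                    "source_ip": rec["source_ip"], "target_ip": rec["target_ip"],
                })
    return events


def record_events(events: List[Dict[str, str]], conn: sqlite3.Connection) -> int:
    """Step (h): persist the events in a relational table; returns the row count."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS security_event ("
        "id INTEGER PRIMARY KEY, time TEXT, rule TEXT, variable TEXT, "
        "value TEXT, source_ip TEXT, target_ip TEXT)"
    )
    conn.executemany(
        "INSERT INTO security_event (time, rule, variable, value, source_ip, target_ip) "
        "VALUES (:time, :rule, :variable, :value, :source_ip, :target_ip)",
        events,
    )
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM security_event").fetchone()[0]


def monitor(log_text: str, rules: List[Rule]) -> Tuple[List[Dict[str, str]], int]:
    """Run the whole pipeline on one log; returns (events, rows stored)."""
    conn = sqlite3.connect(":memory:")
    events = find_violations(parse_log(log_text), rules)
    stored = record_events(events, conn)
    conn.close()
    return events, stored


if __name__ == "__main__":
    for ev in monitor(AUDIT_LOG, RULES)[0]:
        print(ev)
```

On the constructed log the two lines from `198.51.100.7` each violate both rules, so four events are generated and stored; the malformed fifth line is dropped by the parser instead of aborting the run, which is the behaviour a monitor fed with real, occasionally corrupt audit logs needs.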

Regarding claim 7, Lang further teaches wherein the variable represents an IP address (see [1227]: “Runtime policy decision making and enforcement by CMP-OSC (for the example scenario) supports Microsoft Windows firewall (as previously described). CMP-OSC generates Windows firewall rules that allow network connections between all interactions specified in the functional system description (cf. FIG. 43) Rule generation for all interactions has already been discussed above in the "Rule Generation" section. This is analogous, except the rule format is different, and the nodes are mapped to their IP addresses (this is trivial) so they can be enforced on the network layer”).

Regarding claim 11, Lang further teaches collecting statistical information related to a plurality of security events (see [0326]: “It is also noted that some of the analysis features provided by this component can also be used for statistical purposes (e.g. access statistics, incident statistics, emergent properties etc.)”. And see [0344]).

Regarding claim 13, Lang further teaches wherein the information representing the security event comprises an IP address or a host name (see [0472]: “Alerts include information that describes the nature of the event (e.g. like Syslog events), such as caller IP, caller ID, time, called IP, called ID, parameter values etc.”), and wherein recording the information comprises adding the information to a relational database (see [0472]: “Incident Monitoring is done by CMP-PMR and CMP-PDPs. CMP-PDPs generate alerts based on incidents, (e.g. requests being blocked because they violate the policy); or based on policy rules that trigger an alert action in addition to, or instead of grant/deny access etc. (such rules are like access control rules but trigger an alert instead of an access decision). Alerts include information that describes the nature of the event (e.g. like Syslog events), such as caller IP, caller ID, time, called IP, called ID, parameter values etc. CMP-PDPs send generated alerts to CMP-PMR, which holds a central policy monitoring repository. CMP-PMR collects, aggregates, consolidates, and analyzes incidents. CMP-PMR also displays alerts in a dashboard. CMP-PMR also exports alerts to 3rd party products, e.g. using Syslog format (e.g. intrusion detection systems, IDS)”).

Regarding claim 15, Lang further teaches receiving a network topology identifying one or more segments of the network (see [0312]: “COMPONENT "CMP-FDS" (Functional Description Sources): This component can provide a "functional system description", i.e. information about the functional features of the Protected SoS, to the MDS System. Examples of such information include software application interfaces, network addresses, instance identifiers, application information, network topology information”).

Regarding claim 16, Lang further teaches querying the security event against one or more classifying queries (see [1235]: “CMP-RAA uses several approaches to detect attacks: Firstly, it interacts with CMP-PMR to analyze the frequency and nature of alerts/incidents, in this case incidents caused by repeated "access denied" accesses to the same resource (indicating DoS/DDoS attacks or hacking attempts on a machine), and by repeated "access denied" accesses from the same resource (indicating hacking attempts from a machine). Furthermore, CMP-RAA monitors the frequency of accesses for each link by producing logging rules (like access rules, but with a "log" action instead of "allow" or "deny") for CMP-PDPs on all PII-marked Protected SoS nodes. In addition, CMP-RAA produces logging rules that collect useful attributes about requestors (e.g. geolocation, task, identity) and resource (e.g. type of requested information, geolocation associated with the requested information). It builds a model of "normal behavior" over time based on the collected information, and flags an alarm if any of the collected information is outside the "normal behavior"”. The Examiner interprets the collected information being outside the "normal behavior" as one or more classifying queries).

Regarding claim 17, Lang further teaches taking one or more specified actions based on the classifying query, wherein the one or more specified actions comprise sending an alert related to the security event (see [1235]: “CMP-RAA uses several approaches to detect attacks: Firstly, it interacts with … It builds a model of "normal behavior" over time based on the collected information, and flags an alarm if any of the collected information is outside the "normal behavior"”).

Claims 2-4 and 6 are rejected under 35 U.S.C. 103 as being unpatentable over Lang (US 2015/0269383), further in view of Potok (US 2006/0265748), and further in view of Chandrasekaran (US 2012/0109985).

Regarding claim 2, Lang modified in view of Potok fails to teach wherein the security event comprises a plurality of security events.
In the same field of endeavor, Chandrasekaran teaches wherein the security event comprises a plurality of security events (see [0064]: “A compound event definition (also referred to herein as a "compound event") specifies conditions that correlate multiple base events. According to the techniques described herein, a compound event may be used to represent a policy, where the policy is represented by the correlation conditions specified in the compound event and where the correlation conditions are evaluated to determine whether certain events are in compliance with the policy”. And see [0068]: “The attributes of a compound event are populated with attributes from the base events specified therein”. The Examiner interprets a compound event specifying conditions that correlate multiple base events as a security event comprising a plurality of security events recited in claim 2).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to let the security event taught by Lang modified in view of Potok comprise a plurality of security events, as taught by Chandrasekaran. It would have been obvious because Chandrasekaran teaches in [0065]: “In a compound event, the correlation of a base event with one or more base events that may have happened in the past, or one or more base events that have not yet occurred, may be of interest”.

Regarding claim 3, Chandrasekaran further teaches recording a time associated with each security event of the plurality of security events (see [0143]: “most compound event definitions may specify conditions for timestamp-based ordering of base events”).

Regarding claim 4, Lang further teaches checking for an anomaly (see [1235]: “CMP-RAA uses several approaches to detect attacks: Firstly, it interacts with CMP-PMR to analyze the frequency and nature of alerts/incidents, in this case incidents caused by repeated "access denied" accesses to the same resource (indicating DoS/DDoS attacks or hacking attempts on a machine), and by repeated "access denied" accesses from the same resource (indicating hacking attempts from a machine). Furthermore, CMP-RAA monitors the frequency of accesses for each link by producing logging rules (like access rules, but with a "log" action instead of "allow" or "deny") for CMP-PDPs on all PII-marked Protected SoS nodes. In addition, CMP-RAA produces logging rules that collect useful attributes about requestors (e.g. geolocation, task, identity) and resource (e.g. type of requested information, geolocation associated with the requested information). It builds a model of "normal behavior" over time based on the collected information, and flags an alarm if any of the collected information is outside the "normal behavior"”).

Regarding claim 6, Lang further teaches wherein checking for an anomaly comprises: (a) identifying a time period; (b) dividing the time period into a plurality of time bins; (c) assigning each of the plurality of security events to a corresponding time bin; (d) determining a number of security events assigned to each of the plurality of time bins; and (e) marking the time bin as anomalous if the number of security events assigned to the time bin does not fall within a user-defined event range; otherwise marking the time bin as not anomalous (see [0340]: “attack prediction can be based on simpler deciding factors, such as the frequency and nature of alerts/incidents. For example, certain (e.g. frequent) patterns of blocked access requests from certain nodes and/or users, and the implications of the attempted access, can be used by CMP-RAA to predict that an attack is in progress”).

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Lang (US 2015/0269383), further in view of Potok (US 2006/0265748), further in view of Chandrasekaran (US 2012/0109985), and further in view of Takemori (US 2004/0250169).

Regarding claim 5, Lang modified in view of Potok and Chandrasekaran does not explicitly teach wherein checking for an anomaly comprises: (a) identifying a time period; (b) dividing the time period into a plurality of time bins; (c) assigning each of the plurality of security events to a corresponding time bin; (d) determining a number of security events assigned to each of the plurality of time bins; (e) generating a predicted event range for a time bin of the plurality of time bins based on the pattern of security events assigned to each of the plurality of time bins earlier than the time bin; and (f) marking the time bin as anomalous if the number of security events assigned to the time bin does not fall within the predicted event range; otherwise marking the time bin as not anomalous.
In the same field of endeavor, Takemori teaches wherein checking for an anomaly comprises: (a) identifying a time period; (b) dividing the time period into a plurality of time bins; (c) assigning each of the plurality of security events to a corresponding time bin; (d) determining a number of security events assigned to each of the plurality of time bins; (e) generating a predicted event range for a time bin of the plurality of time bins based on the pattern of security events assigned to each of the plurality of time bins earlier than the time bin; and (f) marking the time bin as anomalous if the number of security events assigned to the time bin does not fall within the predicted event range; otherwise marking the time bin as not anomalous (see [0042]: “the log analysis section may comprise a threshold learning device that calculates a short term number of events, which is the number of a predetermined event contained in a predetermined unit time period in the logs, and an average value of a short term number of events for a plurality of the unit time periods, and a standard deviation value of a short term number of events for a plurality of the unit time periods, and determines whether or not an abnormality has occurred using a result obtained by dividing a difference between the short term number of events of a subject being investigated and the average value by the standard deviation value”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to let the checking for an anomaly taught by Lang comprise (a) identifying a time period; (b) dividing the time period into a plurality of time bins; (c) assigning each of the plurality of security events to a corresponding time bin; (d) determining a number of security events assigned to each of the plurality of time bins; (e) generating a predicted event range for a time bin of the plurality of time bins based on the pattern of security events assigned to each of the plurality of time bins earlier than the time bin; and (f) marking the time bin as anomalous if the number of security events assigned to the time bin does not fall within the predicted event range; otherwise marking the time bin as not anomalous, taught by Takemori. It would have been obvious because doing so predictably detects an anomaly.

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Lang (US 2015/0269383), further in view of Potok (US 2006/0265748), and further in view of Quentin (US 2017/0255939).

Regarding claim 8, Lang modified in view of Potok fails to teach associating a geographic coordinate with the IP address.
Quentin teaches associating a geographic coordinate with the IP address (see [0049]: “The location of a place can also be obtained by using an IP address (of an electronic payment terminal, a computer etc.)”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to let the method of Lang modified in view of Potok include the step of associating a geographic coordinate with the IP address taught by Quentin. It would have been obvious because doing so predictably achieves the commonly understood benefit of determining a geographic coordinate, which may indicate an anomaly.

Claims 9 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Lang (US 2015/0269383), further in view of Potok (US 2006/0265748), further in view of Quentin (US 2017/0255939), and further in view of Takemori (US 2004/0250169).

Regarding claim 9, Lang modified in view of Potok fails to teach (a) identifying a plurality of geographic regions; (b) associating each security event with a geographic region based on the geographic coordinate; (c) identifying a time period; (d) generating, an expected range of security events for the time period; and (e) determining that a number of security events occurring within the time period and associated with the geographic region lies outside the expected range.
However, Quentin teaches (a) identifying a plurality of geographic regions; (b) associating each security event with a geographic region based on the geographic coordinate; (c) identifying a time period; (d) generating, an expected range of security events for the time period; and (e) determining that a number of security events occurring within the time period and associated with the geographic region lies outside the expected range (see claim 1: “A method for detecting a risk of replacement, at a sales point, of an authentic electronic payment terminal by a fraudulent electronic payment terminal, receiving at least one piece of information on a location of said transaction; geographically associating said transaction with said sales point when said received information on location is substantially identical to that of said sales point, delivering a number of transactions geographically associated with said sales point; and generating an alert when the number of transactions geographically associated with said sales point is above a pre-determined threshold (Si)”. And see [0014]: “the alert indicates that, for a given period (a morning or the two hours preceding the alert), the number of transactions has exceeded a pre-determined threshold and that this can be an indication of an attempted fraud against the electronic payment terminal”. The Examiner interprets a transaction as a security event recited in claim 9 because a number of transactions geographically associated with a sales point being above a pre-determined threshold indicates a risk of replacement, at the sales point, of an authentic electronic payment terminal by a fraudulent electronic payment terminal (see abstract). In other words, a transaction is an event related to the security of the electronic payment terminal. The Examiner further interprets at or below a pre-determined threshold as an expected range of security events for the time period recited in claim 9).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to let the method of Lang modified in view of Potok include the steps of (a) identifying a plurality of geographic regions; (b) associating each security event with a geographic region based on the geographic coordinate; (c) identifying a time period; (d) generating, an expected range of security events for the time period; and (e) determining that a number of security events occurring within the time period and associated with the geographic region lies outside the expected range, taught by Quentin. It would have been obvious because Quentin teaches in abstract that “A method is provided for detecting a risk of replacement, at a sales point, of an authentic electronic payment terminal by a fraudulent electronic payment terminal. Wherein the method includes generating an alert 
Lang modified in view of Potok and Quentin fails to teach that the generated expected range of security events for the time period is generated, from a statistical distribution of past security events.
In the same field of endeavor, Takemori teaches that a generated expected range of security events for the time period is generated, from a statistical distribution of past security events (see [0042]: “the log analysis section may comprise a threshold learning device that calculates a short term number of events, which is the number of a predetermined event contained in a predetermined unit time period in the logs, and an average value of a short term number of events for a plurality of the unit time periods, and a standard deviation value of a short term number of events for a plurality of the unit time periods, and determines whether or not an abnormality has occurred using a result obtained by dividing a difference between the short term number of events of a subject being investigated and the average value by the standard deviation value”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to let the generated expected range of security events for the time period taught by Lang modified in view of Potok and Quentin be generated, from a statistical distribution of past security events, as taught by Takemori. It would have been obvious because Takemori teaches in [0017] that “because statistical analysis is performed on logs output successively in a large quantity from an intrusion detection system, it is possible to objectively evaluate the logs, for example, by taking the difference between characteristics of a short time period of the logs relative to characteristics (for example, an average value or the like) of a long time period of the logs as an abnormality value”.
When the above modification is made, Lang modified in view of Potok, Quentin and Takemori would teach (d) generating, from a statistical distribution of past security events associated with a geographic region of the plurality of geographic regions, an expected range of security events for the time period.
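The following is an added, constructed illustration of the combined steps (a) through (e) as read onto claim 9 above: events are bucketed by geographic region and time period, and the expected range for a period is derived from the mean and standard deviation of past per-period counts in the manner Takemori's [0042] describes. It is not code from Lang, Potok, Quentin or Takemori; the region bounding boxes, the sample events, the period length and the multiplier k are all assumptions chosen for the example.

```python
"""Added example (not from any cited reference): associate security events
with geographic regions, count them per unit time period, derive an expected
range from the statistical distribution of past per-period counts, and flag a
region whose current count lies outside that range."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Region:
    """A hypothetical rectangular region in latitude/longitude (constructed)."""
    name: str
    lat_min: float
    lat_max: float
    lon_min: float
    lon_max: float

    def contains(self, lat, lon):
        return (self.lat_min <= lat < self.lat_max
                and self.lon_min <= lon < self.lon_max)


# (a) identifying a plurality of geographic regions (constructed boxes)
REGIONS = [
    Region("west", 30.0, 50.0, -130.0, -100.0),
    Region("east", 30.0, 50.0, -100.0, -65.0),
]


def region_for(lat, lon):
    """(b) Associate a coordinate with a region; None if outside every box."""
    for r in REGIONS:
        if r.contains(lat, lon):
            return r.name
    return None


def bucket_counts(events, period_seconds):
    """(c) Count events per (region, period index).

    events: iterable of (unix_timestamp, lat, lon). Events that fall outside
    all regions are ignored rather than misattributed.
    """
    counts = defaultdict(int)
    for ts, lat, lon in events:
        name = region_for(lat, lon)
        if name is None:
            continue
        counts[(name, ts // period_seconds)] += 1
    return counts


def expected_range(past_counts, k=2.0):
    """(d) Expected range from the distribution of past per-period counts.

    Uses mean +/- k * standard deviation, with the lower bound floored at
    zero because a count cannot be negative. With all-identical history the
    standard deviation is zero and the range collapses to the mean.
    """
    mu = mean(past_counts)
    sigma = pstdev(past_counts)
    return max(0.0, mu - k * sigma), mu + k * sigma


def detect(events, period_seconds, current_period, history_periods, k=2.0):
    """(e) Per region, decide whether the current period's count lies outside
    the expected range derived from the history periods."""
    counts = bucket_counts(events, period_seconds)
    result = {}
    for r in REGIONS:
        past = [counts.get((r.name, p), 0) for p in history_periods]
        lo, hi = expected_range(past, k)
        now = counts.get((r.name, current_period), 0)
        result[r.name] = {"count": now, "low": lo, "high": hi,
                          "alert": not (lo <= now <= hi)}
    return result


def constructed_events():
    """Constructed sample: 'west' sees 1-3 events per hour for hours 0-9 and
    then 9 events in hour 10; 'east' sees exactly 1 event every hour; one
    event lies outside both regions and is dropped."""
    west_hist = [1, 2, 3, 2, 2, 1, 3, 2, 2, 2]
    events = []
    for hour, n in enumerate(west_hist + [9]):
        for i in range(n):
            events.append((hour * 3600 + i * 60, 40.0, -120.0))
    for hour in range(11):
        events.append((hour * 3600 + 30, 40.0, -80.0))
    events.append((5 * 3600, 10.0, 10.0))
    return events


if __name__ == "__main__":
    report = detect(constructed_events(), 3600,
                    current_period=10, history_periods=range(10))
    for name, row in report.items():
        print(name, row)
```

Running the block with the constructed sample flags the "west" region (9 events against an expected range of roughly 0.7 to 3.3 per hour) and leaves "east" unflagged; the k multiplier plays the role of the pre-determined threshold in the Quentin passage, but is derived from the observed history rather than fixed in advance.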

Regarding claim 10, Lang modified in view of Potok fails to teach generating a security alert indicating that the number of security events occurring within the time period and associated with the geographic region lies outside the expected range.
However, Quentin teaches generating a security alert indicating that the number of security events occurring within the time period and associated with the geographic region lies outside the expected range (see claim 1: “A method for detecting a risk of replacement, at a sales point, of an authentic electronic payment terminal by a fraudulent electronic payment terminal, wherein the method comprises the following acts for at least one transaction made: receiving at least one piece of information on a location of said transaction; geographically associating said transaction with said sales point when said received information on location is substantially identical to that of said sales point, delivering a number of transactions geographically associated with said sales point; and generating an alert when the number of transactions geographically associated with said sales point is above a pre-determined threshold (Si)”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to let the method of Lang modified in view of Potok include the step of generating a security alert indicating that the number of security events occurring within the time period and associated with the geographic region lies outside the expected range taught by Quentin. It would have been obvious because Quentin teaches in [0014]: “the alert indicates that, for a given period (a morning or the two hours preceding the alert), the number of transactions has exceeded a pre-determined threshold and that this can be an indication of an attempted fraud against the electronic payment terminal”. 

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Lang (US 2015/0269383), further in view of Potok (US 2006/0265748), and further in view of Frascadore (US 2014/0331277).

Regarding claim 12, Lang modified in view of Potok fails to teach generating a report based on the statistical information, wherein the report reflects at least one of a response rate, a number of security events per security policy, a number of security alerts per security policy, or a percentage of policies covered by rules.
In the same field of endeavor, Frascadore teaches generating a report based on the statistical information, wherein the report reflects … a response rate (see [0040]: “the results prioritizer 306 may prioritize the first and second defects accordingly (e.g., the first defect flagged to be addressed before the second defect) based on, for example, previous responses or rates of responses to similar defects”.  The rates of responses to similar defects is statistical information. And see [0047]: “At block 408, the example reporter 318 (FIG. 3) generates a report based on the compliance policy assessment”. And see [0039]: “The example compliance monitor 218 of FIG. 3 includes the example compliance measurer 304 to measure the extent to which a computing resource is adhering to compliance policies during operation. By measuring compliance, the example compliance measurer 304 may use a compliance policy as a metric for measuring the configuration quality of a computing resource. In addition, the example compliance measurer 304 may use a detected event, categorized as a gain or loss of compliance, to determine a normalized compliance score”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to let the method of Lang modified in view of Potok include the step of generating a report based on the statistical information, wherein the report reflects a response rate, .

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Lang (US 2015/0269383), further in view of Potok (US 2006/0265748), and further in view of Li (US 2015/0264008).

Regarding claim 14, Lang modified in view of Potok fails to teach wherein the relational database indicates which IP addresses or host names were identified in each of a plurality of days.
However, Li teaches wherein the relational database indicates which IP addresses or host names were identified in each of a plurality of days (see [0067]: “in the event that 30 days of IP geographic coordinate data are collected, and a particular IP address geographic coordinate data occurs 5 times on day 1 (e.g., the Internet is accessed by a terminal using the particular IP address from a particular location 5 times on day 1) and once each on day 5 and day 26, the occurrence day count for the particular IP address geographic coordinate data will be recorded as 3 days”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to let the relational database of Lang modified in view of Potok indicate which IP addresses or host names were identified in each of a plurality of days, as taught by Li. It would have been obvious because Li teaches in [0067] that “the occurrence of an access event for accessing the Internet from a particular location of one or more pieces of IP address geographic coordinate data corresponding to each collected IP address may be counted to obtain a day count for all IP address geographic coordinate data corresponding to a particular IP address”.  

Claims 18 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Lang (US 2015/0269383), further in view of Potok (US 2006/0265748), and further in view of Hitt (US 2015/0229662).

Regarding claim 18, Lang modified in view of Potok fails to teach comparing the statistical information with one or more sets of statistical information relating to other networks.
In the same field of endeavor, Hitt teaches comparing the statistical information with one or more sets of statistical information relating to other networks (see abstract: “A system and method for identifying a threatening network is provided. The system comprises … a statistical network anomaly ranking algorithm that provides as output a ranked list of the networks”. And see [0149]: Table 5, row 3: the algorithm “Statistical anomaly scoring” “outputs an anomaly ranking of the networks based on their change in communication behavior”, “Analysts are given which networks are most likely to be threatening, as automatically determined by the algorithm”. And see [0023]: “the transactional data may be cell phone records, IP addresses, or usernames or links in social media. Graphs provide a natural means for representing information found in communications, social media, and cyber data, including information about terrorists, insurgents, computer networks and other entities that may be of interest”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to add to the method of Lang modified in view of Potok the step of comparing the statistical information with one or more sets of statistical information relating to other networks taught by Hitt.  It would have been obvious because Hitt teaches in [0147] that “these results demonstrate that suspicious networks can be identified as anomalous by visualizing the movement of their network metric clusters over time, by ranking them according to their calculated suspiciousness score, and by plotting their anomaly scores over time. There is stability in the results, despite varying 

Regarding claim 19, Lang modified in view of Potok fails to teach ranking the network in relation to the other networks based on one or more statistical categories.
In the same field of endeavor, Hitt teaches ranking the network in relation to the other networks based on one or more statistical categories (see abstract: “A system and method for identifying a threatening network is provided. The system comprises … a statistical network anomaly ranking algorithm that provides as output a ranked list of the networks”. And see [0149]: Table 5, row 3: the algorithm “Statistical anomaly scoring” “outputs an anomaly ranking of the networks based on their change in communication behavior”, “Analysts are given which networks are most likely to be threatening, as automatically determined by the algorithm”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to add to the method of Lang modified in view of Potok the step of ranking the network in relation to the other networks based on one or more statistical categories taught by Hitt.  It would have been obvious because Hitt teaches in [0147] that “these results demonstrate that suspicious networks can be identified as anomalous by visualizing the movement of their network metric clusters over time, by ranking them according to their calculated suspiciousness score, and by plotting their anomaly scores over time. There is stability in the results, despite varying choices in parameters the analyst can select, which suggests a robustness against human bias when using the tool”.

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Lang (US 2015/0269383), further in view of Potok (US 2006/0265748), further in view of Hitt (US 2015/0229662), and further in view of Zaheer (US 2006/0174342).

Regarding claim 20, Lang modified in view of Potok and Hitt fails to teach wherein the one or more statistical categories comprise a triage time, a response rate, a number of security events per unit time, or a number of security alerts per unit time.
In the same field of endeavor, Zaheer teaches wherein the one or more statistical categories relating to a network comprise a number of security events per unit time (see [0041]: “The operational mode status summary shown in the port manager summary area 250 of the dashboard 46 summarizes alert events for two alerting modes of the port manager module 22, the security alerting mode and cyber event mode. In the security alerting mode, which is the default mode, the port manager module 22 sends an electronic mail (e-mail) message to a group of users (e.g., network administrators or other authorized users) each time a suspect IP address is received from the intrusion detection system 18. ... The security alerting mode is used when the frequency of events is low. If the frequency of events received by the port manager module exceeds some configurable threshold (e.g., 5 events in under 5 minutes time), the port manager module 22 transitions to a cyber event mode, in which the port manager module 22 pages a larger group of network administrators or other authorized users to notify them that a probable cyber attack is underway”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to let the one or more statistical categories taught by Lang modified in view of Potok and Hitt comprise a number of security events per unit time taught by Zaheer. It would have been obvious because Zaheer teaches in [0041] that the frequency of security events can determine whether network administrators should be emailed or paged about the security events. 
Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Lang (US 2015/0269383), further in view of Potok (US 2006/0265748), and further in view of Tiller (US 7,167,983).

Regarding claim 21, Lang modified in view of Potok fails to teach (a) identifying a security task to be periodically performed; (b) identifying a repetition period for the security task; (c) generating, in a plurality of repetition periods, a plurality of notifications to perform the security task, at a rate of one notification per repetition period; (d) receiving user input for each of the plurality of repetition periods indicating whether the security task has been performed for that repetition period; and (e) recording to a computer-readable medium, for each of the plurality of repetition periods, information indicating whether the security task has been performed in that repetition period.
In the same field of endeavor, Tiller teaches (a) identifying a security task to be periodically performed; (b) identifying a repetition period for the security task; (c) generating, in a plurality of repetition periods, a plurality of notifications to perform the security task, at a rate of one notification per repetition period; (d) receiving user input for each of the plurality of repetition periods indicating whether the security task has been performed for that repetition period; and (e) recording to a computer-readable medium, for each of the plurality of repetition periods, information indicating whether the security task has been performed in that repetition period (see col. 5, lines 57-63: “Reporting information identifies reporting responsibility and may be associated with each part of the security policy. Security administrator 110 receives periodic reports regarding each metapolicy, and the reporting information identifies the person to make the report, the frequency of reports, and the content of reports, and includes an online report template”. The Examiner interprets a “report” produced by a security administrator as information indicating whether the security task has been performed in that repetition period. And see col. 11, lines 7-22: “A security project may be a short-term project or an ongoing project that requires substantial management. For ongoing or long-term projects, automatically generate notices and reminders of key events, for example meeting reminders, project plan milestones, reminders for periodic tasks”. And see col. 5, lines 43-51: “Enforcement information also includes a link to enforcement actions, which may be periodic, on-demand, or continuous. Periodic enforcement actions are taken on a regular basis, for example a weekly review of a firewall log”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to add to the method of Lang modified in view of Potok the steps of (a) identifying a security task to be periodically performed; (b) identifying a repetition period for the security task; (c) generating, in a plurality of repetition periods, a plurality of notifications to perform the security task, at a rate of one notification per repetition period; (d) receiving user input for each of the plurality of repetition periods indicating whether the security task has been performed for that repetition period; and (e) recording to a computer-readable medium, for each of the plurality of repetition periods, information indicating whether the security task has been performed in that repetition period; taught by Tiller. It would have been obvious because doing so achieves the commonly understood benefit of ensuring that periodic “enforcement actions are taken on a regular basis, for example a weekly review of a firewall log” (see Tiller, col. 5, lines 43-51).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHIMEI ZHU whose telephone number is (571)270-7990.  The examiner can normally be reached on 10am-6pm Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495