DETAILED ACTION
This is a non-final office action in response to applicant’s communication filed on 5/1/2019.
Claims 1-20 are pending and being considered.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 5/1/2019 has been considered. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, initialed and dated copy of Applicant’s IDS form 1449 filed as stated above is attached to the instant Office Action.
Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but have not been relied upon for this office action:
Cousins et al (US20180322123A1). Formulations and delivery of dynamic, severity-based weather scoring based on radar weather data. 
Claim Objections
Claims 8, 15, 20 are objected to because of the following informalities:  
Claim 8 line 1, “wherein an aggregate risk score is used to one or more of create
Claim 8 line 2, “… and modify a security policy” may read as “… and modify the security policy”. Similarly claim 15 line 4, claim 20 line 4, “… and modifying a security policy …” may read as “… and modifying the security policy …”.
Claim 15 line 4, claim 20 line 4, “… and modifying … using least one …” should read as “… and modifying … using at least one …”.
Claim 15 last line, claim 20 last line, “… of an organization” may read as “… of the organization”.
Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 7 line 1, claim 10 line 1, and claim 11 line 1, recite the limitation "further comprising the step of comparing…” and “the step of triggering…”.  There is insufficient antecedent basis for this limitation in the claim. Applicant is suggested to recite "further comprising …", for instance, "further comprising comparing …" or other appropriate form.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Claim 1, similarly claims 12, 16, recites “obtaining a plurality of individual scores …”, “obtaining an expected distribution…”, “generating, … an aggregate score …”. These would be interpreted as being analogous to concepts relating to organizing or analyzing information in a way that can be performed mentally or human mental work. Accordingly, the claim recites the abstract idea.
The limitation of obtaining, generating, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of relating to a plurality of scores. Nothing in the claim element precludes the step from practically being performed in the mind. Accordingly, the claim recites an abstract idea.
Claims 1, 12 and claim 16 recite additional limitations of “at least one processing device” and “a memory” to perform the steps of method claims discussed above. The limitation of obtaining scores and generating aggregate score, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, other than reciting “at least one processing device” and “a memory”, nothing in the claim element precludes the steps from practically being performed in the mind. Accordingly, the claims recite an abstract idea.
This judicial exception is not integrated into a practical application because the claim only recites the additional limitations of “expected distribution for the plurality of individual scores”, “aggregate score for the plurality of individual scores based on a deviation of the plurality of individual scores from the obtained expected distribution for the plurality of 
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using computing system to perform the obtaining and generating steps amounts to no more than mere instructions to apply the exception using generic computing system. Mere instructions to apply an exception using generic computing machines cannot provide an inventive concept. The claim is not patent eligible.
Dependent claims 2-11 recite additional limitations of “the plurality of individual scores is partitioned into a set of non-overlapping buckets that cover the range of possible values”, “comparing multiple aggregate risk scores across different vectors of an organization”, “aggregate risk score”, “security policy”, and “visualizing multiple aggregate risk scores in one or more of geographic regions and sub-networks of an organization”. Viewing the elements as a 
Similarly, dependent claims 13-15 and 17-20 fall into the same deficiencies as claims 2-11 above. Therefore the claims are not patent eligible.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-4, 6, 10, 12-13, 16-17, 19 are rejected under 35 U.S.C. 102(a)(1)  as being anticipated by Crotinger et al (US20180324199A1, hereinafter, "Crotinger").
Regarding claim 1, Crotinger teaches:
A method, comprising: 
(Crotinger, [0006] By collecting data at various times, temporal analysis may be performed on the collected data to gain insight into a relationship between certain events that occur at specific times and the properties (e.g., collected data) of monitored components during these events. Also referring to Fig. 3, 313 Metrics stream, and [0097] the anomaly detector 332 may monitor (i.e. obtaining) the stream 313 of time-series/metric data (i.e. scores)). Examiner notes the broadest reasonable interpretation of scores is data related to events;
obtaining an expected distribution for the plurality of individual scores (Crotinger, [0074] IT metric data will typically not be strictly normal, but Chebyshev's inequality theorem states that 89% of the metric observations will lie in this range, and for symmetric distributions with a single mode (peak) it can be shown that about 95% of the metric observations will lie within these bounds). Examiner notes the expected distribution is distribution as suggested by Chebyshev's inequality theorem or distribution by data as shown in Fig. 5 which is quasi-normal classification; 
and generating, using at least one processing device (Crotinger, [0063] The anomaly detection module 328 includes a time-series analyzer 330 and an anomaly detector 332), an aggregate score for the plurality of individual scores based on a deviation of the plurality of individual scores from the obtained expected distribution for the plurality of individual scores (Crotinger, [Abstract] anomaly detector monitors a stream of the current time-series data and identifies statistical outliers (i.e. deviation from expected distribution) of the stream of the current time-series data, based upon the statistical model and may determine an anomalous score (i.e. aggregate score) for the statistical outliers by tracking a history of the statistical outliers; wherein the anomalous score comprises a representation of a magnitude of deviation between the current time-series data and the statistical model over multiple measurements. Also [0062] Reference Set Calculator 326 may be a processor-based component that receives the resultant time-series data from the time-series database 322 and aggregates the data for subsequent use as reference data for the anomaly detection module 328, and [0098] anomalous score 339 may provide a representation of a magnitude of deviation between the current time-series data and the underlying statistical model over multiple measurements of the current time-series data…).

Regarding claim 12, Crotinger teaches:
A computer program product, comprising a tangible machine-readable storage medium having encoded therein executable code of one or more software programs (Crotinger, [Claim 11] A tangible, non-transitory, machine-readable medium), wherein the one or more software programs when executed by at least one processing device (Crotinger, see Fig. 2 Processor(s) and Memory) perform the following steps: of method steps substantially similar to the method steps of claim 1 therefore is rejected with the same reason set forth as rejection of claim 1 above.

Regarding claim 16, Crotinger teaches:
An apparatus, comprising: a memory; and at least one processing device (Crotinger, see Fig. 2 Processor(s) and Memory), coupled to the memory, operative to implement the 

Regarding claim 2, similarly claim 13, claim 17, Crotinger further teaches:
The method of claim 1, the computer program product of claim 12, the apparatus of claim 16,
wherein the aggregate score reflects how closely the individual scores follow the expected distribution (Crotinger, [0098] anomalous score 339 may provide a representation of a magnitude of deviation (i.e. how closely) between the current time-series data and the underlying statistical model over multiple measurements). 

Regarding claim 3, Crotinger further teaches:
The method of claim 1, wherein a range of possible values of the plurality of individual scores is partitioned into a set of non-overlapping buckets that cover the range of possible values (Crotinger, referring to Fig. 10 the second plot below the time series plot, for shows the average number of semaphores in use on a particular server along with its frequency distribution. The x-axis shows each bar with frequency range (i.e. bucket)).  

Regarding claim 4, Crotinger further teaches:
The method of claim 3, wherein each of the non-overlapping buckets has a corresponding expected percentile distribution indicating a percentage of the plurality of individual scores that should fall into each respective bucket (Crotinger, [0074] FIG. 5 is a plot 500 of the percentage of free memory for a server that does not have a strongly seasonal (hourly, daily or weekly periodic) component, along with a plot of the estimated probability density for this signal).

Regarding claim 6, similarly claim 19, Crotinger further teaches:
The method of claim 1, the apparatus of claim 16,
wherein the step of generating the aggregate score for the plurality of individual scores further comprises the step of computing an actual distribution of the plurality of individual scores (Crotinger, [0074] FIG. 5 is a plot 500 of the percentage of free memory for a server that does not have a strongly seasonal (hourly, daily or weekly periodic) component, along with a plot of the estimated (i.e. computing) probability density for this signal).  

Regarding claim 10, Crotinger further teaches:
The method of claim 1, further comprising the step of triggering an alert based on whether an aggregate risk score satisfies one or more predefined threshold criteria (Crotinger, [0098] when the anomaly score is above a determined threshold, the anomaly detector 340 may raise events 346 by providing the events 346 to an alerts data store 348).  

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 5, 14, 18 are rejected under 35 U.S.C. 103 as being unpatentable over Crotinger et al (US20180324199A1, hereinafter, "Crotinger"), in view of Crowley et al (US20120143650A1, hereinafter, “Crowley”).
Regarding claim 5, Crotinger teaches:
The method of claim 3, 
While Crotinger does not explicitly teach the following limitation(s), however in the similar field of endeavor Crowley teaches:
(Crowley, [0067] Algorithm 330 in FIG. 3 is used to input and apply weights to each individual risk score calculated for an asset. The Algorithm outputs a Composite Risk 332 in FIG. 3 for every asset being analyzed and performs a Relative Distribution 331 in FIG. 3 of the risk of the infected assets within a network).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Crowley in the systems and methods of anomaly detection of Crotinger by applying weights to each individual risk scores associated with compromised network assets. This would have been obvious because the person having ordinary skill in the art would have been motivated to use weighted risk score calculation by Algorithm to output composited risk for infected assets to be analyzed in a relative distribution  (Crowley, [Abstract], [0067]).

Regarding claim 14, similarly claim 18, Crotinger teaches:
The computer program product of claim 12, the apparatus of claim 16, 
wherein a range of possible values of the plurality of individual scores is partitioned into a set of non-overlapping buckets that cover the range of possible values (Crotinger, referring to Fig. 10 the second plot below the time series plot, for shows the average number of semaphores in use on a particular server along with its frequency distribution. The x-axis shows each bar with frequency range (i.e. bucket)), and wherein each of the non-overlapping (Crotinger, [0074] FIG. 5 is a plot 500 of the percentage of free memory for a server that does not have a strongly seasonal (hourly, daily or weekly periodic) component, along with a plot of the estimated probability density for this signal), 
While Crotinger does not explicitly teach the following limitation(s), however in the similar field of endeavor Crowley teaches:
and (ii) a corresponding weight indicating one or more of how much a change in a given bucket contributes to an overall score, relative to other buckets, and whether the given bucket negatively or positively impacts the overall score (Crowley, [0067] Algorithm 330 in FIG. 3 is used to input and apply weights to each individual risk score calculated for an asset. The Algorithm outputs a Composite Risk 332 in FIG. 3 for every asset being analyzed and performs a Relative Distribution 331 in FIG. 3 of the risk of the infected assets within a network).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Crowley in the systems and methods of anomaly detection of Crotinger by applying weights to each individual risk scores associated with compromised network assets. This would have been obvious because the person having ordinary skill in the art would have been motivated to use weighted risk score calculation by Algorithm to output composited risk for infected assets to be analyzed in a relative distribution  (Crowley, [Abstract], [0067]).  

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Crotinger et al (US20180324199A1, hereinafter, "Crotinger"), in view of Baikalov et al (US20150066575A1, hereinafter, “Baikalov”).
Regarding claim 7, Crotinger teaches:
The method of claim 1, 
While Crotinger does not explicitly teach the following limitation(s), however in the similar field of endeavor Baikalov teaches:
further comprising the step of comparing multiple aggregate risk scores across different vectors of an organization (Baikalov, [0044] As shown in FIG. 4, server 101 may perform similar steps as those described in FIG. 3 to calculate a grade indicating each asset's level of risk for each risk vector across an enterprise.  For example, each asset (e.g., system) may comprise various risk vectors (e.g., compliance, vulnerability, malware, and the like)).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Baikalov in the systems and methods of anomaly detection of Crotinger by using asset’s risk level across various risk vector of an enterprise. This would have been obvious because the person having ordinary skill in the art would have been motivated to have server to aggregate the risk scores and assess score ranges for each risk vector for server to provide a uniform system of assessing and evaluating risk across all assets in the enterprise (Baikalov, [Abstract]).

Claims 8-9, 15, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Crotinger et al (US20180324199A1, hereinafter, "Crotinger"), in view of Levy et al (US20190319987A1, hereinafter, “Levy”).
Regarding claim 8, Crotinger teaches:
The method of claim 1, 
While Crotinger does not explicitly teach the following limitation(s), however in the similar field of endeavor Levy teaches:
wherein an aggregate risk score is used to one or more of create a security policy and modify a security policy (Levy, [0201] In another aspect, responding to the risk score may include adjusting a policy for the compute instance based on the risk score. The policy may generally include any security policy or the like for the enterprise network).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Levy in the systems and methods of anomaly detection of Crotinger by using the risk score to make and adjust the security policy for an enterprise network. This would have been obvious because the person having ordinary skill in the art would have been motivated to adjust the security policy in response to risk score for network security therefore improvement in enterprise network security (Levy, [0003], [0005]).

Regarding claim 9, Crotinger teaches:
The method of claim 1, 

wherein an aggregate risk score is dynamically generated when one or more security policies are evaluated (Levy, [0031] Another overall goal is to provide protection needed by an organization that is dynamic and able to adapt to changes in compute instances and new threats. And [0205] a system for dynamic policy management including a compute instance and a threat management facility in an enterprise network… and the threat management facility may be configured, e.g., by computer executable code, to receive an event stream including the event vector, to calculate a risk score for the compute instance based on a comparison of the event vector with the entity model, and to adjust a policy for the compute instance based on the risk score).  It is obvious that in order for policy to be adjusted with risk score, the risk score has to be generated based on the policy.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Levy in the systems and methods of anomaly detection of Crotinger by using the risk score to make and adjust the security policy for an enterprise network. This would have been obvious because the person having ordinary skill in the art would have been motivated to adjust the security policy in response to risk score for network security therefore improvement in enterprise network security (Levy, [0003], [0005]).

Regarding claim 15, similarly claim 20, Crotinger teaches:
(see Crotinger, e.g. [0098] anomalous score 339 may provide a representation of a magnitude of deviation between the current time-series data and the underlying statistical model over multiple measurements), and further comprising one or more steps of: 
(iv) triggering an alert based on whether at least one aggregate risk score satisfies one or more predefined threshold criteria (Crotinger, [0098] when the anomaly score is above a determined threshold, the anomaly detector 340 may raise events 346 by providing the events 346 to an alerts data store 348); 
While Crotinger does not explicitly teach the following limitation(s), however in the similar field of endeavor Levy teaches:
(ii) one or more of creating a security policy and modifying a security policy using least one aggregate risk score (Levy, [0201] In another aspect, responding to the risk score may include adjusting a policy for the compute instance based on the risk score. The policy may generally include any security policy or the like for the enterprise network);
(iii) dynamically generating the aggregate risk score when one or more security policies are evaluated (Levy, [0031] Another overall goal is to provide protection needed by an organization that is dynamic and able to adapt to changes in compute instances and new threats. And [0205] a system for dynamic policy management including a compute instance and a threat management facility in an enterprise network… and the threat management facility may be configured, e.g., by computer executable code, to receive an event stream including the event vector, to calculate a risk score for the compute instance based on a comparison of the event vector with the entity model, and to adjust a policy for the compute instance based on the risk score).  It is obvious that in order for policy to be adjusted with risk score, the risk score has to be generated based on the policy.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Levy in the systems and methods of anomaly detection of Crotinger by using the risk score to make and adjust the security policy for an enterprise network. This would have been obvious because the person having ordinary skill in the art would have been motivated to adjust the security policy in response to risk score for network security therefore improvement in enterprise network security (Levy, [0003], [0005]).

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Crotinger et al (US20180324199A1, hereinafter, "Crotinger"), in view of Telang et al (US20180357422A1, hereinafter, “Telang”).
Regarding claim 11, Crotinger teaches:
The method of claim 1, 
While Crotinger does not explicitly teach the following limitation(s), however in the same field of endeavor Telang teaches:
further comprising the step of visualizing multiple aggregate risk scores in one or more of geographic regions and sub-networks of an organization (Telang, see Fig. 19 and 25, and [0422] shown in FIG. 19, a risk score of 91 is detected for IP address 248.228.158.6 at 1300 UTC.  The next two risk scores fall below the defined threshold, but the risk alert is maintained based on the user defined time period.  At 1600 UTC, the risk alert timespan continues, because a risk score of 91 is computed the next time period. And [0431] FIG. 25 shows a risk breakdown map 2500 presented after selection of country selector 2410).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Telang in the systems and methods of anomaly detection of Crotinger by using a geographic map and IP address to visualize the risk score in testing a cybersecurity system. This would have been obvious because the person having ordinary skill in the art would have been motivated to use summary pane and geographic map to show risk score associated with IP address of device organizational information and device associated with each country respectively for a simulated attack in testing of a cybersecurity system (Telang, [Abstract], Fig. 19 and Fig. 25).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/MICHAEL M LEE/Examiner, Art Unit 2436


/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436