DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 10/19/2020 has been entered.
 
Response to Amendment
Acknowledgement is made of Applicant's claim amendments on 10/19/2020. The claim amendments are entered. Presently, claims 1-29 remain pending. Claims 1, 2, 12, 13, 21, and 22 have been amended.

Response to Arguments
Applicant's arguments filed on 10/19/2020 have been fully considered but they are not persuasive.

Applicant argues that Bender allegedly does not teach the claim limitations because it does not teach an automated response (Applicant’s reply pgs. 11-12). This is not persuasive; Bender teaches an automated security management system that can manage, notify, and provide incident responses/actions (Bender [0042]). In any event, the argument is moot because Bender is no longer relied upon to teach this limitation.

Applicant argues that Lehr allegedly teaches away from the claim limitations due to an assignment of a second priority level (Applicant’s reply pg. 12). This is not persuasive. Lehr is relied upon to teach the expiration of a time period and the lack of implementation of an action when that time period expires. In that regard, Lehr teaches the expiration of a time period in correlation with a selection module, as recited in the mapping below. Once the time period has elapsed, some other action can be taken, e.g. re-prioritizing a request. This means that the first/initial action was not implemented within the predetermined time period. The dispositive point is that there is an expiring time period and that some first/initial action was not implemented within that predetermined time period, which is what Applicant’s claim recites. Thus, contrary to Applicant’s arguments, Lehr teaches the claimed limitations. The fact that Lehr might take some other action after this time period is not dispositive, because Lehr is not relied upon to teach the automatic implementation of a first response when the time period expires. As an aside, it is noted that an assignment to a second priority necessitates a previously assigned first/initial priority, which Lehr teaches was not implemented during the specified time period. This, as stated above, shows that Lehr teaches the claim limitations.

Applicant also argues that the cited references fail to cure the deficiencies because they allegedly do not teach the various newly presented amendments (Applicant’s reply pgs. 12-14). The cited references, in combination with new reference Hermanns, teach the claim limitations, as shown in the updated mapping below.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-3, 5, 6, 10-14, 16, 17, 19, 21-23, 25, and 26 are rejected under 35 U.S.C. 103 as being unpatentable over Ahmed et al. (U.S. Pat. App. Pre-Grant Pub. No. 2019/0297096, hereinafter Ahmed) in view of Hermanns et al. (U.S. Pat. App. Pre-Grant Pub. No. 2013/0305362, hereinafter Hermanns) and Lehr et al. (U.S. Pat. App. Pre-Grant Pub. No. 2009/0222600, hereinafter Lehr).
Regarding claim 1, Ahmed teaches:
A system disruption detection computing platform ([0024]: “security threat detection and mitigation platforms”), comprising:
at least one processor ([0126]-[0127]: “computer system 1600 includes one or more processors”);
a communication interface communicatively coupled to the at least one processor ([0126]: describing that the “[c]omputer system 1600 further includes a network interface 1640 coupled to [an] I/O interface 1630”. Wherein the network interface comprises input/output interfaces that allow for communication with the computer system ([0129]-[0130]).); and 
memory storing computer-readable instructions that, when executed by the at least one processor, cause the system disruption detection computing platform to ([0131]-[0132]: “a computer-accessible medium configured to store program instructions”. See also [0127]: “Processors 1610 may be any suitable processors capable of executing instructions. For example, in various embodiments, processors 1610 may be general-purpose or embedded processors implementing any of a variety of instruction set architectures (ISAs)….”):
receive, via the communication interface, a first content stream associated with current conditions of a system ([0047]: “security threat detection and mitigation platform 310 may receive input data (e.g., sensor data from agents that is provided as streaming data, or other information) from any of a variety of sources”. Wherein input data can comprise network traffic data ([0038]) and/or also “various data streams or portions thereof, information about host machines, context metadata, and/or other types of system telemetry) may be fed to each of the inference engines in order to perform their respective classification operations…. [The] data [may also be] indicative of system behaviors or characteristics, such as data usable to determine that a machine, computing resource instance, droplet [e.g. a virtual machine], or network endpoint is hot (overloaded/ oversubscribed), is underutilized (lightly loaded or undersubscribed), or is failing (e.g., exhibits too many memory read errors or write errors)…. In response to detecting one of these characteristics, the platform may be configured to initiate a remediation workflow (e.g., one that takes action to prevent, mitigate, or correct a detected condition or event).” ([0039]).);
responsive to receiving the first content stream associated with the current conditions of a system ([0039]: describing the various types of content data streams that can be analyzed by the inference engine as part of the security threat detection and mitigation platforms, wherein such data stream can comprise “the memory utilization or CPU utilization for a particular droplet (overall) or for an individual instance”.), 
generate, based on the first content stream and a machine learning dataset, a likelihood of a system disruption ([0023]: describing that the “the security threat detection and mitigation platform may include a variety of data collection components, data analysis components (e.g., inference engines), and response components” for detecting, analyzing, and inferring security threats to the system based on received/collected data from a data stream ([0041]). Wherein the platform comprises machine learning techniques ([0029] and [0033]) and based on the received data content stream “(e.g., information about host machines, context metadata, or other types of system telemetry, examples of which are described herein), the security threat detection and mitigation platform … may apply machine learning techniques to classify a[n analysis of the received data content stream] as being malicious or “good” (e.g., “normal”, “benign”, or “acceptable”), and may classify malicious behavior as representing a specific type of security threat” ([0022]). The platform can infer/determine confidence levels regarding analysis of the data denoting a security threat/malicious behavior ([0044] and [0071]).); 
generate, based on the likelihood of a system disruption and the machine learning dataset, a first plurality of responses to mitigate an impact of the system disruption ([0045]: “the response layer of the security platforms described herein may support a variety of types of responses to detected (or suspected) security threats, some of which may be performed automatically in response to detection of particular types of security threats. For example, a response to one type of event may be to perform a simple atomic action (e.g. “notify customer”, or “shut down instance”), or it may include the initiation of a complex work flow that includes a series of actions.” Wherein the platform comprises machine learning techniques to help determine a malicious attack and generate a responsive action to mitigate harm to the system ([0092]-[0094]). The various types of potential responses based on a determined threat comprises: automatic responses ([0071]-[0072]), manual responses ([0073]-[0074]), or new responses ([0084]).), 
the first plurality of responses including responses of a first category and a second category ([0071]: describing that the responses to a threat can comprise automatic or manual responses, wherein the responses comprises various remediation measures ([0045] and [0049]).);
....

While Ahmed teaches the limitations of claim 1, Ahmed does not explicitly teach: “prioritize the generated first plurality of responses based on a category of each response of the first plurality of responses; … a first priority response of the prioritized first plurality of responses; and …, automatically implement a first priority response of the prioritized first plurality of responses to mitigate the impact of the system disruption” on lines 15-21. Hermanns discloses the claim limitations, teaching: 
“prioritize the generated first plurality of responses based on a category of each response of the first plurality of responses (Hermanns [0032]: describing that a message can comprise “threat mitigation information [which] may include one or more parameters that describe a device type, a traffic characteristic, a mitigation action, a priority, a severity, other information for mitigating threat 12, or any suitable combination of any of the preceding.” Wherein such traffic data characteristic (Hermanns [0032]), priority information (Hermanns [0033]), and severity information (Hermanns [0034]) can help determine a priority related to which mitigation action parameter (Hermanns [0035]) to implement in response to the attack.); 
… a first priority response of the prioritized first plurality of responses (see the previous Hermanns mapping above for the priority and mitigation action responses.); and …, 
automatically implement a first priority response of the prioritized first plurality of responses to mitigate the impact of the system disruption (Hermanns [0041]: describing that the operation center comprising a controller and a network device can analyze and detect a threat and generate a message with various priority and mitigation action data whereupon the “network device 40 may convert the mitigation action stored in the content of message 14 into device-specific operations using locally stored rules. Network device 40 may [automatically] perform the device-specific operations to mitigate threat 12” (Hermanns [0043]).)
Thus, it would have been obvious to a person having ordinary skill in the art (PHOSITA) before the effective filing date (EFD) to modify the system in Ahmed to include the prioritized response in Hermanns. Doing so would enable a mechanism for “[m]itigating threats in a network [that] includes receiving a message at a network device. The message includes device-independent parameters generated in response to a threat. The network device converts the parameters into one or more device-specific operations and then performs the operations to mitigate the threat.” (Hermanns Abstract).

While the cited references teach the limitations of claim 1, they do not explicitly teach: “determine that a predetermined time period has expired without implementation of …; … responsive to determining that the predetermined time period has expired” on lines 17-19. Lehr discloses the claim limitations, teaching: a “timing module may determine 816 whether a predetermined time period selected by the selection module 506 has elapsed. If the predetermined time period has elapsed, then the reassignment module 406 may assign a second priority level to the dummy request [rather than a first priority]….” (Lehr [0069]). See also Lehr [0045]: describing an “expiration module” that can give an “expiration identifier may include a specified date and time for expiration”. Wherein the assignment to a second priority denotes lack of implementation of a first priority. 
Thus, it would have been obvious to a person having ordinary skill in the art (PHOSITA) before the effective filing date (EFD) to modify the system of the cited references to include the time considerations in Lehr. Doing so would enable a system in which “enqueue prioritization is provided with a plurality of modules configured to functionally execute the steps of holding one or more queued requests in a queue, sorting the queued requests according to a first priority identifier associated with each of the queued requests, and assigning a second priority identifier to a delayed request in response to a determination that the delayed request has resided in the queue for a predetermined length of time…” (Lehr Abstract) with a priority that can be assigned (Lehr [0044]).
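As an added worked example, not code from the office action, the applicant, Ahmed, Hermanns or Lehr, the following Python sketches the flow that the claim 1 mapping above (and the parallel mappings for method claim 12 and media claim 21) describes: a telemetry sample is scored against a learned baseline to produce a disruption likelihood, candidate responses of a tactical and a strategic category are generated, they are prioritized by category, and if a predetermined time period expires without an operator implementing anything, the first priority response is implemented automatically. The baseline statistics, metric names, response names, the logistic scoring and the 2-sigma trigger are assumptions standing in for the claimed “machine learning dataset”; the telemetry samples are constructed.

```python
import math
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional

# Constructed stand-in for the "machine learning dataset": per-metric mean and
# standard deviation of healthy telemetry. Values are hypothetical.
BASELINE: Dict[str, Dict[str, float]] = {
    "cpu_pct":    {"mean": 40.0, "std": 10.0},
    "mem_pct":    {"mean": 55.0, "std": 8.0},
    "mem_errors": {"mean": 0.5,  "std": 0.5},
}

class Category(IntEnum):
    TACTICAL = 0   # acts on the system itself (throttle, restart, shut down)
    STRATEGIC = 1  # acts on people and process (notify, open an incident)

# Hypothetical response catalogue: tactical responses keyed by the metric that
# triggers them, strategic responses always offered once a disruption is likely.
TACTICAL_FOR = {"cpu_pct": "throttle_cpu",
                "mem_pct": "restart_instance",
                "mem_errors": "shutdown_instance"}
STRATEGIC = ["notify_customer", "open_incident"]

@dataclass
class Response:
    name: str
    category: Category
    severity: float  # strength of the triggering signal; larger ranks earlier

def zscores(sample: Dict[str, float]) -> Dict[str, float]:
    """Standardised deviation of each observed metric from its baseline."""
    return {m: (sample[m] - s["mean"]) / s["std"]
            for m, s in BASELINE.items() if m in sample}

def disruption_likelihood(sample: Dict[str, float]) -> float:
    """Likelihood in [0, 1]: logistic squash of the total positive deviation,
    centred so that three sigma-units of excess give 0.5 (assumed calibration)."""
    excess = sum(max(0.0, z) for z in zscores(sample).values())
    return 1.0 / (1.0 + math.exp(-(excess - 3.0)))

def generate_responses(sample: Dict[str, float], likelihood: float,
                       threshold: float = 0.5) -> List[Response]:
    """Candidate responses of both categories, or none below the threshold."""
    if likelihood < threshold:
        return []
    z = zscores(sample)
    tactical = [Response(TACTICAL_FOR[m], Category.TACTICAL, z[m])
                for m in TACTICAL_FOR if z.get(m, 0.0) > 2.0]
    strategic = [Response(n, Category.STRATEGIC, likelihood) for n in STRATEGIC]
    return tactical + strategic

def prioritize(responses: List[Response]) -> List[Response]:
    """Rank by category (tactical before strategic), then strongest signal first."""
    return sorted(responses, key=lambda r: (int(r.category), -r.severity))

@dataclass
class PendingDecision:
    """Ranked responses awaiting an operator. After `deadline` the first priority
    response is implemented automatically if nothing has been implemented."""
    ranked: List[Response]
    deadline: float
    implemented: Optional[Response] = None
    implemented_by: Optional[str] = None   # "operator" or "auto"
    audit: List[str] = field(default_factory=list)

    def _apply(self, r: Response, who: str) -> Response:
        self.implemented, self.implemented_by = r, who
        self.audit.append(f"{who}:{r.name}")   # record who acted and what ran
        return r

    def operator_implements(self, name: str, now: float) -> Response:
        """Manual path: an operator picks any ranked response before the deadline."""
        if self.implemented is not None:
            raise RuntimeError("a response was already implemented")
        if now >= self.deadline:
            raise RuntimeError("time period expired; use enforce_deadline()")
        return self._apply(next(r for r in self.ranked if r.name == name), "operator")

    def enforce_deadline(self, now: float) -> Optional[Response]:
        """Automatic path: returns the first priority response it implemented if
        the predetermined period expired without any implementation, else None."""
        if self.implemented is None and now >= self.deadline:
            return self._apply(self.ranked[0], "auto")
        return None

def open_decision(sample: Dict[str, float], now: float,
                  period_s: float) -> Optional[PendingDecision]:
    """One pass of the flow for a single telemetry sample; None if no disruption."""
    ranked = prioritize(generate_responses(sample, disruption_likelihood(sample)))
    return PendingDecision(ranked, deadline=now + period_s) if ranked else None

if __name__ == "__main__":
    # Constructed telemetry: an overloaded instance that is also throwing memory errors.
    sample = {"cpu_pct": 95.0, "mem_pct": 90.0, "mem_errors": 6.0}
    d = open_decision(sample, now=0.0, period_s=30.0)
    print([r.name for r in d.ranked])                 # ranked candidates
    print(d.enforce_deadline(now=30.0).name, d.audit) # auto path after expiry
```

The clock is passed in rather than read from `time.time()` so the expiry behaviour can be exercised deterministically; in a deployment the same two entry points would be driven by a scheduler tick and an operator console. Note that the auto path only ever fires once and only when nothing was implemented, which is the distinction the response to arguments draws above between expiry of the period and whatever later re-prioritisation a system like Lehr's might perform.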

Regarding claim 2, Ahmed teaches: 
The system disruption detection computing platform of claim 1, wherein the first category is tactical responses ([0045]: “shut down instance” of the network and/or computing resources.) and the second category is strategic responses ([0049]: “notify[ing the] customer” of the security threat.).

Regarding claim 3, Ahmed teaches:
The system disruption detection computing platform of claim 1, wherein the first plurality of responses includes at least one of: modifying central processing unit (CPU) usage ([0039]: describing that “the platform may be configured to initiate a remediation workflow (e.g., one that takes action to prevent, mitigate, or correct a detected condition or event)” upon detection that “a machine, computing resource instance, droplet [e.g. virtual machine], or network endpoint is hot (overloaded/oversubscribed), is underutilized (lightly loaded or undersubscribed), or is failing”.), shutting down the system ([0045]: “shut down instance” of the network and/or computing resources.)

Regarding claim 5, Ahmed teaches:
The system disruption detection computing platform of claim 1, further including instructions that, when executed, cause the system disruption detection computing platform to:
determine that the likelihood of the system disruption is at or above a predetermined threshold ([0044]: describing that “multiple inferences engines may be employed (in combination) to determine a classification result with respect to those types of security threats … [wherein a] first inference engine may operate on network traffic data to make an initial classification having a particular score (e.g., with a particular confidence level)”. Whereby the confidence levels can comprise a predetermined threshold denoting a malicious behavior in the system and warranting a response ([0049] and [0071]).); and
responsive to determining that the likelihood of the system disruption is not at or above the predetermined threshold, displaying the generated first plurality of responses on a display of a computing device ([0071]: describing that when a high confidence level response is unwarranted, i.e. the event should instead carry a low confidence level designation, “a customer or administrator … [may] take steps to return the affected instances to their previous states” after being presented the option by the system. That is, the security platform can “request human intervention to verify the classification of the event, override the classification of the event, and/or perform one or more (manual) actions to mitigate the malicious behavior. In various embodiments, the security platform may also allow human review in cases in which an event or behavior is not classified as malicious, e.g., to audit the operation of the security platform and its inference engines and determine whether and when any changes should be made to the security platform or inference engines to improve the correctness of classification results” ([0045]).)

Regarding claim 6, Ahmed teaches:
The system disruption detection computing platform of claim 1, further including instructions that, when executed, cause the system disruption detection computing platform to:
receive a second content stream associated with current internal conditions of an entity ([0044]: “The additional input data may include a different data stream or a different portion of the same data stream ....”), and
wherein generating the likelihood of the system disruption is further based on the second content stream ([0044]: “The second inference engine may apply different heuristics or machine learning techniques to the output of the first inference engine and, in some cases, to additional input data to draw its own conclusion about the classification of the event that was detected by the first inference engine…. [For example, the second inference engine can receive] any other inputs suitable for further classifying the event or behavior that was detected by the first inference engine (e.g., to produce a classification result with a higher confidence level than that produced by the first inference engine)”.).

Regarding claim 10, Ahmed teaches:
The system disruption detection computing platform of claim 1, wherein a system disruption may include a system internal to an entity ([0024]: “the security threat detection and mitigation platforms described herein may be implemented by a service provider that provides virtualization services to customers. For example, the service provider may host virtual computing resource instances (e.g., virtual compute nodes and/or virtualized storage) on fleets of physical computing and storage devices. In such embodiments, data may be generated by internal services on the service provider network and/or by the virtual computing resource instances (or applications executing thereon), e.g., by (or on) a variety of droplet components, control plane services, and/or data pipeline processors.”) or a system external to an entity and having a potential impact on the entity.

Regarding claim 11, Ahmed teaches:
The system disruption detection computing platform of claim 1, further including instructions that, when executed, cause the computing platform to:
after implementing the first priority response, receive an updated content stream associated with current conditions of the system ([0044]: “The second inference engine may apply different heuristics or machine learning techniques to the output of the first inference engine and, in some cases, to additional input data to draw its own conclusion about the classification of the event that was detected by the first inference engine…. [For example, the second inference engine can receive] any other inputs suitable for further classifying the event or behavior that was detected by the first inference engine (e.g., to produce a classification result with a higher confidence level than that produced by the first inference engine)”.);
update the machine learning dataset based on implementing the first priority response ([0036]: “an inference engine may apply rules that are generated and/or updated using machine learning techniques”.);
generate, based on the updated machine learning dataset and updated content stream, a second plurality of responses to mitigate the impact of the system disruption ([0044]-[0045]: describing that “the rules and/or algorithms of two or more inference engines may be applied in series to a data stream or collection of data streams by chaining an output of one inference engine to another inference engine as an input” to generate another classification as to whether there is a system security threat or not and accordingly, generate the corresponding responsive actions.
That is, “one or more of the inference engines 440-448 may receive the event stream 434 and may (e.g., by applying machine learning techniques and a machine model generated using those techniques) infer that the behavior of a computing resource instance (represented by an event) should be classified as malicious. An inference engine that makes such a determination may provide a notification to that effect to response layer 470, which may take appropriate action to mitigate the security threat. As illustrated in this example, the inference engine may also provide the event data and classification information to the machine learning system/service 450 and may receive an updated predictor (e.g., an updated machine model) to use in subsequent classification exercises.” ([0056]). Wherein each inference engine can perform an analysis and provide a responsive action, comprising multiple analyses and responsive actions that are unique to each inference engine within the security threat detection and mitigation platform system.); and
display the generated second plurality of responses ([0112]-[0113]: describing “hardware virtualization service 1420 may provide one or more APIs [application program interfaces] 1402, for example a web services interface, via which a client network 1450 may access functionality provided by the hardware virtualization service 1420, for example via a console 1494”. Such interfaces providing a display of the potential responses for user review, audit, or enact manual responsive actions ([0071]).).


Regarding claim 12, Ahmed teaches:
A method, comprising:
at a computing platform comprising at least one processor ([0126]-[0127]: “computer system 1600 includes one or more processors”), 
memory ([0128]: “memory”. See also [0131]-[0132]: describing “a computer-accessible medium configured to store program instructions”.), and 
a communication interface ([0126]: describing that the “[c]omputer system 1600 further includes a network interface 1640 coupled to [an] I/O interface 1630”. Wherein the network interface comprises input/output interfaces that allow for communication with the computer system ([0129]-[0130]).):
Docket No. 007 IDF 7590
receiving, by the at least one processor and via the communication interface, a first content stream associated with current conditions of a system ([0047]: “security threat detection and mitigation platform 310 may receive input data (e.g., sensor data from agents that is provided as streaming data, or other information) from any of a variety of sources”. Wherein input data can comprise network traffic data ([0038]) and/or also “various data streams or portions thereof, information about host machines, context metadata, and/or other types of system telemetry) may be fed to each of the inference engines in order to perform their respective classification operations…. [The] data [may also be] indicative of system behaviors or characteristics, such as data usable to determine that a machine, computing resource instance, droplet [e.g. a virtual machine], or network endpoint is hot (overloaded/ oversubscribed), is underutilized (lightly loaded or undersubscribed), or is failing (e.g., exhibits too many memory read errors or write errors)…. In response to detecting one of these characteristics, the platform may be configured to initiate a remediation workflow (e.g., one that takes action to prevent, mitigate, or correct a detected condition or event).” ([0039]).);
responsive to receiving the first content stream associated with the current conditions of a system ([0039]: describing the various types of content data streams that can be analyzed by the inference engine as part of the security threat detection and mitigation platforms, wherein such data stream can comprise “the memory utilization or CPU utilization for a particular droplet (overall) or for an individual instance”.), 
generating, by the at least one processor and based on the first content stream and a machine learning dataset, a likelihood of a system disruption ([0023]: describing that the “the security threat detection and mitigation platform may include a variety of data collection components, data analysis components (e.g., inference engines), and response components” for detecting, analyzing, and inferring security threats to the system based on received/collected data from a data stream ([0041]). Wherein the platform comprises machine learning techniques ([0029] and [0033]) and based on the received data content stream “(e.g., information about host machines, context metadata, or other types of system telemetry, examples of which are described herein), the security threat detection and mitigation platform … may apply machine learning techniques to classify a[n analysis of the received data content stream] as being malicious or “good” (e.g., “normal”, “benign”, or “acceptable”), and may classify malicious behavior as representing a specific type of security threat” ([0022]). The platform can infer/determine confidence levels regarding analysis of the data denoting a security threat/malicious behavior ([0044] and [0071]).);
…
([0045]: “the response layer of the security platforms described herein may support a variety of types of responses to detected (or suspected) security threats, some of which may be performed automatically in response to detection of particular types of security threats. For example, a response to one type of event may be to perform a simple atomic action (e.g. “notify customer”, or “shut down instance”), or it may include the initiation of a complex work flow that includes a series of actions.” Wherein the platform comprises machine learning techniques to help determine a malicious attack and generate a responsive action to mitigate harm to the system ([0092]-[0094]). The various types of potential responses based on a determined threat comprises: automatic responses ([0071]-[0072]), manual responses ([0073]-[0074]), or new responses ([0084]).), 
the plurality of responses including responses of a first category and a second category ([0071]: describing that the responses to a threat can comprise automatic or manual responses, wherein the responses comprises various remediation measures ([0045] and [0049]).);
…. 

While Ahmed teaches the limitations of claim 12, Ahmed does not explicitly teach: “prioritizing, by the at least one processor, the generated plurality of responses based on a category of each response of the plurality of responses; … a first priority response of the prioritized plurality of responses; and…, automatically implementing, by the at least one processor, the first priority response of the prioritized plurality of responses to mitigate the impact of the system disruption”. Hermanns discloses the claim limitations, teaching:
“prioritizing, by the at least one processor, the generated plurality of responses based on a category of each response of the plurality of responses (Hermanns [0032]: describing that a message can comprise “threat mitigation information [which] may include one or more parameters that describe a device type, a traffic characteristic, a mitigation action, a priority, a severity, other information for mitigating threat 12, or any suitable combination of any of the preceding.” Wherein such traffic data characteristic (Hermanns [0032]), priority information (Hermanns [0033]), and severity information (Hermanns [0034]) can help determine a priority related to which mitigation action parameter (Hermanns [0035]) to implement in response to the attack.); 
 … a first priority response of the prioritized plurality of responses (see the previous Hermanns mapping above for the priority and mitigation action responses.); and …, 
automatically implementing, by the at least one processor, a first priority response of the prioritized plurality of responses to mitigate the impact of the system disruption (Hermanns [0041]: describing that the operation center comprising a controller and a network device can analyze and detect a threat and generate a message with various priority and mitigation action data whereupon the “network device 40 may convert the mitigation action stored in the content of message 14 into device-specific operations using locally stored rules. Network device 40 may [automatically] perform the device-specific operations to mitigate threat 12” (Hermanns [0043]).)
Thus, it would have been obvious to a person having ordinary skill in the art (PHOSITA) before the effective filing date (EFD) to modify the system in Ahmed to include the prioritized response in Hermanns. Doing so would enable a mechanism for “[m]itigating threats in a network [that] includes receiving a message at a network device. The message includes device-independent parameters generated in response to a threat. The network device converts the parameters into one or more device-specific operations and then performs the operations to mitigate the threat.” (Hermanns Abstract).

While the cited references teach the limitations of claim 12, they do not explicitly teach: “determining that a predetermined time period has expired without implementation of …; … responsive to determining that the predetermined time period has expired” on lines 15-17. Lehr discloses the claim limitations, teaching: a “timing module may determine 816 whether a predetermined time period selected by the selection module 506 has elapsed. If the predetermined time period has elapsed, then the reassignment module 406 may assign a second priority level to the dummy request [rather than a first priority]….” (Lehr [0069]). See also Lehr [0045]: describing an “expiration module” that can give an “expiration identifier may include a specified date and time for expiration”. Wherein the assignment to a second priority denotes lack of implementation of a first priority. See also [0040], [0044], [0054], and [0061]-[0063]. 
Thus, it would have been obvious to a person having ordinary skill in the art (PHOSITA) before the effective filing date (EFD) to modify the system of the cited references to include the time considerations in Lehr. Doing so would enable a system in which “enqueue prioritization is provided with a plurality of modules configured to functionally execute the steps of holding one or more queued requests in a queue, sorting the queued requests according to a first priority identifier associated with each of the queued requests, and assigning a second priority identifier to a delayed request in response to a determination that the delayed request has resided in the queue for a predetermined length of time…” (Lehr Abstract) with a priority that can be assigned (Lehr [0044]).

Regarding claim 13, claim 13 is substantially similar to claim 2 and therefore is rejected on the same ground as claim 2. Claim 13 is a method claim that corresponds to system claim 2.

Regarding claim 14, claim 14 is substantially similar to claim 3 and therefore is rejected on the same ground as claim 3. Claim 14 is a method claim that corresponds to system claim 3.

Regarding claim 16, claim 16 is substantially similar to claim 5 and therefore is rejected on the same ground as claim 5. Claim 16 is a method claim that corresponds to system claim 5.

Regarding claim 17, claim 17 is substantially similar to claim 6 and therefore is rejected on the same ground as claim 6. Claim 17 is a method claim that corresponds to system claim 6.

Regarding claim 21, Ahmed teaches:
One or more non-transitory computer-readable media storing instructions that, when executed by a computing platform ([0131]-[0132]: “a computer-accessible medium configured to store program instructions”. See also [0127]: “Processors 1610 may be any suitable processors capable of executing instructions. For example, in various embodiments, processors 1610 may be general-purpose or embedded processors implementing any of a variety of instruction set architectures (ISAs)….”) comprising at least
([0126]-[0127]: “computer system 1600 includes one or more processors”), 
memory ([0128]: “memory”), and 
a communication interface ([0126]: describing that the “[c]omputer system 1600 further includes a network interface 1640 coupled to [an] I/O interface 1630”. Wherein the network interface comprises input/output interfaces that allow for communication with the computer system ([0129]-[0130]).), cause the computing platform to:
receive, via the communication interface, a first content stream associated with current conditions of a system ([0047]: “security threat detection and mitigation platform 310 may receive input data (e.g., sensor data from agents that is provided as streaming data, or other information) from any of a variety of sources”. Wherein input data can comprise network traffic data ([0038]) and/or also “various data streams or portions thereof, information about host machines, context metadata, and/or other types of system telemetry) may be fed to each of the inference engines in order to perform their respective classification operations…. [The] data [may also be] indicative of system behaviors or characteristics, such as data usable to determine that a machine, computing resource instance, droplet [e.g. a virtual machine], or network endpoint is hot (overloaded/ oversubscribed), is underutilized (lightly loaded or undersubscribed), or is failing (e.g., exhibits too many memory read errors or write errors)…. In response to detecting one of these characteristics, the platform may be configured to initiate a remediation workflow (e.g., one that takes action to prevent, mitigate, or correct a detected condition or event).” ([0039]).);
([0039]: describing the various types of content data streams that can be analyzed by the inference engine as part of the security threat detection and mitigation platforms, wherein such data stream can comprise “the memory utilization or CPU utilization for a particular droplet (overall) or for an individual instance”.), 
generate, based on the first content stream and a machine learning dataset, a likelihood of a system disruption ([0023]: describing that the “the security threat detection and mitigation platform may include a variety of data collection components, data analysis components (e.g., inference engines), and response components” for detecting, analyzing, and inferring security threats to the system based on received/collected data from a data stream ([0041]). Wherein the platform comprises machine learning techniques ([0029] and [0033]) and based on the received data content stream “(e.g., information about host machines, context metadata, or other types of system telemetry, examples of which are described herein), the security threat detection and mitigation platform … may apply machine learning techniques to classify a[n analysis of the received data content stream] as being malicious or “good” (e.g., “normal”, “benign”, or “acceptable”), and may classify malicious behavior as representing a specific type of security threat” ([0022]). The platform can infer/determine confidence levels regarding analysis of the data denoting a security threat/malicious behavior ([0044] and [0071]).);
generate, based on the likelihood of a system disruption and the machine learning dataset, a plurality of responses to mitigate an impact of the system disruption ([0045]: “the response layer of the security platforms described herein may support a variety of types of responses to detected (or suspected) security threats, some of which may be performed automatically in response to detection of particular types of security threats. For example, a response to one type of event may be to perform a simple atomic action (e.g. “notify customer”, or “shut down instance”), or it may include the initiation of a complex work flow that includes a series of actions.” Wherein the platform comprises machine learning techniques to help determine a malicious attack and generate a responsive action to mitigate harm to the system ([0092]-[0094]). The various types of potential responses based on a determined threat comprises: automatic responses ([0071]-[0072]), manual responses ([0073]-[0074]), or new responses ([0084]).), 
the plurality of responses including responses of a first category and a second category ([0071]: describing that the responses to a threat can comprise automatic or manual responses, wherein the responses comprises various remediation measures ([0045] and [0049]).);
….

While Ahmed teaches the limitations of claim 21, Ahmed does not explicitly teach: “prioritize the generated plurality of responses based on a category of each response of the plurality of responses; … a first priority response of the prioritized first plurality of responses; and …, automatically implement the first priority response of the prioritized plurality of responses to mitigate the impact of the system disruption” on lines 12-18. Hermanns discloses the claim limitations, teaching: 
“prioritize the generated plurality of responses based on a category of each response of the plurality of responses (Hermanns [0032]: describing that a message can comprise “threat mitigation information [which] may include one or more parameters that describe a device type, a traffic characteristic, a mitigation action, a priority, a severity, other information for mitigating threat 12, or any suitable combination of any of the preceding.” Wherein such traffic data characteristic (Hermanns [0032]), priority information (Hermanns [0033]), and severity information (Hermanns [0034]) can help determine a priority related to which mitigation action parameter (Hermanns [0035]) to implement in response to the attack.); 
… a first priority response of the prioritized first plurality of responses (see the previous Hermanns mapping above for the priority and mitigation action responses.); and …,
automatically implement the first priority response of the prioritized plurality of responses to mitigate the impact of the system disruption (Hermanns [0041]: describing that the operation center comprising a controller and a network device can analyze and detect a threat and generate a message with various priority and mitigation action data whereupon the “network device 40 may convert the mitigation action stored in the content of message 14 into device-specific operations using locally stored rules. Network device 40 may [automatically] perform the device-specific operations to mitigate threat 12” (Hermanns [0043]).)”. 
Thus, it would have been obvious to a Person Having Ordinary Skill in the Art (PHOSITA) before the effective filing date (EFD) to modify the system in Ahmed to include the prioritized response in Hermanns. Doing so would enable a mechanism for “[m]itigating threats in a network [that] includes receiving a message at a network device. The message includes device-independent parameters generated in response to a threat. The network device converts the parameters into one or more device-specific operations and then performs the operations to mitigate the threat.” (Hermanns Abstract).
While the cited references teach the limitations of claim 21, they do not explicitly teach: “determine that a predetermined time period has expired without implementation of …; … responsive to determining that the predetermined time period has expired” on lines 13-15. Lehr discloses the claim limitations, teaching: a “timing module may determine 816 whether a predetermined time period selected by the selection module 506 has elapsed. If the predetermined time period has elapsed, then the reassignment module 406 may assign a second priority level to the dummy request [rather than a first priority]….” (Lehr [0069]). See also Lehr [0045]: describing an “expiration module” that can give an “expiration identifier [that] may include a specified date and time for expiration”. Wherein the assignment to a second priority denotes lack of implementation of a first priority. See also [0040], [0044], [0054], and [0061]-[0063]. 
Thus, it would have been obvious to a Person Having Ordinary Skill in the Art (PHOSITA) before the effective filing date (EFD) to modify the system in the cited references to include the time considerations in Lehr. Doing so would enable “enqueue prioritization is provided with a plurality of modules configured to functionally execute the steps of holding one or more queued requests in a queue, sorting the queued requests according to a first priority identifier associated with each of the queued requests, and assigning a second priority identifier to a delayed request in response to a determination that the delayed request has resided in the queue for a predetermined length of time…” (Lehr Abstract) with a priority that can be assigned (Lehr [0044]).

Regarding claim 22, claim 22 is substantially similar to claim 2 and therefore is rejected on the same ground as claim 2. Claim 22 is a media claim that corresponds to system claim 2.

Regarding claim 23, claim 23 is substantially similar to claim 3 and therefore is rejected on the same ground as claim 3. Claim 23 is a media claim that corresponds to system claim 3.

Regarding claim 25, claim 25 is substantially similar to claim 5 and therefore is rejected on the same ground as claim 5. Claim 25 is a media claim that corresponds to system claim 5.

Regarding claim 26, claim 26 is substantially similar to claim 6 and therefore is rejected on the same ground as claim 6. Claim 26 is a media claim that corresponds to system claim 6.

Claims 4, 15, and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Ahmed et al. (U.S. Pat. App. Pre-Grant Pub. No. 2019/0297096, hereinafter Ahmed), Hermanns et al. (U.S. Pat. App. Pre-Grant Pub. No. 2013/0305362, hereinafter Hermanns), and Lehr et al. (U.S. Pat. App. Pre-Grant Pub. No. 2009/0222600, hereinafter Lehr) in view of U.S. Dept. of Homeland Security, “National Cyber Incident Response Plan” (hereinafter NCIRP).

Regarding claim 4, the rejection of claim 1 is incorporated. While the cited references teach the claim limitations, they do not explicitly teach: “wherein the first plurality of responses includes at least one of: increasing staffing at a location and ordering additional cash for one or more locations”. NCIRP discloses the claim limitations, teaching: 
“wherein the first plurality of responses includes at least one of: 
increasing staffing at a location (NCIRP Section 5.2: “Necessary response resources should be readily available and should be based on each organization’s cyber response plans as informed by the NCIRP. This includes notifying and activating cyber response organizations, plans, and personnel and requesting assistance when needed…. In addition, staff may need to be deployed for physical patching and/or repair.” 
Thus, it would have been obvious to a Person Having Ordinary Skill in the Art (PHOSITA) before the effective filing date (EFD) to modify the system in the cited references to include the deployment of additional personnel in NCIRP. Doing so would enable organizations to “[m]aintain incident response plans [by adopting] policies, plans, procedures and agreements [that] should allow each organization to perform essential tasks during a cyber incident….” (NCIRP pg. 27). Wherein strategies comprise: “[i]dentify, assess, and manage risks to mission-critical infrastructure and critical infrastructure generally” (NCIRP pg. 27). This includes ensuring “facilities, systems, supplies, and personnel are prepared for and ready to respond in an incident [by … identifying] critical assets, systems, networks, and functions and manage risk to these systems.” (NCIRP pg. 27).
That is, the purpose of developing such a response plan is “to establish the strategic framework for organizational roles, responsibilities, and actions to prepare for, respond to, and begin to coordinate recovery from a cyber incident. It ties various policies and doctrine together into a single tailored, strategic, cyber-specific plan designed to assist with operational execution, planning, and preparedness activities and to guide short-term recovery efforts.” (NCIRP pg. 1).) and 
ordering additional cash for one or more locations. 

Regarding claim 15, claim 15 is substantially similar to claim 4 and therefore is rejected on the same ground as claim 4. Claim 15 is a method claim that corresponds to system claim 4.

Regarding claim 24, claim 24 is substantially similar to claim 4 and therefore is rejected on the same ground as claim 4. Claim 24 is a media claim that corresponds to system claim 4.

Claims 7, 8, 18, 19, 27, and 28 are rejected under 35 U.S.C. 103 as being unpatentable over Ahmed et al. (U.S. Pat. App. Pre-Grant Pub. No. 2019/0297096, hereinafter Ahmed), Hermanns et al. (U.S. Pat. App. Pre-Grant Pub. No. 2013/0305362, hereinafter Hermanns), and Lehr et al. (U.S. Pat. App. Pre-Grant Pub. No. 2009/0222600, hereinafter Lehr) in view of Findlay et al. (U.S. Pat. App. Pre-Grant Pub. No. 2017/0346846, hereinafter Findlay). 

Regarding claim 7, the rejection of claim 6 is incorporated. While the cited references teach the claim limitations, they do not explicitly teach: “further including instructions that, when executed, cause the system disruption detection computing platform to: receive a third content stream associated with current external conditions of the entity, and wherein generating the likelihood of the system disruption is further based on the third content stream.” Findlay discloses the claim limitations, teaching:
“further including instructions that, when executed, cause the system disruption detection computing platform to (Findlay [0092]: describing a reduced and complex instruction set that can be used to perform the threat assessment and analysis. The assessment and analysis being performed by “Threat Information Gathering and Incident Reporting (TIGIR) system” comprising a “Threat Risk Assessment and Analysis (TRAA) component… [which] uses a unique algorithm that considers industry ratings on threat types, threat impacts, degree of harm, macro- and micro-level asset and sector costs, as well as the incidence and prevalence of particular threats in a sector. The resulting analysis is specific to the client while providing metrics on sector impacts and costs.” (Findlay [0129]).): 
receive a third content stream associated with current external conditions of the entity (Findlay [0231]-[0235]: “The TRRD [threat reporting and response database] utilizes the data framework from the TRAA and accesses data from client input data and data from industry and academic databases; this data is normalized to ensure compatibility and relevancy to the database classes and algorithm elements and then made available for various report types and live alerts.
As depicted in FIG. 3C the TRRD provides: Automatic and manual reporting on breaches; Live reporting and alerts on all threats relevant to the client's platform, sector, assets and target vulnerabilities; Direct external feeds of active and/or reported threats from various sources….” Wherein the TRRD and TRAA comprise “the two functional components of TIGIR systems” (Findlay [0103]-[0105].), and 
wherein generating the likelihood of the system disruption is further based on the third content stream (Findlay [0237]: “Continuous updating [of the TIGIR system] from external data sources (industry and academic) and client-subscriber data[.] Collection and analysis of data from safeguards to monitor and measure effectiveness.”).”
Thus, it would have been obvious to a Person Having Ordinary Skill in the Art (PHOSITA) before the effective filing date (EFD) to modify the system in the cited references to include the external content in Findlay. Doing so would enable a security management system, i.e. “the TIGIR system represent[ing] a threat-risk and reporting software system … [to p]rovide a higher level of cyber security on IT infrastructure, networks, systems and devices with through comprehensive, cyber-appropriate threat/risk assessment and in depth analysis; and [p]rovide compounded intelligence and real-time reporting of sector and platform-specific cyber threats to enhance client communication and collaboration allowing for immediate responses to new threats.
TIGIR systems may support compatibility with industry standards, methodologies, policies and processes and can be accessed by web-interfaced or enterprise systems.” (Findlay [0098] and [0100]-[0101]). 

Regarding claim 8, the rejection of claim 1 is incorporated. While the cited references teach the claim limitations, they do not explicitly teach: “wherein the first content stream, second content stream, and third content stream are received in real-time”. Findlay discloses the claim limitations, teaching: that the TIGIR system with “real-time reporting of sector and platform-specific security intelligence” (Findlay [0250] and [0266]) can analyze a first, second, and third data set (Findlay [0261]). Wherein the TIGIR system comprises the TRAA (Findlay [0129]) and TRRD (Findlay [0230]) for real-time data collection and analysis.  
Thus, it would have been obvious to a Person Having Ordinary Skill in the Art (PHOSITA) before the effective filing date (EFD) to modify the system in the cited references to include the real-time analysis in Findlay. A motivation to combine the cited references with Findlay was previously given.

Regarding claim 18, claim 18 is substantially similar to claim 7 and therefore is rejected on the same ground as claim 7. Claim 18 is a method claim that corresponds to system claim 7.

Regarding claim 19, claim 19 is substantially similar to claim 8 and therefore is rejected on the same ground as claim 8. Claim 19 is a method claim that corresponds to system claim 8.

Regarding claim 27, claim 27 is substantially similar to claim 7 and therefore is rejected on the same ground as claim 7. Claim 27 is a media claim that corresponds to system claim 7.

Regarding claim 28, claim 28 is substantially similar to claim 8 and therefore is rejected on the same ground as claim 8. Claim 28 is a media claim that corresponds to system claim 8.

Claims 9, 20, and 29 are rejected under 35 U.S.C. 103 as being unpatentable over Ahmed et al. (U.S. Pat. App. Pre-Grant Pub. No. 2019/0297096, hereinafter Ahmed), Hermanns et al. (U.S. Pat. App. Pre-Grant Pub. No. 2013/0305362, hereinafter Hermanns), and Lehr et al. (U.S. Pat. App. Pre-Grant Pub. No. 2009/0222600, hereinafter Lehr) in view of Datta Ray et al. (U.S. Pat. App. Pre-Grant Pub. No. 2014/0380488, hereinafter Datta Ray). 

Regarding claim 9, the rejection of claim 1 is incorporated. While the cited references teach the claim limitations, they do not explicitly teach: “wherein the machine learning dataset includes historical data associated with a plurality of system disruptions including internal conditions associated with the plurality of system disruptions and external conditions associated with the plurality of system disruptions”. Datta Ray discloses the claim limitations, teaching: that the “monitored and controlled element (MCE) in a particular security cycle” of an enterprise security management system “also accesses (1705) repositories within the enterprise to obtain relevant historical and real-time data” (Datta Ray [0187]). Wherein “[f]or each monitored element, in each execution cycle, the risk inference engine (614) infers, calculates, and adjusts the control postures (617) for the relevant MCE and sends the information to other subscribing MCEs.
In its inference analyses and calculations, the control inference engine (614) uses prioritized risks (613) coming from the security and business risk analysis engine along with security and business risk administration knowledge (615, 616) and the current low level control implementation (619) as inputs. To minimize computational effort, the control inference engine (614) compares the current security risks (613) to the previous [i.e. historical] security risks and skips further inference effort for the relevant MCE in the relevant execution cycle if there is no significant change.” (Datta Ray [0155]-[0156]). 
Table 1 shows an example scenario involving historical network condition data for comparison with current network condition data to determine if there is a malicious attack.   
The data conditions can also comprise external conditions (Datta Ray [0110]-[0112]), i.e. “situational awareness”, of the system in real-time and at various time scales (Datta Ray [0118]), which can comprise historical data points. 
Thus, it would have been obvious to a Person Having Ordinary Skill in the Art (PHOSITA) before the effective filing date (EFD) to modify the system in the cited references to include the historical data in Datta Ray. Doing so would enable at “each execution cycle, [a] real-time state of the situational awareness (602) relevant to each relevant MCE is analyzed (606) by the security and business risk analysis engine (SBRAE) (607) together with the domain knowledge (608, 609). Domain knowledge (609) can be encoded as data concerning the operational system (610), including all business domains of the enterprise, information system (611) and security system (612).” (Datta Ray [0118]). Whereupon “[t]he cluster SBRAE sends security control posture information [i.e. responsive actions] for all subscribing MCEs” (Datta Ray [0098]) upon a determination that the system is being attacked. 

Regarding claim 20, claim 20 is substantially similar to claim 9 and therefore is rejected on the same ground as claim 9. Claim 20 is a method claim that corresponds to system claim 9.

Regarding claim 29, claim 29 is substantially similar to claim 9 and therefore is rejected on the same ground as claim 9. Claim 29 is a media claim that corresponds to system claim 9.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SELENE A HAEDI whose telephone number is (571)270-5762.  The examiner can normally be reached on M-F 11 AM - 7 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Li B Zhen can be reached on (571)272-3768.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/S.H./Examiner, Art Unit 2121




/Li B. Zhen/Supervisory Patent Examiner, Art Unit 2121