Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This action is in response to the claims filed on 6/11/2019.  Claims 27-46 are pending.  Claims 27 (a method), 34 (a machine), and 41 (a non-transitory CRM) are independent.

Response to Arguments
Applicant’s arguments, see the arguments filed 1/07/2021 with respect to the preliminary amendment filed on 6/11/2019, have been fully considered and are persuasive.  See the rejection below addressing the preliminary amendment.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 27-46 are rejected under 35 U.S.C. 103 as being unpatentable over Halperin, US 2004/0111632 (filed 2003-05), in view of Muddu et al., US 2017/0063905 (filed 2015-10).


(regarding the memory, processor, and computer readable medium of claims 34 and 41, Halperin ¶ 92 discloses: “methods and apparatus described herein may be readily implemented in hardware or software using conventional techniques.”  A software implementation inherently comprises memory/CPU to execute the software instructions; for example, in the server (108) of Halperin)
generating, by a device, a behavior profile for another device; (“one or more target behavior profiles are defined for computers 500. Each target behavior profile describes behavior that should be the subject of correlation analysis as described in greater detail hereinbelow.” Halperin ¶ 38)
detecting, by the device, one or more real-time (“if the time slot is 5 minutes, it gets all the events that took place in the past 5 minutes.” Halperin ¶ 90. A description of real-time observations. See also Halperin ¶ 59) observations; (“After collecting information regarding target behavior detected at two or more of computers 500,” Halperin ¶ 47)
comparing, by the device, the one or more real-time observations and the behavior profile; (“After collecting information regarding target behavior detected at two or more of computers 500, server 502 may then correlate the presence of target behavior detected at two or more of computers 500 in order to determine whether the correlated target behavior corresponds to a predefined suspicious behavior pattern” Halperin ¶ 47)

…
generating, by the device …, an incident alert; and (“should the server receive an invalid decoy message, or should suspicious behavior be detected for multiple computers, the buffer delay period may be increased by a predetermined amount of time, and users may be notified.” Halperin ¶ 59)
quarantining (“virus containment actions such as, but not limited to: Suspending any or all messages sent by computer 100” Halperin ¶¶ 23-24), by the device and based on the incident alert, data associated with the other device. (“During the increased delay period, should additional suspicious messages be received, or should other suspicious behavior be detected, if the user and/or system administrator who is authorized to do so has not indicated that the activity is not virus related, only then does the server perform one or more virus containment actions.” Halperin ¶ 59.  See Halperin ¶ 24, suspending all messages from a computer.)

Halperin does not disclose: 
determining, by the device, whether the one or more anomalies is associated with a particular address; 
and based on the one or more anomalies being associated with the particular address 

Muddu discloses:
determining, by the device, whether the one or more anomalies is associated with a particular address; (“FIG. 33 illustrates a use case for identifying threat indicators by enriching the anomaly data using data from external sources. A detected anomaly may provide more insight if combined with other data that indicates a malicious nature. For example, consider the detection of an anomalous connection to particular domain xyz.com” Muddu ¶ 397. “FIG. 33 involves a process that begins with identifying a particular entity associated with the anomaly data. This identification may be based on the underlying event data used to generate the anomaly. As in the last example, an anomaly may be associated with a domain xyz.com. The process continues with comparing the particular entity against data stored in an database of known security risks.” Muddu ¶ 399)
and based on the one or more anomalies being associated with the particular address (“The enriched event data from the ETL block 204 is then provided to a real-time analyzer 210 over a real-time processing path 212 for detecting anomalies, threat indicators and threats.” Muddu ¶ 160)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Halperin with Muddu by enriching the anomalies of Halperin as described in Muddu.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to enrich the anomalies of Halperin as done in Muddu in order to allow more effective use or 
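As an added illustration (not code from the application, Halperin, or Muddu), the following Python sketch walks through the claimed sequence as mapped above: a per-device behavior profile, a 5-minute real-time observation window, comparison against the profile, enrichment of an anomaly by checking its address against a known-risk list, and then an incident alert with quarantine of the device's outbound data. The addresses, event timestamps and the known-risk list are constructed sample values.

```python
from dataclasses import dataclass, field

WINDOW_SECONDS = 300  # 5-minute time slot, as in the Halperin passage

@dataclass
class BehaviorProfile:
    """Baseline for one monitored device: the addresses it normally
    contacts and its usual number of outbound messages per window."""
    known_addresses: set
    typical_rate: float

@dataclass
class Verdict:
    anomalies: list = field(default_factory=list)
    alert: bool = False
    quarantined: bool = False

# Constructed stand-in for Muddu's external database of known security risks.
KNOWN_RISK_ADDRESSES = {"203.0.113.9"}

# Constructed history for one device: (timestamp, destination address).
SAMPLE_HISTORY = [(i * 60, "10.0.0.5" if i % 2 else "10.0.0.7") for i in range(10)]

def build_profile(history):
    """Generate the behavior profile from past windows of events."""
    addresses = {addr for _, addr in history}
    windows = {ts // WINDOW_SECONDS for ts, _ in history}
    return BehaviorProfile(addresses, len(history) / max(len(windows), 1))

def analyze_window(profile, events, now):
    """Compare the last window of real-time observations against the
    profile, enrich any anomaly with the known-risk list, and decide
    whether to raise an incident alert and quarantine the device."""
    recent = [(ts, a) for ts, a in events if now - WINDOW_SECONDS < ts <= now]
    verdict = Verdict()
    # Network anomaly: contacting a previously unknown address.
    seen = set()
    for _, addr in recent:
        if addr not in profile.known_addresses and addr not in seen:
            seen.add(addr)
            verdict.anomalies.append(("unknown_address", addr))
    # Device anomaly: message burst well above the baseline rate.
    if len(recent) > 3 * max(profile.typical_rate, 1):
        verdict.anomalies.append(("burst", len(recent)))
    # Enrichment: only an anomaly tied to a known-risk address escalates.
    risky = [a for kind, a in verdict.anomalies
             if kind == "unknown_address" and a in KNOWN_RISK_ADDRESSES]
    if risky:
        verdict.alert = True        # incident alert
        verdict.quarantined = True  # suspend the device's outbound data
    return verdict
```

An unknown address that is not on the risk list still records an anomaly but, as in the claim language, does not by itself trigger the alert or quarantine.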

As to claims 28, 35, and 42, Halperin in view of Muddu discloses the method/machine/CRM of claims 27, 34, and 41, but does not disclose:
wherein the behavior profile includes information regarding at least one of: 
a role of a particular user in a network, authorization to use the other device on the network, one or more activities the particular user performs on the other device, one or more addresses that have been connected to the other device, time durations of connections to the other device, a quantity of data transferred to the other device, a quantity of data transferred from the other device, or a total quantity of data transferred.

Muddu further discloses: 
wherein the behavior profile includes information regarding at least one of: (“FIG. 6 shows an example representation of a process of building behavior baselines to support the detection of anomalies.” Muddu ¶ 183)
a role of a particular user in a network, 
authorization to use the other device on the network, 
one or more activities the particular user performs on the other device, (“the security platform 300 can generate a baseline profile 612 for access activities of user 602, based on event data indicative of network activities of user 602. Likewise, a human administrative user 604 other than user 602 may employ the server 606 to access the data stored in the servers 608. A baseline profile 614 specific for access 
one or more addresses that have been connected to the other device, (“illustrates raw event data 900 received by the data intake and preparation stage…. uses the IP address “10.33.240.240” to communicate with an external IP address “74.125.239.107”” Muddu ¶ 217)
time durations of connections to the other device, 
a quantity of data transferred to the other device, 
a quantity of data transferred from the other device, or 
a total quantity of data transferred.

A person of ordinary skill in the art before the effective filing date of the claimed invention would have further modified Halperin in view of Muddu with Muddu by incorporating the profile data used in Muddu.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to further modify Halperin in view of Muddu with Muddu in order to adaptively vary behavior profiles based on individual users and devices, thereby detecting individualized deviations from the historic baseline (Muddu ¶¶ 182 and 185).

As to claims 29, 36, and 43, Halperin in view of Muddu discloses the method/machine/CRM of claims 27, 34, and 41, but does not disclose:
wherein generating the behavior profile comprises: 
generating the behavior profile based on one or more of: 

behavior patterns of the other device. 

Muddu further discloses:
wherein generating the behavior profile comprises: 
generating the behavior profile based on one or more of: 
network traffic patterns, or (“illustrates raw event data 900 received by the data intake and preparation stage…. uses the IP address “10.33.240.240” to communicate with an external IP address “74.125.239.107”” Muddu ¶ 217)
behavior patterns of the other device. (“the security platform 300 can generate a baseline profile 612 for access activities of user 602, based on event data indicative of network activities of user 602. Likewise, a human administrative user 604 other than user 602 may employ the server 606 to access the data stored in the servers 608. A baseline profile 614 specific for access activities of user 604 can also be generated over time by the security platform 300, based on event data indicative of network activities of user 604.” Muddu ¶ 183)


A person of ordinary skill in the art before the effective filing date of the claimed invention would have further modified Halperin in view of Muddu with Muddu by incorporating the profile data used in Muddu.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to further modify Halperin in view of Muddu with Muddu in order to adaptively vary behavior 


As to claims 30, 37, and 44, Halperin in view of Muddu discloses the method/machine/CRM of claims 27, 34, and 41, and further discloses: 
analyzing network traffic patterns; and (“Some examples of target behavior profiles include:…. Sending a file attached to a message several times from the same user;…. Attempting to contact previously unused or unknown IP addresses or IP Sockets.” Halperin ¶¶ 38-46)
wherein detecting the one or more real-time observations comprises: 
detecting the one or more real-time observations based on analyzing the network traffic patterns. (“Some examples of target behavior profiles include:…. Sending a file attached to a message several times from the same user;…. Attempting to contact previously unused or unknown IP addresses or IP Sockets.” Halperin ¶¶ 38-46)

As to claims 31 and 38, Halperin in view of Muddu discloses the method/machine/CRM of claims 27, 34, and 41, and further discloses: 
wherein the one or more anomalies include one or more of: a network anomaly (“Attempting to contact previously unused or unknown IP addresses or IP Sockets.” Halperin ¶ 46), a device anomaly (Halperin ¶¶ 40-43), or a user anomaly. (“Sending messages not as a result of a direct user interaction with the Graphic User Interface (GUI) of the message software” Halperin ¶ 40)

As to claims 32, 39, and 45, Halperin in view of Muddu discloses the method/machine/CRM of claims 27, 34, and 41, and further discloses: 
wherein the particular address is associated with at least one of: a detected malware infection (“In order to “bait” computer viruses that selectively choose for propagation addresses from address book 102 and folders 104 based on usage, such as by selecting addresses to which computer 100 most recently sent message or to which computer 100 most frequently sends messages, computer 100 preferably sends decoy messages to different decoy addresses at various frequencies in order not to distinguish the pattern of decoy messages from computer 100's normal message-sending patterns.” Halperin ¶ 33), a control-and-command activity, or a security policy (Halperin ¶ 33) (sending a message to the decoy address triggers the security assessment. It is also a security policy).

As to claims 33, 40, and 46, Halperin in view of Muddu discloses the method/machine/CRM of claims 27, 34, and 41, and further discloses: 
wherein the other device is a first other device; 
wherein the data associated with the other device is first data; and (“Forwarding messages that are addressed to a decoy address to a third party for analysis, such as a company or other body that produces anti-virus software.” Halperin ¶ 25. The second data also being the message.)
wherein the method further comprises at least one of: 

adding, based on the incident alert, a security protocol to access the first data.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly:
Bingham et al., US 20150215334, discloses generating a reputation profile based on entity behavior.
Zhao, US 20100257580, discloses behavior traffic profiling based on access control information.
Spalink et al., US 7996912, discloses generating anonymized behavior profiles based on user actions.
Lin, US 20100121916, discloses automatically building and adjusting user behavior profiles for anomalous activity detection.  
Albornoz, US 20050086500, discloses building application behavior profiles for anomalous behavior detection.


Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL W CHAO/Examiner, Art Unit 2492