Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments and Amendments
	The rejection of claims 7 and 8 under 35 USC § 112 is withdrawn as moot; however, the removal of claim 8 leaves the “rationales” of claim 9 as a disconnected concept in the claim.

	Regarding claim 1: Applicant argued in substance that:
	While Martin et al. disclose using past data to build a machine learning model for prediction, this is different than what is recited in claim 1. The difference is what data is used and what is predicted. Claim 1 recites using past remediation decisions for vulnerabilities and predicts future remediation actions. This is found in the following limitation:
	said software adapted to learn past remediation decisions for past vulnerabilities to create a learned model; and
said learned model is used to predict future remediation actions.
Martin, on the other hand, teaches using other data to predict a dynamic risk threshold. This is shown in the Office Action by citing [0046] of the reference as cited in the Office Action. Thus, Martin does not anticipate claim 1.
	Examiner respectfully disagrees with Applicant’s assessment. Firstly, the claims are read in light of the specification; however, the specification is not read into the claims. Secondly, even if the specification were read into the claims, either interpretation would be supported by Applicant’s specification as presently claimed.
	Based on how claim 1 is argued and the Present Application’s specification, Applicant appears to be trying to read claim 1 as stating “said learned model is used to predict future remediation actions based on the properties of the vulnerability and the properties of the asset that has the vulnerability.”

	Regarding Claim 3 Applicant argued in substance:


	A special definition for “vulnerability” was not found in Applicant’s Specification, and paragraph [0005] of the Present Application’s Specification is viewed as holding to a similar scope; the distinction between vulnerabilities and security threats is seen as only a lexicographic distinction, not a functional difference.

	Regarding Claim 4 Applicant argued in substance:
	Claim 4 requires that the vulnerability feature includes one or more of the following: CVSS score, where the attack is from, attack complexity, privileges required, user interaction, confidentiality metric, integrity metric, availability metric, exploitability, remediation level, and report confidence. None of these are disclosed in Martin. This makes Claim 4 patentable.

	Examiner respectfully disagrees:
	Martin et al., Paragraph [0009], shows consideration of where the attack is from: “possible security threat and containing an asset identification tag identifying a computer at which the possible security threat originated”.
	Martin et al., Paragraph [0024], shows consideration of privilege level and user interaction: “anomalies in privileged user account activity”.
	Martin et al., Paragraphs [0030]-[0031], use of a risk level score demonstrates consideration of exploitability and confidence level.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 9-11 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention.
	Claim 9 introduces “rationales” in a manner disconnected from the rest of the claims.
	Claims 10-11 depend on, and inherit the indefiniteness issues of, claim 8 based on their dependency.
	With these elements being introduced without clarity on how they are attached to and function in the invention, the scope of the claims cannot be properly determined.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-6 and 9 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by United States Patent Application Publication No.: US 2018/0004948 A1 (Martin et al.).

As Per Claim 1: Martin et al. teaches: A system for implementing a machine learning-based software for electric utilities that can automatically recommend a remediation action for a security vulnerability, the system comprising:
- a processor programmed to implement said machine learning-based software,
- said software adapted to learn past remediation decisions for past vulnerabilities to create a learned model; and
- said learned model is used to predict future remediation actions.
	(Martin et al., Paragraph [0046], “The system can implement a static risk threshold (e.g., "75/10"), such as a static risk threshold set manually by human security personnel through a security portal, to trigger an action in Block S140. Alternatively, the system can implement a dynamic risk threshold to execute an action in Block S140. For example, the system can implement machine learning techniques to derive a risk threshold from past composite alerts and their corresponding composite risks, human-initiated investigations in response to past composite alerts and corresponding composite risk scores, 

As Per Claim 2: The rejection of claim 1 is incorporated and further Martin et al. teaches: 
- the input to said model is a vector consisting of two parts. 
	(Martin et al., Paragraph [0009], “As shown in FIGS. 1 and 2, a first method S100 for predicting and characterizing cyber attacks includes: accessing a set of signals generated over a period of time in Block S110, each signal in the set of signals representing a possible security threat and containing an asset identification tag identifying a computer at which the possible security threat originated; assigning a risk score to each signal in the set of signals in Block S120; relating a subset of signals in the set of signals based on like asset identification tags in Block S130; compiling the subset of signals into a composite alert in Block S132; aggregating risk scores for signals in the subset of signals into a composite risk score in Block S134; in response to the risk score exceeding a threshold risk score, serving the composite alert to human security personnel in Block S140. The first method S100 can further include, in response to the risk score exceeding the threshold risk score, automatically responding to the composite risk to eliminate the security threat in Block S142.”).
	(Martin et al., Paragraph [0052], “Another variation of the second method S200 includes: receiving a first signal from a sensor implementing deep packet inspection to detect anomalous behaviors 
	The two parts consist of asset/attribute and risk scores.

As Per Claim 3: The rejection of claim 2 is incorporated and further Martin et al. teaches: 
- said first part of said vector is a feature of a vulnerability. 
	(Martin et al., Paragraph [0020], “The system thus collects a multitude of signals over time in Block S100 and then assigns a risk score to each signal in Block S120, such as by writing a preset risk score for a particular signal type to a signal of the same type or by implementing a risk algorithm to calculate a risk score for a signal based on various attributes of the signal. The system then relates a subset of all collected signals based on the attributes contained in these signals. In this example application, the system: relates the first signal, second signal, and third signal based on a common IP address of the originating computer (i.e., the first computer) in Block S130; creates a composite alert from the related first, second, and third 

As Per Claim 4: The rejection of claim 3 is incorporated and further Martin et al. teaches: 
- said vulnerability feature includes one or more of the following: CVSS score, where the attack is from, attack complexity, privileges required, user interaction, confidentiality metric, integrity metric, availability metric, exploitability, remediation level, and report confidence. 
	(Martin et al., Paragraph [0009], “As shown in FIGS. 1 and 2, a first method S100 for predicting and characterizing cyber attacks includes: accessing a set of signals generated over a period of time in Block S110, each signal in the set of signals representing a possible security threat and containing an asset identification tag identifying a computer at which the possible security threat originated; assigning a risk score to each signal in the set of signals in Block S120; relating a subset of signals in the set of signals based on like asset identification tags in Block S130; compiling the subset of signals into a composite alert in Block S132; aggregating risk scores for signals in the subset of signals into a composite risk score in Block S134; in response to the risk score exceeding a threshold risk score, serving the composite alert to human security personnel in Block S140. The first method S100 can further include, in response to the risk score exceeding the threshold risk score, automatically responding to the composite risk to eliminate the security threat in Block S142.”).
	(Martin et al., Paragraph [0024], “In this implementation, a security device or security system connected to the network can automatically record an attempted exploitation of a vulnerability within the network in one stage of an attack as a signal, such as: presence of malware and malicious code; instances of tunneling; presence of a virus or worm; repeated unsuccessful login attempts; presence of keylogger or other spyware; and/or malicious rootkits; etc. The security device or security system can 
	(Martin et al., Paragraph [0030], “In one implementation, the system accesses a lookup table or other risk database containing preset risk scores for various signal types; as a new signal is received at an external signal feed or generated internally, the system retrieves a risk score--corresponding to a type of the new signal--from the risk database and stores this risk score with the new signal, such as in the new signal's metadata. The system can thus contain or access a risk database including a single present risk score per signal type that may be output by another detection mechanism on the network or generated internally by the system. Alternatively, for a particular signal type, the risk database can store multiple preset risk scores, wherein each preset risk score corresponds to one of various possible attribute values of a signal of the particular signal type; the system can thus select a particular risk score--from multiple preset risk scores for a given signal type--for a new signal based on one or more attributes stored in the new signal's metadata. For example, the risk database can store a high risk score (e.g., "61/100") for a particular signal type (e.g., a signal type relating to spear phishing attacks) originating at a computer assigned to an employee with a corporate title (e.g., CEO, CTO); the risk database can store a low risk 
	(Martin et al., Paragraph [0031], “Yet alternatively, the system can calculate a risk score for a new signal based on various attributes of the new signal before storing this calculated risk score with the new signal. In this implementation, the system can implement a common risk algorithm or various risk algorithms unique to each signal type output by the other detection mechanisms on the network and/or internally by the system. For example, the system can retrieve a risk algorithm specific to a type of a new signal from a risk database and then pass a total number of like actions (e.g., failed password attempts by one computer, port 3389 scan events by one computer) and/or a like action frequency (e.g., a number of failed password attempts within a five-minute interval) defined within the new signal into the selected algorithm to calculate a risk score for the new signal; the system can output a risk score that is proportional to a number or frequency of like events represented by a signal. In another example, the system can select a risk algorithm defining a correlation between the value or visibility of an employee assigned a particular computer and the risk score for a corresponding signal type originating at the particular computer; in this example, the system can calculate greater risk scores for signals originating from computers assigned to employees with corporate titles, to employees with remote desktop or remote server access (e.g., IT technicians), and to employees with access to private employee information (e.g., human resources representatives) tha signals originating from computers assigned to legal assistants, engineers, or sales people. 
In yet another example, the system can calculate or augment a risk score for a new signal based on an employee security threat history, such as by increasing a preset risk score--selected as described above--for a new signal if the new signal originated at a computer assigned to an employee who was the source of initial infiltration in a previous cyber attack on the network. 

As Per Claim 5: The rejection of claim 4 is incorporated and further Martin et al. teaches: 
- said second part of said vector is a feature of an asset. 
	(Martin et al., Paragraph [0015], “Hereinafter, an "attribute" refers to a value descriptive of a signal, such as values contained in signal metadata. For example, an external detection mechanism or the system can store: a signal type, vulnerability type, or attempted exploitation mechanism; a timestamp corresponding to generation of a signal; an asset identification tag (e.g., IP address and user ID, host name, MAC address) corresponding to an asset at which the behavior that triggered the signal originated; a department or group within the network to which the asset belongs; success of a behavior represented in the signal to exploit a vulnerability within the network; etc. in signal metadata. Each signal can thus include metadata defining various parameters of one aspect or "stage" of a possible cyber attack on the network, and the system can compare signal metadata across multiple signals to relate these signals in Block S130.”).

As Per Claim 6: The rejection of claim 5 is incorporated and further Martin et al. teaches: 
- said asset feature includes one or more of the following: asset name, asset group name, workstation user login, external accessibility, confidentiality impact, integrity impact, and availability impact. 
	(Martin et al., Paragraph [0014], “Hereinafter, an "signal" refers to an output of a detection mechanism--such as an external intrusion detection system (IDS) or an intrusion prevention systems (IPS) arranged within the network--in response to detection of an event, action, or behavior by an asset (e.g., 
	(Martin et al., Paragraph [0015], “Hereinafter, an "attribute" refers to a value descriptive of a signal, such as values contained in signal metadata. For example, an external detection mechanism or the system can store: a signal type, vulnerability type, or attempted exploitation mechanism; a timestamp corresponding to generation of a signal; an asset identification tag (e.g., IP address and user ID, host name, MAC address) corresponding to an asset at which the behavior that triggered the signal originated; a department or group within the network to which the asset belongs; success of a behavior represented in the signal to exploit a vulnerability within the network; etc. in signal metadata. Each signal can thus include metadata defining various parameters of one aspect or "stage" of a possible cyber attack on the network, and the system can compare signal metadata across multiple signals to relate these signals in Block S130.”).

As Per Claim 9: The rejection of claim 6 is incorporated and further Martin et al. teaches: 
- rationales are organized into one or more reason codes. 
	(Martin et al., Paragraph [0010], “Generally, the first method S100 can be executed in conjunction with a computer network, such as an internal network within a company, corporation, agency, administration, or other organization, to predict and classify cyber attacks based on disparate events 
	(Martin et al., Paragraph [0011], “A system can therefore execute Blocks of the first method S100 in conjunction with a computer network to relate multiple disparate signals via one or more attributes, to associate each signal with a risk, and to condense related signals into a single composite alert and composite risk score representing real risk of a security threat with greater precision than any single signal. Rather than serving all signals to human security personnel who may otherwise become overwhelmed (or "paralyzed") by an influx of disparate and seemingly-unrelated signals corresponding to various actions (or events, "behaviors," "microbehaviors") of assets throughout a network over time, the system can push only a limited number of composite alerts corresponding to sufficiently-high risk security threats--identified by linking multiple disparate signals and risk scores--to human security personnel in order to increase a rate of threat detection within the network while reducing a burden on such human security 
	The identified “risk” in Martin et al. is the reason.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 10 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over United States Patent Application Publication No.: US 2018/0004948 A1 (Martin et al.) in view of United States Patent Application Publication No.: US 2018/0219914 A1 (Reith et al.).

As Per Claim 10: The rejection of claim 9 is incorporated. Martin et al. does not explicitly teach the following limitation; however, Reith et al., in analogous art, does teach the following limitation:
- a decision tree is used as the learning model and said one or more reason codes are derived from tree paths.

	It would have been obvious to one of ordinary skill before the effective filing date of the claimed invention to incorporate the teachings of Reith et al. into the method of Martin et al., as the use of decision trees is an interchangeable variation of machine learning, the use of which Martin et al. has already noted.
	(Martin et al., Paragraph [0034], “The system can additionally or alternatively dynamically adjust a risk score or a risk algorithm for a particular signal type. For example, the system can implement machine learning techniques to increase or decrease the risk score for a particular signal type based on security threat investigation data, security breach data, and feedback received from human security personnel, such as in the form of event or signal labels, over time. For example, if signals of a particular type generated at the network over time remain unlinked to confirmed cyber attacks on the network, the system can implement machine learning techniques to reduce a preset risk score or to modify a risk algorithm for the risk type accordingly. The system can therefore implement a custom set of correlation rules, custom correlation rules, custom risk values, and/or custom risk algorithms specific to each network that is monitored by the system.”).

As Per Claim 11: The rejection of claim 10 is incorporated and further Martin et al. teaches: 
- said asset features are assigned based on asset groups.
	(Martin et al., Paragraph [0014], “Hereinafter, an "signal" refers to an output of a detection mechanism--such as an external intrusion detection system (IDS) or an intrusion prevention systems (IPS) 
	(Martin et al., Paragraph [0015], “Hereinafter, an "attribute" refers to a value descriptive of a signal, such as values contained in signal metadata. For example, an external detection mechanism or the system can store: a signal type, vulnerability type, or attempted exploitation mechanism; a timestamp corresponding to generation of a signal; an asset identification tag (e.g., IP address and user ID, host name, MAC address) corresponding to an asset at which the behavior that triggered the signal originated; a department or group within the network to which the asset belongs; success of a behavior represented in the signal to exploit a vulnerability within the network; etc. in signal metadata. Each signal can thus include metadata defining various parameters of one aspect or "stage" of a possible cyber attack on the network, and the system can compare signal metadata across multiple signals to relate these signals in Block S130.”).
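As an added illustration, not code from the Applicant, the Examiner, or the Martin et al. or Reith et al. references, the following Python sketch shows the arrangement recited in claims 2-6, 10 and 11 as restated in this Office action: a two-part input vector (vulnerability features first, then asset features assigned per asset group), a decision tree learned from past remediation decisions, and reason codes read off the tree path taken for each prediction. The feature names, the asset-group table, the decision history and the remediation action labels are all constructed assumptions for the example.

```python
"""Added illustration (not the Applicant's or Martin et al.'s code) of a two-part
feature vector, a decision tree learned from past remediation decisions, and reason
codes derived from the tree path. All data below is constructed."""
import math
from collections import Counter

# Asset features assigned per asset group (constructed table; claim 11 arrangement).
ASSET_GROUPS = {
    "dmz_web":    {"external_accessibility": "yes", "confidentiality_impact": "high"},
    "ot_control": {"external_accessibility": "no",  "confidentiality_impact": "high"},
    "lab":        {"external_accessibility": "no",  "confidentiality_impact": "low"},
}

VULN_FEATURES = ("cvss_band", "exploitability")                      # first part of the vector
ASSET_FEATURES = ("external_accessibility", "confidentiality_impact")  # second part of the vector


def build_vector(vuln, asset_group):
    """Two-part input vector: vulnerability features followed by asset features."""
    asset = ASSET_GROUPS[asset_group]
    vec = {k: vuln[k] for k in VULN_FEATURES}
    vec.update({k: asset[k] for k in ASSET_FEATURES})
    return vec


# Constructed history of past remediation decisions: (vulnerability, asset group, action taken).
PAST_DECISIONS = [
    ({"cvss_band": "high", "exploitability": "known"}, "dmz_web",    "patch_now"),
    ({"cvss_band": "low",  "exploitability": "known"}, "dmz_web",    "patch_now"),
    ({"cvss_band": "high", "exploitability": "known"}, "ot_control", "patch_next_window"),
    ({"cvss_band": "low",  "exploitability": "known"}, "lab",        "patch_next_window"),
    ({"cvss_band": "high", "exploitability": "none"},  "dmz_web",    "accept_risk"),
    ({"cvss_band": "low",  "exploitability": "none"},  "ot_control", "accept_risk"),
    ({"cvss_band": "low",  "exploitability": "none"},  "lab",        "accept_risk"),
    ({"cvss_band": "high", "exploitability": "none"},  "ot_control", "accept_risk"),
]


def entropy(labels):
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def learn_tree(rows, features):
    """ID3-style learner over categorical features. rows: list of (vector, label)."""
    labels = [lbl for _, lbl in rows]
    majority = Counter(labels).most_common(1)[0][0]
    if len(set(labels)) == 1 or not features:
        return {"leaf": majority}
    base = entropy(labels)
    best, best_gain = None, 0.0
    for f in features:  # fixed feature order so ties resolve deterministically
        parts = {}
        for vec, lbl in rows:
            parts.setdefault(vec[f], []).append(lbl)
        remaining = sum(len(p) / len(rows) * entropy(p) for p in parts.values())
        gain = base - remaining
        if gain > best_gain:
            best, best_gain = f, gain
    if best is None:  # no feature separates the labels: stop with the majority action
        return {"leaf": majority}
    rest = tuple(f for f in features if f != best)
    children = {}
    for value in sorted({vec[best] for vec, _ in rows}):
        subset = [(v, l) for v, l in rows if v[best] == value]
        children[value] = learn_tree(subset, rest)
    return {"split": best, "children": children, "majority": majority}


def predict(tree, vec):
    """Return (action, reason_codes); each reason code is one edge of the tree path taken."""
    reasons = []
    node = tree
    while "leaf" not in node:
        value = vec[node["split"]]
        child = node["children"].get(value)
        if child is None:  # value never seen in training: fall back to this node's majority
            return node["majority"], reasons
        reasons.append(f"{node['split']}={value}")
        node = child
    return node["leaf"], reasons


def train_from_history(decisions=PAST_DECISIONS):
    rows = [(build_vector(v, g), action) for v, g, action in decisions]
    return learn_tree(rows, VULN_FEATURES + ASSET_FEATURES)


def recommend(tree, vuln, asset_group):
    """Recommend a remediation action for a new vulnerability on an asset, with its reason codes."""
    return predict(tree, build_vector(vuln, asset_group))


if __name__ == "__main__":
    model = train_from_history()
    print(recommend(model, {"cvss_band": "high", "exploitability": "known"}, "ot_control"))
```

On the constructed history the learner splits first on exploitability and then on external accessibility, so a known-exploit vulnerability on an internally reachable control asset yields `patch_next_window` with the reason codes `exploitability=known` and `external_accessibility=no`; a feature value never seen in training falls back to the majority action at that node with only the path walked so far as its rationale.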

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN A KAPLAN whose telephone number is (571)270-3170.  The examiner can normally be reached 9:00 a.m. - 5:00 p.m.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BENJAMIN A KAPLAN/
Examiner, Art Unit 2434

/KAMBIZ ZAND/
Supervisory Patent Examiner, Art Unit 2434