Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This is a non-final rejection. 
Claims 1-10 are pending.

Status of Claims 
Applicant’s amendment dated 11/13/2020 amends claim 1.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 11/13/2020 has been entered.
 

Response to Amendment
The previously pending rejection of the claims under 35 USC 101 will be maintained.
Response to Arguments
Applicant’s arguments received on 11/13/2020 have been fully considered, but they are not persuasive. Moreover, any new grounds of rejection have been necessitated by applicant’s amendments to the claims. The rejection has been updated to address these amendments.
Response to Argument under 35 USC 101: 
Applicants argue: “the claim is directed to a practical application of any alleged abstract idea, and, thus, contains patent-eligible subject matter …… the claim involves monitoring packets transmitted on network, which is something that can be done in the human mind. As a result, the claim is necessarily rooted in computer technology. See DDR Holding vs. hotels, 773 F.3d 1245”. 
Examiner respectfully disagrees:
In prong two of step 2A, an evaluation is made whether a claim recites any additional element, or combination of additional elements, that integrate the exception into a practical application of that exception. An “additional element” is an element that is recited in the claim in addition to (beyond) the judicial exception (i.e., an 
The claim recites the additional limitations of “An incident response assisting device …. A processor for executing a program; and a memory or a hard disk for storing the program …. Network; to one or more computing devices and display interface”, which are recited at a high level of generality and recited as performing generic computer functions routinely used in computer applications. Adding the words "apply it" (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, e.g., a limitation indicating that a particular function such as creating and maintaining electronic records is performed by a computer, as discussed in Alice Corp., 134 S. Ct. at 2360, 110 USPQ2d at 1984 (see MPEP § 2106.05(f)).

Further, the "monitored object connected, via a network, to one or more computing devices" recitation is merely instructions to apply the abstract idea on a 
The Examiner has therefore determined that the additional elements, or combination of additional elements, do not integrate the abstract idea into a practical application. 
With respect to integration of the abstract idea into a practical application, the additional element of using a computer system or a network amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computing device, or facilitating the abstract concept, are not enough to confer statutory subject matter eligibility.
Response to Argument under 35 USC 103:
The argument is moot in view of the new grounds of rejection as per below.  

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful 

Claims 1-10 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. Claims 1-10 are directed to a judicial exception (i.e., a law of nature, natural phenomenon, or abstract idea) without significantly more.

PART I. 2A-PRONG ONE (IDENTIFY THE ABSTRACT IDEAS)
Under step 2A-Prong One of the Alice framework (part 1 of the Mayo test), the claims are analyzed to determine whether they are directed to a judicial exception. MPEP 2106.04(a). In determining whether the claims are directed to a judicial exception, the claims are analyzed to evaluate whether the claims recite a judicial exception (Prong One of Step 2A), and whether the claims recite additional elements that integrate the judicial exception into a practical application (Prong Two of Step 2A). See 2019 Revised Patent Subject Matter Eligibility Guidance (“PEG”), 84 Fed. Reg. 50-57 (Jan. 7, 2019).

Independent claim 1, when “taken as a whole,” is directed to the abstract idea and substantially recites the limitations: acquiring incident detection information indicating that an incident has occurred in a monitored object, wherein packets transmitted or received …. Wherein the incident detection information is associated with a candidate illegal packet of the packets; acquiring log data of the monitored object, wherein the log data comprises login success and failure information over a predetermined period of time, performing an incident extraction process on the incident detection information and the log data to extract incident information that identifies the incident that has occurred in the monitored object, creating an incident response procedure corresponding to the incident that has occurred in the monitored object, on the basis of the incident information and a response procedure template created in advance, and the incident response procedure, and the incident extraction process is composed of a series of comparison processes in which a content of a comparison process to be subsequently performed is changed in accordance with a result of a previously performed comparison process.

Under step 2A-Prong One (part of Mayo test), the claimed invention in claim 1 is directed to non-statutory subject matter because the claim(s) as a whole, considering all claim elements both individually and in combination, do not amount to significantly more than an abstract idea, and thus, the claims are directed to an abstract idea under the first prong of Step 2A. If the claim covers mental process concepts performed in the human mind (including an observation, evaluation, judgment, opinion), then it falls within the “mental process” grouping of abstract ideas. Accordingly, the claims recite an abstract idea.

PART II. 2A-PRONG TWO (ADDITIONAL ELEMENTS THAT INTEGRATE THE JUDICIAL EXCEPTION INTO A PRACTICAL APPLICATION)

Under step 2A-Prong Two (part 1 of Mayo test), this judicial exception is not integrated into a practical application under the second prong of Step 2A. In particular, the claims recite the additional elements beyond the recited abstract idea, “assisting device”, “processor”, “executing a program”, “network”, and “a memory or a hard disk”. Further, pursuant to the broadest reasonable interpretation, as an ordered combination, each of the additional elements is a computing element recited at a high level of generality implementing the abstract idea, and thus, they are no more than applying the abstract idea with generic computer components. Those additional elements are recited at a high level of generality such that they amount to no more than mere instructions to apply the exception using a computer component, or merely use a computer as a tool to perform an abstract idea; see MPEP 2106.05(f). Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claims are directed to an abstract idea with no significantly more elements.

As a result, examiner asserts that claims 2-10 are similarly directed to the abstract idea. Since these claims are directed to an abstract idea, the office must determine whether the remaining limitations “go significantly more” than describe the abstract idea.

PART III. DETERMINE WHETHER ANY ELEMENT, OR COMBINATION, AMOUNT TO “SIGNIFICANTLY MORE” THAN THE ABSTRACT IDEA ITSELF
Under the Alice framework, we turn to step 2B (Part 2 of Mayo) to determine whether the claim amounts to “significantly more” than the abstract idea itself. These additional elements recite conventional computer components and conventional functions of: 
Claim 1 does not include any limitations amounting to significantly more than the abstract idea alone. Claim 1 includes various elements that are not directed to the abstract idea. These elements include “assisting device”, “processor”, “executing a program”, “network” and “a memory or a hard disk”. Examiner asserts that “assisting device”, “processor”, “executing a program”, and “a memory or a hard disk” are generic computing elements performing generic computing functions.

Therefore, the claims at issue do not require any nonconventional computer, network, or display components, or even a “non-conventional and non-generic 

In addition, ¶[0009] of the specification details any combination of a generic computer system program to perform the method. Generically recited computer elements do not add a meaningful limitation to the abstract idea because the Alice decision noted that generic structures that merely apply abstract ideas are not significantly more than the abstract ideas.

The computing elements with a computing device are recited at a high level of generality (e.g., a generic device performing a generic computer function of processing data). Thus, this step is no more than mere instructions to apply the exception on a generic computer. In addition, using a processor to process data has been well-understood, routine, conventional activity in the industry for many years.

Generic computer features, such as system or storage, do not amount to significantly more than the abstract idea. These limitations merely describe implementation for the invention using elements of a general-purpose system, which is not sufficient to amount to significantly more. See, e.g., Alice Corp., 134 S. Ct. 2347, 110 

Claims 2-10 are rejected as ineligible subject matter under 35 U.S.C. 101 based on a rationale similar to independent claim 1.

The dependent claims further limit the abstract idea without adding significantly more. Accordingly, the Examiner concludes that there are no meaningful limitations in the claims that transform the judicial exception into a patent eligible application such that the claim amounts to significantly more than the judicial exception itself. 
Further, Examiner notes that the additional limitations, when considered as an ordered combination, add nothing that is not already present when looking at the additional elements individually.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention 

Claims 1-3 are rejected under 35 U.S.C. 103 as being unpatentable over Satish et al. US 2016/0164909 (hereinafter Satish) in view of Sadaghiani et al. US 10,181,032 (hereinafter Sadaghiani). 

Regarding Claim 1: 
An incident response assisting device for assisting a user who performs response work when a security incident has occurred, the incident response assisting device comprising: 
a processor for executing a program; and a memory or a hard disk for storing the program, (at least Satish Figs. 1 & 6 [0050], “processing circuitry 605 comprises microprocessor and other circuitry that retrieves and executes operating software 607 from memory device”.) 
wherein the following operation is performed by the program executed by the processor, (at least Satish Fig. 6 [0050], “operating software 607 comprises computer programs …. Machine readable processing instruction”) 
acquiring incident detection information indicating that an incident has occurred in a monitored object connected, via a network, to one or more computing devices, wherein packet transmitted or received by the monitoring object and via the network are monitored, wherein the incident detection information is associated with a candidate [security threat] packet of the monitored packet (Satish [0024], “segregate, monitor, or provide other similar actions on the identified threat”), and  (at least Satish Figs. 2-6 [0017], “intrusion detection systems and intrusion prevention system (IDS/IDP)”. Satish [0023]-[0023], “SIEM system 120 receives information from a plurality of network assets 110-116 and identifies security threats based on the information … advisement system 130 identifies the security threat or incident within computing environment 100 (201), identify properties or traits of the incident …. Or any other threat information specific to the security incident”.) 
acquiring log data of the monitored object, (at least Satish [0023], “in response to identifying the incident, gathers enrichment information about the incident”)
performing an incident extraction process on the incident detection information and the log data to extract incident information that identifies the incident that has occurred in the monitored object, (at least Satish [0023], “advisement system 130 may identify properties or traits of the incident, such as the internet protocol (IP) address for the incident, the firewall associated with the incident, the computing device for the incident, the host, the user, any uniform resource locators (URLs) associated with the incident, or any other threat information specific to the security incident.”)
creating an incident response procedure corresponding to the incident that has occurred in the monitored object, on the basis of the incident information and a response procedure template created in advance, and (at least Satish [0024], “advisement system 130 identifies action recommendations for an administrator based on the rule set (204). The rule sets identified by the advisement system may be associated with particular action recommendations that eliminate, segregate, monitor, or provide other similar actions on the identified threat”.) 
displaying the incident response procedure, and (at least Satish [0037], “advisement system 420 may provide a workflow, which directs the administrator with the necessary steps and processes to implement the desired action within the environment”. Satish Figs. 2-4 [0034]-[0034], “recommendation interfaces 440-441 further include recommendations 431-433”.) 
the incident extraction process is composed of a series of comparison processes in which a content of a comparison process to be subsequently performed is changed in accordance with a result of a previously performed comparison process. (at least Satish [0017], “machine learning algorithms may be implemented that can compare information for various threats and define threats as similar”. Satish [0032], “the unknown application may be compared to the identified malware applications of the database to determine a rule set for the unknown application”. Satish [0033], “advisement system 320 uses previous actions 327 to determine the effectiveness of previous actions against the same or similar threat”.) but specifically fails to disclose wherein the incident detection information is associated with a candidate illegal packet of the monitored packet, wherein the log data comprises login success and failure information over a predetermined period of time,

connected, via a network, to one or more computing devices, wherein packet transmitted or received by the monitoring object and via the network are monitored, wherein the incident detection information is associated with a candidate illegal packet of the monitored packet, and (Sadaghiani Col. 2 Lines 35-50, “an advanced technology platform that is capable of ingesting billions of digital events and/or transactions over the internet, the web, web applications, mobile applications, from external (third-party) data sources, and the like and dynamically implemented digital threat mitigation implementations that are capable of detecting malicious activities (e.g., a candidate illegal packet), fraudulent activities (e.g., candidate illegal packet), digital abuses and generate digital threat mitigation recommendation and responses that operate to mitigate and/or eliminate the digital fraud and abuse threats stemming from the malicious or fraudulent activities”. Also, see Sadaghiani Col. 3 lines 8-11, and Sadaghiani Col. 5 lines 10-16.) 
wherein the log data comprises login success and failure information over a predetermined period of time, (Sadaghiani Col. 8 Lines 7-12, “a beginning of a period or a session of user (e.g., an interactive session) of the digital account is typically determined based on one or more login events involving the digital account in which a user successfully accesses (e.g. using correct account credentials, etc.) or logs into the digital account”. Sadaghiani Col. 10 Lines 45, “ATO risk feature extractor may function to identify the login or attempted login by the user and whether the login or attempted login was successful or a failure. Accordingly, S230 may use the ATO risk feature extractor to associate, link or append as metadata a success or failure indication with each identified login or attempted login made with respect to the digital account”.) 

It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Satish to incorporate the teachings of Sadaghiani. Doing so would allow the system to detect/determine information associated with a candidate illegal packet of the monitored packet (Sadaghiani Col. 2). Further, it would allow the log data to comprise login success and failure information over a predetermined period of time (Sadaghiani Col. 8 lines 7-12).

Regarding Claim 2: 
Satish in view of Sadaghiani discloses the incident response assisting device according to claim 1,
Satish further teaches wherein an input from the user is received between the incident extraction process and creation of the incident response procedure, and a process is changed in accordance with the input. (at least Satish [0018], “the administrator may select an action to be implemented against the incident. In response to the user selection, the administrator may be provided with a workflow to implement the necessary processes for the action”. Satish [0027][0034][0035][0037], “in response to the selection, advisement system 420 may initiate a process to implement the selected action within the computing environment”. Satish Fig. 4 shows a user input after the incident extraction process, “3. First user selection”, and then the system provides/creates the incident response procedure (i.e., 5. Second suggestion).)
Regarding Claim 3: 
Satish in view of Sadaghiani discloses the incident response assisting device according to claim 2, 
Satish further teaches wherein an action instruction for instructing the user to take action required for extracting the incident information is displayed. (at least Satish Figs. 2-5 [0014], “an unknown process may be identified as a security incident …. In response to identifying the known process, the advisement system may query a database to determine if the unknown process is malicious”. Satish Fig. 2 [0024], “advisement system 130 identifies action recommendations for an administrator based on the rule set. The rule sets identified by the advisement system may be associated with particular action recommendations that eliminate, segregate, monitor, or provide other similar actions on the identified threat”. Satish [0018], “the administrator may be provided with a workflow to implement the necessary processes for the action”.) 


Claims 4 and 6-7 are rejected under 35 U.S.C. 103 as being unpatentable over Satish et al. US 2016/0164909 (hereinafter Satish) in view of Sadaghiani et al. US 10,181,032 (hereinafter Sadaghiani), and further in view of Jain US 2019/0108470 (hereinafter Jain).
Regarding Claim 4: 
Satish in view of Sadaghiani discloses the incident response assisting device according to claim 1, 
Satish further teaches wherein a range of the incident response procedure to be displayed is selected in accordance (Satish Figs. 3-6, [0040], “the recommendations are made available to the administrator, the administrator may select a recommendation to be implemented in the environment”.) but fails to disclose with a progress status of response to the incident that has occurred in the monitored object, and the incident response procedure and the progress status are displayed in combination.
However, Jain from the same field of endeavor teaches the following limitation: 
wherein a range of the incident response procedure to be displayed is selected in accordance with a progress status of response to the incident that has occurred in the monitored object, and the incident response procedure and the progress status are displayed in combination. (Jain [0004], “a user interface is provided that allows a user to select at least one of the one or more of the suggested action. In response to the user’s selection, the selected actions may be executed automatically”. Jain [0104], “an execution progress may be displayed on the user interface as percentage or as a graphical icon, or a combination of both. In an embodiment, the execution progress may illustrate the actual execution of each selected action performed by computing device 430”.) 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Satish to incorporate the teachings of Jain. Doing so would allow the user/system to select at least one suggested action (i.e., incident response procedure) and allow the execution progress to be displayed on the user interface as percentage or as a graphical icon, or a combination of both (Jain [0004][0104]).
Regarding Claim 6: 
Satish in view of Sadaghiani discloses the incident response assisting device according to claim 2, 
Satish further teaches wherein a range of the incident response procedure to be displayed is selected in accordance (Satish Figs. 3-6, [0040], “the recommendations are made available to the administrator, the administrator may select a recommendation to be implemented in the environment”.) but fails to disclose with a progress status of response to the incident that has occurred in the monitored object, and the incident response procedure and the progress status are displayed in combination.
However, Jain from the same field of endeavor teaches the following limitation: 
wherein a range of the incident response procedure to be displayed is selected in accordance with a progress status of response to the incident that has occurred in the monitored object, and the incident response procedure and the progress status are displayed in combination. (Jain [0004], “a user interface is provided that allows a user to select at least one of the one or more of the suggested action. In response to the user’s selection, the selected actions may be executed automatically”. Jain [0104], “an execution progress may be displayed on the user interface as percentage or as a graphical icon, or a combination of both. In an embodiment, the execution progress may illustrate the actual execution of each selected action performed by computing device 430”.) 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Satish to incorporate the teachings of Jain. Doing so would allow the user/system to select at least one suggested action (i.e., incident response procedure) and allow the execution progress to be displayed on the user interface as percentage or as a graphical icon, or a combination of both (Jain [0004][0104]).
Regarding Claim 7: 
Satish in view of Sadaghiani discloses the incident response assisting device according to claim 3, 
Satish further teaches wherein a range of the incident response procedure to be displayed is selected in accordance (Satish Figs. 3-6, [0040], “the recommendations are made available to the administrator, the administrator may select a recommendation to be implemented in the environment”.) but fails to disclose with a progress status of response to the incident that has occurred in the monitored object, and the incident response procedure and the progress status are displayed in combination.
However, Jain from the same field of endeavor teaches the following limitation: 
wherein a range of the incident response procedure to be displayed is selected in accordance with a progress status of response to the incident that has occurred in the monitored object, and the incident response procedure and the progress status are displayed in combination. (Jain [0004], “a user interface is provided that allows a user to select at least one of the one or more of the suggested action. In response to the user’s selection, the selected actions may be executed automatically”. Jain [0104], “an execution progress may be displayed on the user interface as percentage or as a graphical icon, or a combination of both. In an embodiment, the execution progress may illustrate the actual execution of each selected action performed by computing device 430”.) 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Satish to incorporate the teachings of Jain. Doing so would allow the user/system to select at least one suggested action (i.e., incident response procedure) and allow the execution progress to .

Claims 5 and 8-10 are rejected under 35 U.S.C. 103 as being unpatentable over Satish et al. US 2016/0164909 (hereinafter Satish) in view of Sadaghiani et al. US 10,181,032 (hereinafter Sadaghiani), and further in view of Hiroyuki JP 2015-121968 A (hereinafter Hiroyuki).
Regarding Claim 5: 
Satish in view of Sadaghiani discloses the incident response assisting device according to claim 1, 
Satish further teaches wherein when the incident information cannot be extracted, (Satish [0014], “an unknown process may be identified as a security incident for a computing asset. In response to identifying the unknown process, the advisement system may query a database to determine if the unknown process is malicious”.) but fails to disclose absence of any incident to be responded to is displayed.
However, Hiroyuki from the same field of endeavor teaches the following limitation: 
wherein when the incident information cannot be extracted, absence of any incident to be responded to is displayed. (see Hiroyuki page 4, “the security countermeasure search unit 105 outputs the countermeasure present/absence information 207 to the attack determination unit 107 …. Outputs the determination result 216 to the output unit 109”.) 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Satish to incorporate the teachings of Hiroyuki. Doing so would allow the system to output the countermeasure present/absence information to the attack determination unit …. Outputs the determination result to the output unit (Hiroyuki Page 4).

Examiner Note: the fact that there is no incident is determined. The Satish reference is proactive in determining an unknown process. If the system cannot extract information with regard to an unknown process as disclosed in Satish, it is old and well known that absence information will be displayed to an IT operator (i.e., Satish [0032], “different rule set than an unknown process that cannot be confirmed to be malicious”). To advance the prosecution of this application, Hiroyuki is introduced to teach “absence of any incident to be responded to is displayed”.
Regarding Claim 8: 
Satish in view of Sadaghiani discloses the incident response assisting device according to claim 2, 
Satish further teaches wherein when the incident information cannot be extracted, (Satish [0014], “an unknown process may be identified as a security incident for a computing asset. In response to identifying the unknown process, the advisement system may query a database to determine if the unknown process is malicious”.) but fails to disclose absence of any incident to be responded to is displayed.
However, Hiroyuki from the same field of endeavor teaches the following limitation: 
wherein when the incident information cannot be extracted, absence of any incident to be responded to is displayed. (see Hiroyuki page 4, “the security countermeasure search unit 105 outputs the countermeasure present/absence information 207 to the attack determination unit 107 …. Outputs the determination result 216 to the output unit 109”.) 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Satish to incorporate the teachings of Hiroyuki. Doing so would allow the system to output the countermeasure present/absence information to the attack determination unit …. Outputs the determination result to the output unit (Hiroyuki Page 4).

Examiner Note: the fact that there is no incident is determined. The Satish reference is proactive in determining an unknown process. If the system cannot extract information with regard to an unknown process as disclosed in Satish, it is old and well known that absence information will be displayed to an IT operator (i.e., Satish [0032], “different rule set than an unknown process that cannot be confirmed to be malicious”). To advance 
Regarding Claim 9: 
Satish in view of Sadaghiani discloses the incident response assisting device according to claim 3, 
Satish further teaches wherein when the incident information cannot be extracted, (Satish [0014], “an unknown process may be identified as a security incident for a computing asset. In response to identifying the unknown process, the advisement system may query a database to determine if the unknown process is malicious”.) but fails to disclose absence of any incident to be responded to is displayed.
However, Hiroyuki from the same field of endeavor teaches the following limitation: 
wherein when the incident information cannot be extracted, absence of any incident to be responded to is displayed. (see Hiroyuki page 4, “the security countermeasure search unit 105 outputs the countermeasure present/absence information 207 to the attack determination unit 107 …. Outputs the determination result 216 to the output unit 109”.) 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Satish to incorporate the teachings of Hiroyuki. Doing so would allow the system to output the 

Examiner Note: the fact that there is no incident is determined. The Satish reference is proactive in determining an unknown process. If the system cannot extract information with regard to an unknown process as disclosed in Satish, it is old and well known that absence information will be displayed to an IT operator (i.e., Satish [0032], “different rule set than an unknown process that cannot be confirmed to be malicious”). To advance the prosecution of this application, Hiroyuki is introduced to teach “absence of any incident to be responded to is displayed”.

Regarding Claim 10: 
Satish in view of Sadaghiani discloses the incident response assisting device according to claim 4, 
Satish further teaches wherein when the incident information cannot be extracted, (Satish [0014], “an unknown process may be identified as a security incident for a computing asset. In response to identifying the unknown process, the advisement system may query a database to determine if the unknown process is malicious”.) but fails to disclose that absence of any incident to be responded to is displayed.
However, Hiroyuski from the same field of endeavor teaches the following limitation: 
wherein when the incident information cannot be extracted, absence of any incident to be responded to is displayed.  (see Hiroyuski page 4, “the security countermeasure search unit 105 outputs the countermeasure present/absence information 207 to the attack determination unit 107 …. Outputs the determination result 216 to the output unit 109”.) 
	It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Satish to incorporate the teachings of Hiroyuski. Doing so would allow the system to output the countermeasure present/absence information to the attack determination unit …. Outputs the determination result to the output unit (Hiroyuski Page 4).

Examiner Note: The fact that there is no incident is determined. The Satish reference is proactive in determining an unknown process. If the system cannot extract information with regard to the unknown process as disclosed in Satish, it is old and well known that absence information will be displayed to the IT operator (i.e., Satish [0032], “different rule set than an unknown process that cannot be confirmed to be malicious”). To advance the prosecution of this application, Hiroyuski is introduced to teach “absence of any incident to be responded to is displayed.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Valecha et al. US 2019/0068630: Cognitive security for workflows.
Armstrong US 9,697,352: Incident response management system and method.
Reybok, JR, et al. US 2018/0324207: Network security threat intelligence sharing.
Frank et al. US 2002/0143595: Method and system for compliance management.
Gong et al. US 2016/0078229: System and method for threat risk scoring of security threats.
Rahul U et al. US 2017/0076239: Incident management analysis.
Dell’Amico et al. US 10,341,377: System and methods for categorizing security incident.
Hammer et al. US 9,027,121: Method and system for creating a record for one or more computer security incidents.
Grace et al. US 8,266,072: Incident communication interface for the knowledge management system.
Flam US 7,925,527: Process control system utilizing a database system to monitor a project’s progress and enforce a workflow of activities within the project.
Boyer et al. US 9,680,858: Annotation platform for a security risk system.
Garay US 2018/0307756: Identifying resolutions based on recorded actions.
Kothekar et al. US 2017/0366582: Incident response plan based on indicators of compromise.
Veeramachaneni et al. US 2017/0169360: Method and system for training a big data machine to defend.
Honda et al. US 2015/0350193: Authentication information theft detection method, authentication information theft detection device, and computer-readable recording medium storing program for the same.
Abrams et al. US 9,779,236: Risk assessment modeling.
Nagoya et al. US 2010/0138382: Communication management system, communication management method and communication control device.
Kim KR 10-1565942: Method and apparatus for detecting ID theft.
Any inquiry concerning this communication or earlier communications from the 
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Matthew Gart can be reached on (571) 272-3955.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/HAMZEH OBAID/Examiner, Art Unit 3623   

/MATTHEW S GART/Supervisory Patent Examiner, Art Unit 3623