DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This written Office Action is in response to a communication from the Applicant’s Representative (the “Applicant”) dated 03/02/2021.
Claims 1-11, 15-16, and 18-20 were amended.
Claims 21-24 were added.
Claims 12-14 and 17 were canceled.
Claims 1-20 were previously examined and rejected.
Claims 1-11, 15-16 and 18-24 are currently pending in the instant application.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Internet Communications
Applicant is encouraged to submit a written authorization for Internet communications (PTO/SB/439, found at http:/www.uspto.gov/sites/default/files/documents/sb0439.pdf) in the instant patent application to authorize the examiner to communicate with the applicant via email. The authorization will allow the examiner to better practice compact prosecution. The written authorization can be submitted via one of the following methods only: (1) Central Fax, which can be found in the Conclusion section of this Office action; (2) regular postal mail; (3) EFS WEB; or (4) the service window on the Alexandria campus. EFS web is the recommended way to submit the form since this allows the form to be entered into the file wrapper within the same day (system dependent). Written authorization submitted via other methods, such as direct fax to the examiner or email, will not be accepted. See MPEP § 502.03.

Information Disclosure Statement
No additional Information Disclosure Statement (IDS) has been filed by the Applicant.

Priority
The instant application, filed 05/07/2018, does not claim priority.

Response to Arguments
In response to the pending objections of Claims 13-14, Applicant cancelled the claims. Accordingly, the objections are withdrawn.
In response to the pending rejections under 35 U.S.C. 101, Applicant amended Claims 16-20. However, the claims as amended do not include at least one hardware element (e.g. physical memory, hardware processor, etc.). One possible amendment to overcome the 101 rejection is “A first computer system comprising: at least one processor implemented in hardware; and a storage [[medium]] device storing instructions…”.
Applicant submits that the subject matter of Claim 16 can be said to be a "concrete thing, consisting of parts, or of certain devices and combination of devices" and that the subject matter of Claim 16 is a "mechanical device or combination of mechanical powers and devices to perform some function and produce a certain effect or result." Applicant’s Remarks, p. 8. However, the broadest reasonable interpretation of a claim drawn to a processor typically covers software per se in view of the ordinary and customary meaning of the term. The broadest reasonable interpretation of a claim drawn to a storage medium typically covers mere transient signals in view of the ordinary and customary meaning of the term. Similarly, assuming arguendo that Applicant claims a graphical user interface (which the Examiner believes it does not), the broadest reasonable interpretation of a GUI covers the functions or the manner of presentation of information on the physical display. After carefully reviewing the disclosure, there appears to be no definition of the terms processor and storage medium that would construe or limit these terms exclusively to hardware components.
In response to the pending rejections under 35 U.S.C. 103, Applicant amended Claims 1-11, 15-16, and 18-20. Since the newly amended Claims changed the scope and necessitated new grounds of rejection, Applicant’s arguments are moot in view of the newly applied references.
Examiner has introduced a new ground of rejection under 35 USC § 101 as being directed to an abstract idea. Said new ground of rejection to claim 1 is neither necessitated by Applicant’s amendment of the claims, nor based on information submitted in an information disclosure statement. Accordingly this action is non-final.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-11, 15-16, and 18-24 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. 
Independent Claim 1 of the instant application asserts to be directed to at least one statutory category (a process or method), and its underlying elements include: “(1) accessing data representing a state of an investigation, wherein the investigation is associated with a potential security threat to a computer system, wherein the investigation is associated with a security analyst, wherein the data comprises a result of a current investigative step of the investigation; (2) processing the data representing the state of the investigation using a machine learning engine trained on observed investigations; (3) determining a recommendation based on the processing of the data representing the state of the investigation, wherein the recommendation is associated with a next investigative step of the investigation; and (4) communicating the recommendation for display on a graphical user interface (GUI) associated with the security analyst.”
Step (3) of Claim 1 recites determining a recommendation based on the processing of the data representing the state of the investigation, wherein the recommendation is associated with a next investigative step of the investigation. This step, under the broadest reasonable interpretation, covers the performance of a mental process. For example, a human security analyst expert can 
Although the claim recites an additional element in step (1) for accessing data representing a state of an investigation, step (1) is merely a data gathering process, which is a form of insignificant extra-solution activity. Step (2) recites an additional element of using a machine learning engine trained on observed investigations. However, this additional element is recited at such a high level of generality that it amounts to no more than merely “applying” the mental step using a generic machine learning algorithm. Similarly, step (3), which requires communicating the recommendation for display on a GUI, is also recited at a high level of generality and amounts to mere post-solution activity of displaying, which is a form of insignificant extra-solution activity.
The additional elements are determined to be no more than insignificant extra-solution activity. In particular, the use of a GUI to display the resulting data is considered conventional and well-understood (in most cases, users rely, at least in part, on conventional graphical user interfaces to interact with an electronic device; see U.S. PGPub No. 2018/0336894 (Graham) [¶ 4]). Similarly, the machine learning is recited at a high level of generality. As a result, the claim, as a whole, is no more than an attempt to broadly cover the concept of using machine learning to implement an analysis that a human security analyst would have performed in the mind. Consequently, Claim 1 is considered an abstract idea without significantly more than the judicial exception.
Therefore, Claim 1 does not recite patent-eligible subject matter under 35 U.S.C. 101 as the claim is directed to an abstract idea without significantly more than the judicial exception.
Claims 2-10 depend on the method of Claim 1, and as a result the rejection thereof is incorporated. Therefore, Claims 2-10 do not recite patent-eligible subject matter under 35 U.S.C. § 101.
Claim 11 is directed to at least one statutory category (article of manufacture or device). However, said Claim recites the same mental process as identified with regard to Claim 1. Thus, the instant claim under consideration is also directed to an abstract idea without significantly more than the judicial exception.

Therefore, the Claim under consideration does not recite patent-eligible subject matter under 35 U.S.C. § 101.
Claims 15 and 21-23 depend on Claim 11, and as a result the rejection thereof is incorporated. Therefore, Claims 15 and 21-23 do not recite patent-eligible subject matter under 35 U.S.C. § 101.
Claim 16 alleges to be directed to at least one statutory category (machine or computer system). However, said Claim recites the same mental process as identified with regard to Claim 1. Thus, the instant claim under consideration is also directed to an abstract idea without significantly more than the judicial exception.
For the same reasons set forth above for Claim 1, and taking all the additional claim elements individually and in combination, the instant Claim as a whole does not amount to significantly more than attempting to broadly cover the concept of using machine learning to implement an analysis of what a human security analyst would have performed in the mind. 
Therefore, the Claim under consideration does not recite patent-eligible subject matter under 35 U.S.C. § 101.
Claims 18-20 and 24 depend on Claim 16, and as a result the rejection thereof is incorporated. Therefore, Claims 18-20 and 24 do not recite patent-eligible subject matter under 35 U.S.C. § 101.
Claims 16, 18-20 and 24 are rejected under 35 U.S.C. 101 as they do not fall within at least one of the four categories of patent eligible subject matter.
Claim 16 recites a “computer system comprising: at least one processor; and a storage medium… a graphical user interface (GUI)”. However, the claimed invention does not include at least one hardware element (e.g. physical memory, hardware processor, etc.). Pending claims are interpreted as broadly as their terms reasonably allow. The broadest reasonable interpretation of a claim drawn to a processor typically covers software per se in view of the ordinary and customary meaning of the term (i.e., a processor can be a virtual entity/process). The broadest reasonable interpretation of a claim drawn to a storage medium typically covers mere transient signals in view of the ordinary and customary meaning of the term. Similarly, assuming arguendo that Applicant is claiming a graphical user interface (which the Examiner believes it is not), the broadest reasonable interpretation of a GUI covers the functions or the manner of presentation of information on the physical display. After carefully reviewing the disclosure, there appears to be no definition of the terms processor and storage medium that would construe or limit these terms exclusively to hardware components.
Claims 18-20 and 24 depend on Claim 16, and as a result the rejection thereof is incorporated. Therefore, Claims 18-20 and 24 do not recite patent-eligible subject matter under 35 U.S.C. 101.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Examiner’s note: text in bold corresponds to the cited prior art reference, quoted verbatim. Comments in braces { } include the Examiner’s mapping of the claimed feature to the cited reference, and observations thereof.
Claims 1, 2, 8, 9, 10, 11, 16, 18, 19, 21 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub No. 2018/0367549 (Jang) in view of U.S. PGPub No. 2018/0367561 (Givental).
Referring to independent Claims 1, 11 and 16
Regarding Claim 1, Jang teaches a method comprising:
accessing data representing a state of an investigation, wherein the investigation is associated with a potential security threat to a computer system, wherein the investigation is associated with a security analyst, wherein the data comprises a result of a current investigative step of the investigation (In light of the disclosure, the featured "accessing" is interpreted as being performed by a machine learning engine, in contrast to a human performing the data access. Specification ¶¶ 21, 53 and 54. Similarly, the state of a given investigation of a potential security threat is interpreted as data representing a host internet protocol (IP) under investigation, steps already taken by the security analyst in the investigation, queries already submitted in the investigation, comparative analyses that have been performed, data gathered during the investigation, time lines considered, filtering parameters used, field sets considered and so forth. Specification ¶ 21. Jang discloses an interactive (human-driven) investigation that is designed generally to encode into a domain knowledge model a security analyst's approach to investigating an offense {i.e. investigation is associated with a potential security threat to a computer system}, and to understand the analyst's methodology of how to expand the offense context graph {i.e. the investigation is associated with a security analyst}. [FIG. 7; ¶ 69]. [T]he security analyst's investigative steps... are captured {i.e. accessing data representing the state of an investigation} and encoded as a set of security analyst domain knowledge 712 {i.e. data comprises a result of a current investigative step}. [¶ 70].);
processing the data representing the state of the investigation using a machine learning engine [[trained on observed investigations]] (Jang discloses the security analyst's investigative steps... are captured and encoded {i.e. processing the data} as a set of security analyst domain knowledge 712. [¶ 70]. [B]lock 702 indicates... machine-driven investigation (that preferably is machine learning-based)... [¶ 73]. [T]he system 702 explores the knowledge graph 716 influenced at least in part by the security analyst domain knowledge 712. To this end, the domain knowledge 712 is processed at step 720 by the machine learning system {i.e. processing the data representing the state of the investigation using machine learning}... [¶ 74].); and
determining a recommendation based on the processing of the data representing the state of the investigation, wherein the recommendation is associated with a next investigative step of the investigation (Jang discloses system 702 generates the guided search {i.e. determining a recommendation based on the processing of the data, see FIG. 7} comprising the one or more investigate paths 718 for the graph. At step 724, the guided search 718 is then taken up as the prioritized cognitive analysis for the graph. [¶ 75]. [T]he machine learning operations have suggested a guided search comprising one or more investigation paths 718, and that feedback is captured at step 708 and provided to the security analyst as an input {i.e. the recommendation is associated with a next investigative step}. As a result, the security analyst can take advantage of both his or her knowledge, as well as the intelligence gained or gleaned from the machine learning side. [¶ 70].);
displaying the recommendation on a graphical user interface (GUI) associated with the security analyst (Jang discloses feedback is captured at step 708 and provided to the security analyst as an input. [¶ 70]. Display 214 provides a mechanism to display information to a user. [¶ 29]. As noted above, the platform console provides a user interface to facilitate this workflow... the platform provides a search results page as a default page on an interface display tab. [¶ 39]. In one embodiment, security event data is being processed in association with a cybersecurity knowledge graph (“KG”)... and an initial offense context graph is built {i.e. suggests a graphical user interface GUI}. [¶ 45]. The techniques herein provide for improvements to... automation-based knowledge graph-based analytics {i.e. implies a graphical user interface GUI}. [¶ 100].).
Jang does not explicitly teach the following feature that Givental teaches:
[[using a machine learning engine]] trained on observed investigations (Givental discloses using the historical information on how this alert has been handled previously {i.e. trained on observed investigations}. This enrichment is provided by the machine learning/training sub-system 516... [¶ 56]. FIG. 10 depicts a representative alert screen provided to an analyst. In this example, the TDS is displayed via two values—“recommended action” and “recommended action confidence.” These values work together to suggest to the analyst the recommended action for the Alert under investigation, based on the historically-trained model {i.e. machine learning trained on observed investigations}, together with the confidence of this recommendation. [¶ 64].).
Jang and Givental are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need to reduce the time required for security analyst alert investigation, preferably by enriching threat data with additional contextual information. [Givental; ¶ 6].
Therefore, it would have been obvious to include the threat disposition analysis technique of Givental in the feedback-based prioritized cognitive analysis of Jang to thereby increas[e] the predictive benefit.
Claim 11 is a storage medium claim that corresponds to method Claim 1, and is therefore rejected with the same rationale and motivation as applied above.
Claim 16 is a system claim that corresponds to method Claim 1, and is therefore rejected with the same rationale and motivation as applied above.
Referring to Claims 2, 21 and 24
Regarding Claim 2, the combination of Jang and Givental teaches the method of Claim 1.
The previous combination further teaches:
wherein processing the data using the machine learning engine comprises determining a next action to be taken by the security analyst in the investigation (Jang discloses system 702 generates the guided search {i.e. determining a recommendation based on the processing of the data, see FIG. 7} comprising the one or more investigate paths 718 for the graph. At step 724, the guided search 718 is then taken up as the prioritized cognitive analysis for the graph. [¶ 75]. [T]he machine learning operations have suggested a guided search comprising one or more investigation paths 718, and that feedback is captured at step 708 and provided to the security analyst as an input {i.e. the recommendation is associated with a next investigative step}. As a result, the security analyst can take advantage of both his or her knowledge, as well as the intelligence gained or gleaned from the machine learning side. [¶ 70]. Givental discloses “recommended action” {i.e. next action} and “recommended action confidence.” These values work together to suggest to the analyst the recommended action for the Alert under investigation... [¶ 64].).
Regarding Claim 21, the rejection of Claim 11 is incorporated. In addition, Claim 21 is a storage medium claim that corresponds to method Claim 2, and is therefore rejected with the same rationale and motivation as applied above.
Regarding Claim 24, the rejection of Claim 16 is incorporated. In addition, Claim 24 is a system claim that corresponds to method Claim 2, and is therefore rejected with the same rationale and motivation as applied above.
Referring to Claim 8
Regarding Claim 8, the combination of Jang and Givental teaches the method of Claim 1.
The previous combination further teaches:
further training the machine learning engine based on an action taken by the security analyst in response to the recommendation (Jang discloses the security analyst… begins his or her interactive offense investigation... At step 706, the security analyst seeks evidences in support of one or more observables in the graph and, as depicted, preferably this operation is informed at least in part from feedback from the machine learning side {i.e. action taken by the security analyst in response to the recommendation}. In particular… here the machine learning operations have suggested a guided search comprising one or more investigation paths… provided to the security analyst as an input. [FIG. 7; ¶ 70]. The analysts' feedback {i.e. referring to the action taken by the security analyst in response to the recommendation}… helps the learning system tune {i.e. training} weighting and preferences of nodes, edges and graph traversal depths with respect to the automatic (machine-based) investigation {i.e. training the machine learning engine based on an action taken by the security analyst in response to the recommendation}. [¶ 76]. Givental discloses a “recommended action” and “recommended action confidence.” These values work together to suggest to the analyst the recommended action {i.e. action taken by the security analyst in response to the recommendation} for the Alert under investigation... [¶ 64]. [T]he ML algorithm(s) create the prediction model 518 by taking into account... what action the SOC analyst took on an alert... {i.e. training the machine learning engine based on an action taken by the security analyst}... The system then continuously learns (e.g., from new inputs) to improve and update its training model 518 on a regular basis... this feedback loop is enhanced further by evaluating an effectiveness of a calculated TDS in comparison to a remediation action taken by the SOC analyst {i.e. training the machine learning engine based on an action taken by the security analyst} and vetted by feedback on alert handling (e.g., from L2 or L3 analysts)... As another example, when a higher level analyst responds to an escalated alert and determines a correct alert disposition (e.g. a L2 or L3 analyst affirms the alert is an actual threat or requests to close the alert even though it was escalated (i.e. false positive)), this valuable feedback is provided to the machine learning and reflected in an updated prediction model, thereby further improving the accuracy of the predicted alert disposition as indicated by the TDS. [¶ 56].).
Referring to Claim 9
Regarding Claim 9, the combination of Jang and Givental teaches the method of Claim 8.
The previous combination further teaches:
wherein training the machine learning engine based on the action taken by the security analyst comprises training the machine learning engine based on whether the recommendation was accepted or rejected (Givental discloses a “recommended action” and “recommended action confidence.” These values work together to suggest to the analyst the recommended action for the Alert under investigation... [¶ 64]. As the richness of historical data grows, the ML algorithms in the machine learning/training sub-system 516 themselves evolve... this feedback loop is enhanced further by evaluating an effectiveness of a calculated TDS in comparison to a remediation action taken by the SOC analyst and vetted by feedback on alert handling (e.g., from L2 or L3 analysts)... when a higher level analyst responds to an escalated alert {i.e. the recommendation} and determines a correct alert disposition (e.g. a L2 or L3 analyst affirms the alert is an actual threat {i.e. the recommendation was accepted}... this valuable feedback is provided to the machine learning and reflected in an updated prediction model {i.e. training the machine learning engine based on whether the recommendation was accepted or rejected}... [¶ 56].).
Referring to Claims 10 and 18
Regarding Claim 10, the combination of Jang and Givental teaches the method of Claim 8.
The previous combination further teaches:
wherein training the machine learning engine based on the action taken by the security analyst comprises training the machine learning engine based on the security analyst modifying the recommendation (Givental discloses a “recommended action” and “recommended action confidence.” These values work together to suggest to the analyst the recommended action for the Alert under investigation... [¶ 64]. As the richness of historical data grows, the ML algorithms in the machine learning/training sub-system 516 themselves evolve... this feedback loop is enhanced further by evaluating an effectiveness of a calculated TDS in comparison to a remediation action taken by the SOC analyst and vetted by feedback on alert handling (e.g., from L2 or L3 analysts)... when a higher level analyst responds to an escalated alert {i.e. the recommendation} and determines... to close the alert even though it was escalated (i.e. false positive) {i.e. modifying the recommendation}), this valuable feedback is provided to the machine learning and reflected in an updated prediction model {i.e. training the machine learning based on the analyst modifying the recommendation}... [¶ 56].).
Regarding Claim 18, the rejection of Claim 16 is incorporated. In addition, Claim 18 is a system claim that corresponds to method Claim 10 and is therefore rejected using the same rationale and motivation as above.
Referring to Claim 19
Regarding Claim 19, the combination of Jang and Givental teaches the system of Claim 16.
The previous combination further teaches:
to train the machine learning engine based on an observed analyst response to the recommendation (Givental discloses a “recommended action” and “recommended action confidence.” These values work together to suggest to the analyst the recommended action for the Alert under investigation... [¶ 64]. As the richness of historical data grows, the ML algorithms in the machine learning/training sub-system 516 themselves evolve... this feedback loop is enhanced further by evaluating an effectiveness of a calculated TDS in comparison to a remediation action taken by the SOC analyst and vetted by feedback on alert handling (e.g., from L2 or L3 analysts)... when a higher level analyst responds to an escalated alert {i.e. the recommendation} and determines a correct alert disposition (e.g. a L2 or L3 analyst affirms the alert is an actual threat {i.e. analyst response to the recommendation}... this valuable feedback is provided to the machine learning and reflected in an updated prediction model {i.e. train the machine learning based on an observed analyst response to the recommendation}... [¶ 56].).
Claims 3, 7, 20 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub No. 2018/0367549 (Jang) in view of U.S. PGPub No. 2018/0367561 (Givental) and further in view of U.S. PGPub No. 2017/0063912 (Muddu).
Referring to Claims 3 and 22
Regarding Claim 3, the combination of Jang and Givental teaches the method of Claim 1.
The previous combination does not explicitly teach the following feature limitation that Muddu teaches:
wherein processing the data using the machine learning engine comprises determining a timeline for a chart displayed on the GUI (Muddu discloses FIG. 40E is an illustrative view of a “Threat Anomalies Timeline,” “Threat Anomalies Trend,” and “Threat Anomalies” listing, which are generated upon clicking the “Details” tab in the “Threats Review” screen of FIG. 40A... [¶ 56].).
Jang, Givental and Muddu are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need to improve threat detection and targeted response by using a variety of threat indicators. [Muddu; ¶ 137].
Therefore, it would have been obvious to include the visual event mini-graphs feature of Muddu in the feedback-based prioritized cognitive analysis of Jang to [enable] network security administrators to respond to a detected anomaly or threat, and to take action promptly.
Regarding Claim 22, the rejection of Claim 11 is incorporated. In addition, Claim 22 is a storage medium claim that corresponds to method Claim 3, and is therefore rejected with the same rationale and motivation as applied above.
Referring to Claim 7
Regarding Claim 7, the combination of Jang and Givental teaches the method of Claim 1.
The previous combination does not explicitly teach the following feature limitation that Muddu teaches:
displaying an option to accept or reject the recommendation on the GUI (In light of the disclosure, this feature limitation is being interpreted as whether a recommendation for a filtering criteria, chart selection, set of chart parameters, time line, and so forth, was accepted or rejected by the security analyst. Specification p. 9, ¶ 30. Muddu discloses FIG. 39B is an illustrative screen in the GUI of FIG. 39A, depicting an expanded view of a “Views” tab selector {i.e. displaying an option}, which enables a GUI user to select between viewing screens {i.e. to accept or reject the recommendation on the GUI, in this case for a chart selection}... [¶ 51].); and
automatically configuring the GUI based on the recommendation in response to a response received from the security analyst indicating acceptance of the recommendation (Muddu discloses [w]hen the security-related conclusion indicates that a potential security breach… has occurred, at step 2110, the model deliberation process thread can generate a user interface element to solicit an action command to activate a threat response. In one example, the user interface element triggers the action command for sending a message to the target-side computer system to demand termination of a problematic application, blocking of specific network traffic, or removal of a user account. In some embodiments, at step 2112, the model deliberation process thread can generate a user interface element to accept feedback from a user to confirm or reject the security-related conclusion. [FIG. 20; ¶ 319]. By clicking on the “Views” tab 3902 {i.e. in response to a response received from the security analyst indicating acceptance of the recommendation, in this case of a chart selection}, as shown in FIG. 39B, a GUI user can toggle the GUI {i.e. automatically configuring the GUI} between a “Threats” view 3906, “Anomalies” view 3907, “Users” view 3908, “Devices” view 3909, and “Applications” view 3910 {i.e. based on the recommendation}. [¶ 451].).
Jang, Givental and Muddu are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need to improve threat detection and targeted response by using a variety of threat indicators. [Muddu; ¶ 137].
Therefore, it would have been obvious to include the visual event mini-graphs feature of Muddu in the feedback-based prioritized cognitive analysis of Jang to [enable] network security administrators to respond to a detected anomaly or threat, and to take action promptly.
Referring to Claim 20
Regarding Claim 20, the combination of Jang and Givental teaches the system of Claim 16.
The previous combination further teaches:
wherein displaying the recommendation comprises displaying a chart visualization (Muddu discloses “Threats Review” view 4000 can additionally include a status chart 4004 that provides a Timeline, list of Anomalies, list of Users, list of Devices, list of Apps, and a suggestion of “What Next.” [¶ 458].).
Jang, Givental and Muddu are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need to improve threat detection and targeted response by using a variety of threat indicators. [Muddu; ¶ 137].
Therefore, it would have been obvious to include the chart visualization of Muddu in the feedback-based prioritized cognitive analysis of Jang to [enable] network security administrators to respond to a detected anomaly or threat, and to take action promptly.
Claims 4, 5 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub No. 2018/0367549 (Jang) in view of U.S. PGPub No. 2018/0367561 (Givental) and further in view of U.S. PGPub No. 2018/0088753 (Viégas).
Referring to Claim 4
Regarding Claim 4, the combination of Jang and Givental teaches the method of Claim 1.
The previous combination does not explicitly teach the following feature limitation that Viégas teaches:
wherein processing the data using the machine learning engine comprises determining a type of chart to be displayed on the GUI (In light of the disclosure, this feature is interpreted as providing guidance for a particular type of chart to be considered for a comparative analysis or a recommendation of a specific type of chart. Specification, ¶¶ 34, 43. Viégas discloses a machine learning model may be applied to the data table to… produce suggested chart types. [¶ 4]. The suggested charts may be included in a chart suggestion list that is displayed in a first portion of a user interface. As such, an improved graphic user interface may be provided that conveniently displays suggested charts in the chart suggestion list concurrently with the data table, and allows the user to select and insert a suggested chart directly from the chart suggestion list... [¶ 5]. Once trained, the machine learning model 116 may be applied to a new data table 120... to obtain one or more suggested chart types for the new data tables. [¶ 28]. The chart generation module 124A-124Z may use the machine learning model 123 and/or the rules 125A-125Z to determine chart types and create suggested charts in accordance with the chart types. [¶ 33].).
Jang, Givental and Viégas are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need for an improved graphic user interface… that conveniently displays suggested charts in the chart suggestion list concurrently with the data table, and allows the user to select and insert a suggested chart directly from the chart suggestion list into an electronic document containing the data table. [Viégas; ¶ 5].
Therefore, it would have been obvious to include the improved data representation technology of Viégas in the feedback-based prioritized cognitive analysis of Jang for analyzing data in a data table to determine how various data in the data table are related to each other or to determine various patterns in the data.
Regarding Claim 23, the rejection of Claim 11 is incorporated. In addition, Claim 23 is a storage medium claim that corresponds to method Claim 4, and is therefore rejected with the same rationale and motivation as applied above.
Referring to Claim 5
Regarding Claim 5, the combination of Jang and Givental teaches the method of Claim 1.
The previous combination does not explicitly teach the following feature limitation that Viégas teaches:
wherein processing the data using the machine learning engine comprises determining a layout parameter of a chart to be displayed on the GUI (In light of the disclosure, this feature is interpreted as decisions pertaining to chart parameters (e.g., the axes, filters, categories, time granularity). Specification, ¶¶ 18, 21, 22. Viégas discloses interaction with the suggested bar chart 206 may be recorded and provided to the training engine 116 for updating of the machine learning model 123. For example, if the user selects the suggested bar chart 206, modifies any axes names, fonts, colors, or the like {i.e. layout parameters of a chart}, then this information may be provided to the training engine 116 so the machine learning model 123 may be updated to produce chart types for similar data that are personally tailored {i.e. determining a layout parameter of a chart} and more likely to be selected by the user. [¶ 48].).
Jang, Givental and Viégas are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need for an improved graphic user interface… that conveniently displays suggested charts in the chart suggestion list concurrently with the data table, and allows the user to select and insert a suggested chart directly from the chart suggestion list into an electronic document containing the data table. [Viégas; ¶ 5].
Therefore, it would have been obvious to include the improved data representation technology of Viégas in the feedback-based prioritized cognitive analysis of Jang for analyzing data in a data table to determine how various data in the data table are related to each other or to determine various patterns in the data.
Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub No. 2018/0367549 (Jang) in view of U.S. PGPub No. 2018/0367561 (Givental) and further in view of U.S. PGPub No. 2018/0089269 (Pal).
Referring to Claim 6
Regarding Claim 6, the combination of Jang and Givental teaches the method of Claim 1.
The previous combination further teaches:
wherein processing the data using the machine learning engine comprises determining, for a query to be submitted in the investigation, one or more of: an internet protocol (IP) [[address associated with the query, the query is associated with incoming communications, the query is associated with outgoing communications, a time line associated with the query, filter criteria associated with the query, a host name associated with the query, and a user name associated with the query]] (Jang discloses an analyst can perform the query knowledge graph (KG) exploration step [and] receives a set of observables, such as IP {i.e. IP associated with the query}, URL, and files hashes... [¶ 62]. Referring now to block 700, during this investigation, the security analyst's investigative steps... are captured and encoded as a set of security analyst domain knowledge 712. [¶ 70]. [T]he system 702 explores the knowledge graph 716 influenced at least in part by the security analyst domain knowledge 712. To this end, the domain knowledge 712 is processed at step 720 by the machine learning system... [¶ 74].).
The previous combination does not explicitly teach the following feature limitation that Pal teaches:
determining, for a query to be submitted in the investigation, one or more of: an internet protocol (IP) address associated with the query, the query is associated with incoming communications, the query is associated with outgoing communications, a time line associated with the query, filter criteria associated with the query, a host name associated with the query, and a user name associated with the query (Pal discloses... requesting {i.e. query} the user ids {i.e. user name associated with the query} for the entries in inverted index 1502 where the server response time is greater than “0.0900” microseconds. The search engine would use the reference values stored in inverted index 722 to retrieve the event data from the field searchable data store, filter the results {i.e. filter criteria associated with the query} based on the “response time” field values and, further, extract the user id field from the resulting event data to return to the user. In the present instance, the user ids “frank” and “carlos” would be returned {i.e. determining, for a query to be submitted in the investigation, a user name associated with the query} to the user from the generated results table 722. [FIG. 15; ¶ 395]. The enterprise security application enables the security practitioner {i.e. security analyst} to investigate and explore the data to find new or unknown threats {i.e. potential security threat to a computer system}... [¶ 413].).
Jang, Givental and Pal are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need for facilitating searching and analyzing large sets of data to locate data of interest. [Pal; ¶ 2].
Therefore, it would have been obvious to include the query processing of Pal in the feedback-based prioritized cognitive analysis of Jang in order to allow analysts to quickly search and analyze large sets of raw machine data to visually identify data subsets of interest.
Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub No. 2018/0367549 (Jang) in view of U.S. PGPub No. 2018/0367561 (Givental) and further in view of U.S. PGPub No. 2017/0371954 (Kikuchi).
Referring to Claim 15
Regarding Claim 15, the combination of Jang and Givental teaches the storage medium of Claim 11.
The above combination further teaches:
to train the machine learning engine to recommend [[a query for]] an investigative step for the investigation (Givental discloses using the historical information on how this alert has been handled previously {i.e. train}. This enrichment is provided by the machine learning/training sub-system 516... [¶ 56]. FIG. 10 depicts a representative alert screen provided to an analyst. In this example, the TDS is displayed via two values—“recommended action” and “recommended action confidence.” These values work together to suggest to the analyst the recommended action for the Alert under investigation, based on the historically-trained model {i.e. train the supervised machine learning engine to recommend an investigative step}... [¶ 64].).
The combination of Jang and Givental does not explicitly teach the following feature limitation that Kikuchi teaches:
to recommend a query (Kikuchi discloses performing search queries... [¶ 14]. Within the graphical user interface 302, the alternate keyword recommendation program 110A, 110B may also display... recommended alternate keyword search queries 310 {i.e. recommend a query}... [¶ 49].).
Jang, Givental and Kikuchi are from a similar field of technology. Prior to the instant application’s effective filing date, a comprehensive search [was] desirable in order to detect as many correct characteristic patterns as possible. [Kikuchi; ¶ 16].
Therefore, it would have been obvious to include the search query recommendation features of Kikuchi in the feedback-based prioritized cognitive analysis of Jang to [assist] in the collection of a question sentence.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 10733037 B2 (Ramakrishna) teaches a machine learning model is trained using a history of observed symptoms in the network, a history of corrective actions initiated via chatbot sessions and associated with the observed symptoms, and a history of feedback regarding the corrective actions received via the chatbot sessions. The server provides the predicted corrective action to the user interface via the particular chatbot session as a suggested corrective action, in response to the received triage request.
US 20190260782 A1 (Humphrey) teaches a cyber-threat defense system that can autonomously gather research data about external hosts visited by a network entity and present that information in a format integrated with a threat-tracking graphical user interface.
US 20140358828 A1 (Phillips) teaches an action plan module provides and/or accesses a machine learning framework allowing the action plan module and/or clients to request machine learning ensembles or other predictive programs, to make analysis requests.
US 20170060868 A1 (Rais) teaches a natural language query management system may also apply additional filtering and/or prioritizing based on various criteria or filtering and prioritizing logic rules or patterns based on the user's past queries or based on machine learning techniques applied across many users.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RICHARD W CRUZ-FRANQUI whose telephone number is (313)446-6571.  The examiner can normally be reached on M-F 5:30-2:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on (571)272-8878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/RICHARD W CRUZ-FRANQUI/Examiner, Art Unit 2498

/YIN CHEN SHAW/Supervisory Patent Examiner, Art Unit 2498