Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Response to Arguments
Applicant’s arguments with respect to claims 1-28 have been considered but are moot because the arguments do not apply to any of the references being used in the current rejection.

Examiner has included Gonzalez US 20160301624 to anticipate the claims as amended.

Examiner notes that the amendments made by the Applicant do not incorporate the rest of the claim limitations. For example, the amended claim states a “capture agent” to “collect activity information on network traffic”. None of this information is used in the rest of the claim. The scores and threat assessments made do not use this capture agent or any portion of captured data.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-28 are rejected under 35 U.S.C. 103 as being unpatentable over Porras US 6,704,874 in view of Ahmed US 9,483,742 in view of Jordan US 2018/0375893 in view of Ryan Jr. US 10,198,667 in view of Gonzalez US 2016/0301624.


As per claims 1, 8, 15, 22. Porras teaches providing one or more scores based on one or more threat assessments that are associated with one or more anomaly classes, wherein the one or more anomaly classes are associated with one or more types of anomalous activity determined by an assessment engine (Column 4 line 52 to Column 5 line 47) (teaches attack type, score and threat assessment). Porras teaches employing the one or more anomaly classes, the one or more scores, and one or more characteristics of the one or more anomaly classes to determine one or more triage models (Column 5 lines 10-27; line 55 to Column 6 line 32, Column 6 line 58 to Column 7 line 18, Column 8 lines 36-67) (teaches using history of attack and reports to update user preferences). Porras teaches modifying the one or more scores based on the one or more triage models and archival information associated with the one or more anomaly classes; associating the one or more modified scores with the one or more anomaly classes; and in response to detecting anomalous activity in one or more monitored networks, providing one or more other scores based on the anomalous activity, wherein a report that includes the one or more other scores is provided to a user. (Column 5 lines 10-27; line 55 to Column 6 line 32, Column 6 line 58 to Column 7 line 18, Column 8 lines 36-67) Porras teaches providing one or more capture agents that are selectively installed on a portion of a group of entities on the one or more networks wherein the one or more capture agents collect activity information on network 

Ahmed teaches supplemental anomaly classes, scores, characteristics, to determine triage models and modifying said models based on archival information.  (Column 1 line 55 to Column 2 line 25; Column 2 lines 40-57; Column 3 lines 33-Column 4 line 25; Column 5 line 1-27; Column 6 line 10-59)   
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the properties of Ahmed with the previous system because it helps increase the accuracy and granularity of the triage model.

Jordan teaches each score for each threat assessment is based on separate triage models for each of a plurality of separately weighted factors that include two or more of a risk of harm by a threat, a sophistication of the threat, or a likelihood of occurrence of the threat. [0004][0016][0020][0030] (explicitly teaches that the factors include risk of harm and occurrence)
It would have been obvious to one of ordinary skill in the art to use the factors of Jordan with the previous combination because it helps customize reports for the user.


Ryan Jr teaches employing the one or more other scores to associate the report with one or more of content, a delivery method to the user or a delivery destination for the user. (Column 2 lines 4 
It would have been obvious to one of ordinary skill in the art to use the alert of Ryan Jr with the previous combination because it helps improve security.

Gonzalez teaches the agent is deactivated based on the amount of activity information that is collected. [0081][0083] (teaches deactivation of resources that are no longer needed or required)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the management of Gonzalez with the previous combination to make the system power and resource efficient.
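As an added illustration, and not code from the application or from any of the cited references, the following Python sketch walks through the pipeline described by the claim language and the Porras, Jordan, Ryan Jr. and Gonzalez mappings above: a threat assessment per anomaly class, a triage model of separately weighted factors (risk of harm, sophistication, likelihood), modification of the score by archival information about the class, selection of report content and delivery method from the resulting score, and a capture agent that deactivates once it has collected a set amount of activity information. Every class name, weight, threshold and archive record here is constructed for the example.

```python
from dataclasses import dataclass

# Constructed: a threat assessment for one anomaly class, each factor scaled 0..1.
@dataclass(frozen=True)
class ThreatAssessment:
    harm: float            # risk of harm by the threat
    sophistication: float  # sophistication of the threat
    likelihood: float      # likelihood of occurrence


@dataclass(frozen=True)
class TriageModel:
    """Separately weighted factors; the weights are assumed, not taken from any reference."""
    w_harm: float = 0.5
    w_sophistication: float = 0.2
    w_likelihood: float = 0.3

    def score(self, ta: ThreatAssessment) -> float:
        raw = (self.w_harm * ta.harm
               + self.w_sophistication * ta.sophistication
               + self.w_likelihood * ta.likelihood)
        return round(100 * raw, 1)  # 0..100 scale, one decimal


# Constructed archival information per anomaly class: how many past reports
# of that class were later confirmed as real incidents.
ARCHIVE = {
    "lateral_movement": {"incidents": 12, "confirmed": 9},
    "port_scan": {"incidents": 200, "confirmed": 20},
}


def modify_score(base: float, anomaly_class: str, archive=ARCHIVE) -> float:
    """Discount classes with a poor confirmation history; a 0.5 floor keeps
    a noisy class from being silenced entirely. Unknown classes are unchanged."""
    rec = archive.get(anomaly_class)
    if not rec or rec["incidents"] == 0:
        return base
    precision = rec["confirmed"] / rec["incidents"]
    return base * (0.5 + 0.5 * precision)


def delivery_for(score: float) -> dict:
    """Map the modified score to report content, delivery method and destination."""
    if score >= 70:
        return {"content": "full", "method": "page", "destination": "on-call"}
    if score >= 40:
        return {"content": "summary", "method": "email", "destination": "soc-queue"}
    return {"content": "digest", "method": "dashboard", "destination": "weekly-review"}


def triage(anomaly_class: str, ta: ThreatAssessment, model: TriageModel = TriageModel()) -> dict:
    base = model.score(ta)
    modified = modify_score(base, anomaly_class)
    return {"anomaly_class": anomaly_class, "score": base,
            "modified_score": modified, "report": delivery_for(modified)}


class CaptureAgent:
    """Collects activity records for one entity and deactivates itself once the
    configured amount of information has been collected."""

    def __init__(self, entity: str, budget: int):
        self.entity = entity
        self.budget = budget
        self.records: list[str] = []
        self.active = True

    def collect(self, record: str) -> bool:
        """Return True if the record was accepted, False once the agent is deactivated."""
        if not self.active:
            return False
        self.records.append(record)
        if len(self.records) >= self.budget:
            self.active = False  # deactivated based on the amount collected
        return True


if __name__ == "__main__":
    # Constructed sample: one assessment per anomaly class.
    for cls, ta in [("lateral_movement", ThreatAssessment(0.8, 0.5, 0.6)),
                    ("port_scan", ThreatAssessment(0.2, 0.1, 0.9))]:
        print(triage(cls, ta))
    agent = CaptureAgent("host-a", budget=3)
    for i in range(4):  # constructed flow records; the fourth is refused
        print(agent.entity, f"flow-{i}", agent.collect(f"flow-{i}"), agent.active)
```

The archival adjustment is the part worth noticing: the same base score produces different delivery decisions depending on how often the class has been confirmed in the past, which is the effect the claim's "archival information" limitation describes.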

As per claims 2, 9, 16, 23 Ahmed teaches detecting the anomalous activity, further comprises: generating anomaly information based on one or more of the anomalous activity, a portion of the monitored network traffic associated with the anomalous activity, one or more characteristics of the entities associated with anomalous activity, wherein the one or more characteristics of the entities associated with anomalous activity include one or more of one or more device properties, one or more cluster properties, one or more privilege rights, one or more users, or one or more user roles; and providing the anomaly information to one or more triage engines that perform further actions, including: determining one or more other triage models based on the anomaly information; providing the one or more other scores based on the one or more other triage models and the anomaly information; and associating the one or more other scores with the anomalous activity.  (Column 1 line 55 to Column 2 line 25; Column 2 lines 40-57; Column 3 lines 33-Column 4 line 25; Column 5 line 1-27; Column 6 line 10-59)   (Ahmed teaches using a 

As per claims 3, 10, 17, 24  Ahmed teaches monitoring user activity that is associated with the report and the one or more other scores; determining one or more user characteristics based on the monitored user activity; employing one or more of the monitored user activity or the one or more user characteristics to modify the one or more triage models associated with the anomalous activity; and employing the one or more modified triage models to provide one or more new scores for newly determined anomalous activity that is associated with the one or more modified triage models.   (Column 2 lines 30-56)  (teaches an algorithm which takes source IP/ source user into consideration when determining anomalous activity)

As per claims 4, 11, 18, 25 Ahmed teaches wherein providing the one or more other scores, further comprises: providing meta-data that includes one or more of information associated with the monitored network traffic, information associated with threat characteristics, one or more characteristics of one or more entities associated with the anomalous activity, user information associated with the anomalous activity, one or more triage policies, or one or more triage rules, wherein one or more portions of the meta-data are obtained from one or more separate services; and modifying the one or more other scores based on the meta-data.  (Column 3 line 33 to Column 4 line 26)(uses multiple sources to gather data including meta data and activity, and implementing remediation and updating triage algorithm)

As per claims 6, 13, 20, 27 Porras teaches further comprising: evaluating at least one of one or more impacts, one or more harms, or one or more costs associated with the one or more types of anomalous activity based on the archival information; and generating the one or more triage models based on the evaluation.  (Column 4 lines 40-67) (Column 5 line 55 to Column 6 line 27) (reports of past incidents)

As  per claims 7, 14, 21, 28 Ahmed teaches further comprising: monitoring other network traffic that occurs subsequent to providing the report; modifying the one or more triage models that are associated with the anomalous activity based on the monitored other network traffic; and employing the one or more modified triage models to provide one or more new scores for new anomalous activity that is associated with the one or more modified triage models.  (Column 5 

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833.  The examiner can normally be reached on M-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439