Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant’s arguments with respect to claims 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7, 10-14 and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Chari et al. (hereinafter referred to as Chari, U.S. Pub. No. 20170286671) in view of KUMAR et al. (hereinafter referred to as KUMAR, U.S. Pub. No. 20130298244).

As per claim 1:
Chari discloses a computing system, comprising:
at least one computing device processor (Figure 1: 104-114);
a memory device including instructions that, when executed by the at least one computing device processor, enables the computing system to (Figure 1: 100-114):
cause at least one data store in a service provider environment to maintain at least three data sets from a plurality of data sources, each data set including information for one of assets, users, or security threats (¶0033: persistent storage stores malicious user activity detector; Malicious user activity detector monitors user activity logs corresponding to access of a set of one or more assets by a user to identify and block malicious or anomalous user behavior by generating a risk score for the access based on a profile corresponding to the user accessing the set of assets; ¶0035: user features from user profile, such as attributes, which are found in human resource records; Attributes provide basic information, such as name, identification number, employer, demographic information, et cetera, corresponding to a user associated with user profile; ¶0036: asset access privileges of the user, roles assigned to the user, and work-related groups the user belongs to. Historical asset access behavior 246 provides a record of the user's past behavior in accessing protected assets. Social networks 248 represent the networks that the user belongs to, such as work-related networks of friends and co-workers and social networks of friends and family); including
correlate at least one entry in a first data set with a second data set of the three data sets (¶0056:  increase accuracy of detecting malicious user activity by correlating such user activity 
identify an asset, a user, or security threat associated as one of a subject (¶0054-0056: collect and aggregate static and dynamic user information; activity on each protected asset; various enterprise assets, such as protected resources and applications; external threat feeds, such as software vulnerabilities that may be exploited by a malicious user); and
execute a threat analysis service to: correlate data between an asset and a user to infer a property of a network, correlate data between an asset and a security threat to infer a property of a network, or correlate data between a user and a security threat to infer a property of a network (¶0058: analysis and correlation of malicious user activity alerts and feedback mechanisms from prior malicious user activity alerts; correlating the aggregated multiple malicious user activity alerts with static data from the comprehensive user profile; ¶0059: 
perform a security action affecting the subject and an identified one of the asset, the user, or the security threat based on the inferred property (¶0070: if malicious user activity detector determines that aggregated risk score is greater than an alert threshold, such as, for example, an alert threshold in user asset access activity alert threshold values, then malicious user activity detector may generate one or more alerts; alerts may be, for example, malicious user activity alerts; malicious user activity detector may send alerts for analyst feedback to determine, for example, whether individual alerts in alerts are valid or invalid alerts; malicious user activity detector may display aggregated user profile view to analysts to help in providing analyst feedback; 0079-0080; 0082).
Chari does not explicitly disclose receive a query associated with the subject, the subject being at least one of an asset, a user, or a security threat. KUMAR, in analogous art however, 
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the claimed limitations disclosed by Chari to include receive a query associated with the subject, the subject being at least one of an asset, a user, or a security threat. This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire to provide attestation architectures that perform a calculus of risk to determine a level of trust of systems that are not necessarily monolithic and made up of diverse hardware and software platforms and can be accessed by users with varying credentials and reputations that can dynamically handle complex attestation scenarios and provide more complete runtime attestation as suggested by KUMAR (0016-0018).


Chari discloses wherein the instructions, when executed by the at least one computing device processor, further enables the computing system to provide:
an interface configured to obtain the at least three data sets, wherein the at least three data sets include at least an asset data set, a user data set, and a threat data set, and wherein the asset data set includes first identification information identifying individual devices on a network, the user data set includes second identifying information identifying user accounts associated with the individual devices, and the threat data set includes third identification information identifying threats to one of a device or an user account (0027; 0034-0035: feature interface dashboard for user profiles, activity logs, alert thresholds, analysis feedback, directory and identification; 0035: aggregate profile view).

As per claim 3:
KUMAR discloses wherein the instructions, when executed by the at least one computing device processor, further enables the computing system to provide:
an asset classifier for classifying an asset as one of a physical asset or a role asset (0110: integrity profile and trust broker able to provide risk correlation and identification based clustering and classification assets; 0159; 0159-0163);
a user classifier for classifying a user as being associated with one of an employee type, a group type, or a role type (0038: generating user reputation scores for a plurality of users based on one or more of: (1) threat vectors modeled by actions of the plurality of users; (2) risk correlation with aggregation of intelligence related to accessed object (resource) attribution, 
a threat classifier for classifying a threat into one of a target threat, an actor threat, or an activity threat (0038: 0159-0163; 0235: Methods for Threat Identification and Remediation and classification; 0258).

As per claim 4:
KUMAR discloses wherein at least one of the asset classifier, the user classifier, or the threat classifier is applied to incoming data prior to storage in one of the at least three data stores (0033: dynamic image threat identification categories).

As per claim 5:
KUMAR discloses wherein at least one of the asset classifier, the user classifier, or the threat classifier is applied to data in one of the at least three data stores (0032: static image threat identification categories).

As per claim 6:
KUMAR discloses wherein the query is against a classification for one of an asset, a user, or a threat (0160: Within the context of the subject integrity profile system, the trust broker is configured to query and receive responses from third party management systems regarding inventory, role, identity and logs; 0189: the subject events can be assertions about provisioned attributes, endpoint and network level activities associated with a subject, received as a response 

As per claim 7:
KUMAR discloses wherein the instructions, when executed by the at least one computing device processor, further enables the computing system to provide:
an asset to threat correlator that utilizes vulnerability definition data to correlate an asset to a threat (0067: event and behavior correlation engine configured to perform risk correlation based on continuous monitoring using a plurality of sensory inputs; 0085: determining or performing a calculus of risk for the data center application and data silos, that receives sensory inputs from instrumentation including integrity measurement and verification scan correlation, network activity correlation and endpoint event correlation, and generate integrity metrics for security orchestration, and dispatch directives to an edge device (for example, network firewall) for user access controls, to a load balancer for session controls, or to a network fabric element (for example, a switch or router) for flow controls; 0099: Risk Correlation Matrix);
a user to threat correlator for correlating a user to a threat (0085; 0099; 0159); and
an asset to user correlator that uses at least authentication data to correlate an asset to a user (0181: event correlator and threat classifier; 00183: a user authenticated on a device through an authentication process/ceremony with an authentication service, a service provider configured to receive a service request, a managed application that the target service, a 

As per claims 10-14:
Claims 10-14 are directed to a computer-implemented method having substantially similar claimed features as recited in corresponding claims 1-4 and 7, respectively, and therefore claims 10-14 are rejected with the same rationale given above to reject claims 1-4 and 7, respectively.

As per claims 16-19:
Claims 16-19 are directed to a non-transitory computer readable storage medium storing instructions that, when executed by at least one processor of a computing system, have substantially similar claimed features as recited in corresponding claims 1-3 and 7, respectively, and therefore claims 16-19 are rejected with the same rationale given above to reject claims 1-3 and 7, respectively.

Claims 8-9, 15 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Chari et al. (hereinafter referred to as Chari, U.S. Pub. No. 20170286671) in view of KUMAR et al. (hereinafter referred to as KUMAR, U.S. Pub. No. 20130298244) and in further view of Palani et al. (hereinafter referred to as Palani, U.S. Pub. No. 2018/0191781).


Chari and KUMAR do not explicitly disclose wherein the instructions, when executed by the at least one computing device processor, further enables the computing system to provide: an insight recommending component configured to generate a report including an indication of at least one of a security action or the identified one of the asset, the user, or the security threat. Palani, in analogous art however, discloses wherein the instructions, when executed by the at least one computing device processor, further enables the computing system to provide: an insight recommending component configured to generate a report including an indication of at least one of a security action or the identified one of the asset, the user, or the security threat (0032-0033: a data insights platform may include a reporting framework, and aggregation store, and data insights API, where contextual searches may be performed on the aggregated data (correlated and multi-stage evaluated) through the data insights API; 0044-0045: a data insights platform for a security and compliance environment, the data insights platform may focus and/or filter the queries on a portion of the collected and correlated signals based on a context of the query in relation to the collected and correlated signals. The data insights platform may then reply to the query with a comprehensive analysis report). Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the threat analysis service in claimed limitations disclosed by Chari and KUMAR to include wherein the instructions, when executed by the at least one computing device processor, further enables the computing system to provide: an insight recommending component configured to generate a report including an indication of at least one of a security action or the identified one of the asset, the user, or the security threat.

As per claim 9:
Palani discloses wherein the security action includes one of locking an electronic asset; contacting an authorized user of the electronic asset; supplementing information associated with one of the electronic asset, the user, and the security threat; and suspending operation of at least one operation on the electronic asset (0030: security compliance rules; 0038: data categories, threats, security and compliance configurations, analyses results, and configuration controls, 0043).

As per claims 15 and 20:
Claim 15 is directed to a computer-implemented method and claim 20 is directed to a non-transitory computer readable storage medium storing instructions that, when executed by at least one processor of a computing system having substantially similar claimed features are as 


BRI (Broadest Reasonable Interpretation)
The above claims under examination have been given their BRI consistent with the applicant’s disclosure, as it would be interpreted by one of ordinary skill in the art. The following claim words, terms or phrases have been given the following reasonable BRI considerations in view of the applicant’s disclosure in order to construe the boundary and scope of the claimed limitations. For example, for these claim words, terms or phrases, the examiner recites BRI considerations from the applicant’s disclosure as follows:

[0055: Classifiers] The data sets can be analyzed to augment the data. For example, in various embodiments, a threat analysis service can include one or more classifiers 204. The classifiers 204 may execute any suitable machine learning procedures, rule-based classification techniques, heuristic techniques, or some combination thereof. The type of classifier may vary and may depend on ease of implementation and maintenance and/or cost. Each classifier can be trained to classify or otherwise augment data in the data sets for incoming data prior to storage, after data storage, or a combination thereof, for existing and/or new data. The classifiers can include asset classifier 312, user classifier 314, and threat classifier 316, among other such classifiers. Asset classifier 312 can be trained to analyze asset data 304 to classify an asset into a 

[0021, 0062; 0048; 0052: Subject]: a query associated with a subject, the subject being at least one of an asset, a user, or a security threat; determine a correlator of a set of correlators based at least in part on the subject; identify at least one of an asset, a user, or security threat associated with the subject; and perform a security action affecting the subject and an identified one of the asset, the user, or the security threat.



[0057: Inferred properties] A threat analysis service can then supplement a particular asset's data with information such as the user's geographic location as well as inferred properties such as the user's functional role within an organization.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See the notice of references cited in form PTO-892 for additional prior art.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TECHANE GERGISO whose telephone number is (571)272-3784.  The examiner can normally be reached on 9:30am to 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG W KIM can be reached on 5712723804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.







/TECHANE GERGISO/Primary Examiner, Art Unit 2494