DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
This office action is in response to the amendment filed on 03/12/2021.
Claims 1-9 and 11-21 are pending for examination. Applicant amends claims 1, 5-8, 11, and 18-20, cancels claim 10 and adds claim 21. The amendments have been fully considered and entered.

Response to Arguments
For convenience, the newly introduced limitations, as made by amendments, are marked as underlined.
Applicant's arguments in the Remarks filed on 03/12/2021 with respect to the rejection of claims 1, 11, and 18 under 35 U.S.C. § 103 have been considered but are moot in light of the new reference(s) used in the current rejection. The new reference(s) was/were necessitated by the amendment filed by the applicant. The rejection is presented below.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


Claims 1-9 and 11-21 are rejected under 35 U.S.C. 103 as being unpatentable over Seigel et al. (US 20170163650 A1; hereinafter “Seigel”) in view of Allen et al. (US 20170078309 A1; hereinafter “Allen”), Raghuramu et al. (US 20190306731 A1; hereinafter “Raghuramu”), and further in view of Weingarten et al. (US 20190052659 A1; hereinafter “Weingarten”).
As per claims 1, 11, and 18, Seigel discloses: a method, computer-readable medium, and computer device for reducing computer security threats in a network, comprising:
a memory to store data and instructions (Seigel, Fig. 5, memory 504); and 
a processor in communication with the memory to execute the instructions to (Seigel, Fig. 5, processor 502): 
monitor a usage behavior for a plurality of computer devices in the network (Seigel, [0013] and [0025]-[0029], monitor usage/behavior of privileges associated with user accounts across an enterprise), wherein the usage behavior identifies applications or services that: 
the plurality of computer devices are configured to execute during a monitoring time period (Seigel, [0013] and [0025]-[0029], monitor usage/behavior of privileges associated with user accounts across an enterprise using event data collected over a period of time, wherein the user accounts correspond to a user device 104, [0017] and [0033], wherein execution of privileges include access to resources including access to and
include computer capabilities that represents a security vulnerability (Seigel, [0013], privileges include accessing resources (e.g., a server, a database, a workstation, a folder, or the like) in a computing system, [0030], where the resources (e.g., files and folders) include sensitive data);
identify attack surface reduction (ASR) parameters for each cluster, wherein the ASR parameters identify a capability of the computer devices in each clusters that is configured to be selectively disabled to improve cyber security profile (Seigel, [0058], identifying access privileges (i.e., ASR parameters) for each group/cluster for accessing resources (i.e., applications/services), wherein the access privileges for the group/cluster may be selectively removed); and 
selectively disable, based at least on the ASR parameters, the identified capability of the computer devices in each cluster (Seigel, [0058], removing privileges that are unused or seldom used for the group of users).
While Seigel discloses: wherein the usage behavior identifies applications or services that include computer capabilities that represents a security vulnerability (Seigel, [0013]), Seigel does not explicitly disclose, however, Allen teaches or suggests: monitoring software applications, system services, ports, and computer capabilities that represent a security vulnerability (Allen, [0031], state information, e.g., installed applications (i.e., applications), service settings (i.e., system services), operating system information (i.e., system services), and port settings (i.e., ports), and event information, e.g., application launch events (i.e., applications), operating system updates (i.e., 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of Seigel to include monitoring software applications, system services, ports, and computer capabilities that represent a security vulnerability as taught by Allen for the benefit of detecting actual and/or potential vulnerabilities associated with various assets (devices) connected to a computer network (Allen, [0006]).
While the combination of Seigel and Allen teaches monitoring usage behavior identifying applications or services that include software application, system services, ports, and computer capabilities that represents a security vulnerability, the combination does not explicitly disclose, however Raghuramu teaches or suggests: monitoring protocols (Raghuramu, [0045], monitoring communication using a variety of protocols, e.g., file transfer protocol (FTP) and remote desktop protocol (RDP)).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Seigel to include monitoring protocols as taught by Raghuramu for the benefit of preventing unauthorized or rogue devices from accessing network resources (Raghuramu, [0002]).
While the modified Seigel discloses removing privileges for a group of users, Seigel does not explicitly disclose, however, Weingarten teaches or suggests: clustering 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Seigel to include clustering computer devices, based on the usage behavior, into clusters as taught by Weingarten for the benefit of dynamically identifying groups of end points and automatically setting access restrictions for the groups, which enhances security, management, control, access, and supervision of computer networks that are more suitable to modern networks (Weingarten, [0166] and [0003]).
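The procedure the examiner reads onto the combined references above (monitor usage behavior, cluster devices by that behavior, identify per-cluster ASR parameters, selectively disable them, and re-enable on request) is illustrated by the following added Python example; it is not code from the application or from any cited reference. Device names, capability labels, the greedy Jaccard clustering and the 0.5 similarity threshold are constructed for illustration only.

```python
# Constructed sample (not from the application or cited references): capabilities each
# device is provisioned with, and the subset actually seen executing during the window.
PROVISIONED = {
    "ws-01": {"browser", "office", "smb", "rdp", "ftp"},
    "ws-02": {"browser", "office", "smb", "rdp", "ftp"},
    "srv-01": {"ssh", "smb", "ftp", "rdp"},
    "srv-02": {"ssh", "smb", "ftp", "rdp"},
}
OBSERVED = {
    "ws-01": {"browser", "office", "smb"},
    "ws-02": {"browser", "office"},
    "srv-01": {"ssh", "smb", "ftp"},
    "srv-02": {"ssh", "smb"},
}

def jaccard(a, b):
    """Similarity of two usage sets; two empty sets count as identical."""
    return len(a & b) / len(a | b) if a | b else 1.0

def cluster_devices(observed, threshold=0.5):
    """Greedy clustering: join the first cluster whose founder's usage is similar enough."""
    clusters = []  # list of (founding member's usage set, [device ids])
    for dev, used in sorted(observed.items()):
        for rep, members in clusters:
            if jaccard(used, rep) >= threshold:
                members.append(dev)
                break
        else:
            clusters.append((set(used), [dev]))
    return [members for _, members in clusters]

def asr_parameters(cluster, provisioned, observed):
    """Capabilities provisioned on some member of the cluster but executed by none."""
    available = set().union(*(provisioned[d] for d in cluster))
    used = set().union(*(observed[d] for d in cluster))
    return available - used

def apply_asr(provisioned, observed, threshold=0.5):
    """Cluster the fleet, then disable each cluster's ASR parameters on its members."""
    effective = {}
    for cluster in cluster_devices(observed, threshold):
        disabled = asr_parameters(cluster, provisioned, observed)
        for d in cluster:
            effective[d] = provisioned[d] - disabled  # post-disable capability set
    return effective

def reenable(device, capability, provisioned, observed):
    """Re-enable request (claims 5/6): record the capability as used, then recluster."""
    updated = {d: s | ({capability} if d == device else set()) for d, s in observed.items()}
    return apply_asr(provisioned, updated)
```

Because ASR parameters are computed per cluster, a single device's re-enable request restores the capability for every member of the cluster it lands in after reclustering, which is the trade-off between cluster size and coverage that claim 8 addresses.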

As per claims 2, 12, and 19, claims 1, 11, and 18 are incorporated, respectively, and the modified Seigel does not disclose, however, Weingarten teaches or suggests: grouping a first set of computer devices from the plurality of computer devices in a first cluster based on the usage behavior (Weingarten, [0107] and [0091], first grouping 128 of endpoints based on usage); and 
grouping a second set of computer devices from the plurality of computer devices in a second cluster based on the usage behavior (Weingarten, [0107] and [0091], second grouping 130 of endpoints based on usage). 
 It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the 

As per claims 3, 13, and 20, claims 2, 12, and 19 are incorporated, respectively, and the modified Seigel discloses: wherein the instructions to identify the ASR parameters for each of the one or more clusters, further include instructions to: identify a first set of ASR parameters to the first set of computer devices (Seigel, [0032], “supervisor group may include user accounts of supervisors with access to adding, deleting, and modifying work schedules of customer service agents to a work schedule computer”); and 
identify a second set of ASR parameters to the second set of computer devices, wherein the first ASR parameters and the second ASR parameters are different (Seigel, [0032], “manager group may include user accounts of managers with access to all components in the computing system 100, including a management computer used to store accounts payable, accounts receivable, and other information related to the business”).  

As per claims 4 and 14, claims 1 and 11 are incorporated, respectively, and the modified Seigel discloses: wherein the usage behavior further identifies nonuse applications that each of the plurality of computer devices has failed to execute during 

As per claims 5, 15, and 21, claims 1, 11, and 18 are incorporated, respectively, and the modified Seigel discloses: receiving a request from at least one computer device of the plurality of computer devices to re-enable a disabled capability (Seigel, [0021], a user with a user account for which access privileges have been removed or reduced may submit an access request. A system administrator may receive the access request and verify (i) that the user account is to have access to the resource); and 
enabling the disabled capability for the at least one computer device of the plurality of computer devices based on the request (Seigel, [0021], system administrator enables the user account to have access to the resource).  

As per claims 6 and 16, claims 5 and 15 are incorporated, respectively, and the modified Seigel discloses: regrouping the at least one computer device requesting re-enablement of the disabled capability to a different cluster (Seigel, [0021], the user that requests access privileges to be reinstated is regrouped to belong to a certain group with the same privileges).  

As per claim 7, claim 1 is incorporated and the modified Seigel discloses: periodically reviewing machine behavior in the one or more clusters (Seigel, [0022], periodically re-checks which user accounts have which privileges and can access which 
modifying the applied ASR parameters to improve overall cyber hygiene and cluster productivity (Seigel, [0058], removing privileges that are unused or seldom used for the group of users).  

As per claim 8, claim 1 is incorporated and the modified Seigel discloses: periodically reviewing cluster allocation of the one or more clusters and the applied ASR parameters (Seigel, [0038], periodically re-checks user accounts privileges and automatically adjusts the privileges based on usage, [0038], periodically re-checking could be done on a group basis); and
applying the usage behavior learned to further decrease cluster size of the clusters and increase ASR security prevention coverage (Seigel, [0020], user account may be removed from one or more groups that have been granted access to the resource, thereby preventing the user account from accessing the resource, in other words, cluster size may decrease by removing user accounts in order to increase access security of the system based on privilege usage).

As per claims 9 and 17, claims 1 and 11 are incorporated, respectively, and the modified Seigel discloses: wherein the capabilities of the plurality of computer devices include one or more of applications, services, or functionalities available for execution or use (Seigel, [0013], privileges include accessing resources (e.g., a server, a database, a workstation, a folder, or the like) in a computing system).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Refer to PTO-892, Notice of References Cited for a listing of analogous art.  
Purushothaman et al. (US 20170171208 A1) discloses identifying a user group that has not used granted permissions during a predetermined time period and removing the unused permissions from the user group ([0079]).
Venkatramani et al. (US 20170163666 A1) discloses monitoring stateful connections, e.g., Transmission Control Protocol, or stateless connections, e.g., User Datagram Protocol, for detecting and responding to security threats ([0051]).

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALEXANDER R LAPIAN whose telephone number is (571)272-7552.  The examiner can normally be reached on M-F 9:30-6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on 571-272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


ALEXANDER R. LAPIAN
Examiner
Art Unit 2437



/ALEXANDER R LAPIAN/Examiner, Art Unit 2437
/KRISTINE L KINCAID/Supervisory Patent Examiner, Art Unit 2437