Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 06-13-2019 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 

(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “task scheduler is configured to allocate…” in claim 25.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim limitation “task scheduler is configured to allocate…” in claim 25 invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA  35 U.S.C. 112, second paragraph.
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c)        Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 

(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.

Claim Rejections - 35 USC § 101 (Abstract Idea)
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1 – 7, 9 – 15, 17 – 23 and 25 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more, as analyzed according to the 2019 Revised Patent Subject Matter Eligibility Guidance (“2019 PEG”). The claim recites scheduling prioritized task(s) from a set based on the seriousness of the alert, performing root-cause analysis, re-assessing the severity of the alert and adjusting prioritized task execution.
Step 1: Claims 1, 9, 17 and 25 do fall into one of the four statutory categories of method and system claims. Nevertheless, the claims are still considered an abstract idea for the following prongs and reasons.
Step 2A: Prong 1: The limitation of claims 1, 9, 17 and 25 recites: scheduling prioritized task(s) from a set based on the seriousness of the alert, performing root-cause analysis, re-assessing the 
Dependent claims 2 – 7, which in turn recite performing an interrupt and resumption action for a task, setting waypoints (a.k.a. breakpoints), interrupting at a waypoint and resuming at the same point, causality tracking using a causal graph, and selecting tasks with highest priority based on suspicious behavior, are mere structural addendums and are other steps that could be performed by a human manually with or without need for a computer. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in a human-organized way but for the recitation of generic computer components, then it falls within the “certain methods of organizing human activities” grouping of abstract ideas and can be done manually. The same reasoning is attributed to the other dependent claims 8 – 15 and 18 – 23. Accordingly, the claim recites an abstract idea.
Prong 2: This judicial exception is not integrated into a practical application. In particular, the claims do not recite any additional element to perform beyond routine steps of: scheduling prioritized task(s) from a set based on the seriousness of the alert, performing root-cause analysis, re-assessing the severity of the alert and adjusting prioritized task execution. The steps spec. [0034]) such that it amounts no more than mere instructions to apply the exception using generic computer components). Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. Therefore the claims are directed to an abstract idea.
Step 2B: The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, scheduling prioritized task(s) from a set based on the seriousness of the alert, performing root-cause analysis, re-assessing the severity of the alert and adjusting prioritized task execution amounts to no more than mere instructions to apply the exception using generic computer terms. Mere instructions to apply an exception using generic computer components cannot provide an inventive concept. The claims are not patent eligible. Therefore all the corresponding dependent claims 2 – 7, 8 – 15 and 18 – 23 are also rejected for the same rationale.
Note: claims 8, 16 and 24 are not considered abstract and therefore these claims are not rejected under this statute.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1 – 3, 5 – 7, 9 – 11, 13 – 15, 17 – 19, 21 – 23 and 25 are rejected under 35 U.S.C. 103 as being unpatentable over Krisher et al. (US 8984643), hereafter Kris, and Zafer et al. (US 10666494), hereafter Zafer.
Claim 1: Kris teaches a method for real-time processing of security alerts received from one or more alerting sources, comprising: scheduling execution of a set of one or more tasks, wherein a col. 2 lines 63-66: a set of remediations associated with a risk score and a set of vulnerabilities are identified (col. 12 lines 51-57) for timed application of remediations to resolve a vulnerability of a computing asset);
and wherein a priority of execution of a particular task is based at least in part on a severity of the particular alert; (col. 3 lines 64-67: the vulnerability threat management platform provides a ranked or ordered list of vulnerabilities which represent the order in which the vulnerabilities should be addressed, such that the vulnerability that poses the most significant threat is addressed first and the one that poses the least significant threat is addressed last);
and adjusting a priority of execution of the particular task based at least in part on re-assessment of the severity of the particular alert; (col. 11 lines 13-16: user changes priority value of a particular asset, causing risk score to be adjusted based on the newly given importance to the particular asset… (col. 13 lines 17-25) for each remediation in the set of remediations, an amount that the risk score would be reduced if said each remediation is applied to a corresponding vulnerability in the set of vulnerabilities is determined. The set of remediations is ordered based on the amount the risk score is reduced by each remediation in the set of remediations and based on the updated risk score).
wherein the set of one or more tasks are executed in a set of computing resources. (col. 11 lines 49-51: list of remediations to resolve the vulnerabilities of the computing asset).
Kris teaches the claimed concept but is silent on as the particular task executes, performing priority-based causality tracking around the particular alert; based at least in part on results of the priority-based causality tracking, re-assessing the severity of the particular alert;
col. 23 lines 54-59: first applies a possible control and checks if a high-level objective (i.e., priority causal analysis) is achieved. If so, the system backs off the remediation and/or applies a different but lighter remediation and checks again if the high-level objective is still achieved... (col. 27 lines 45-48) the root cause is then established by measuring a vector of "symptoms" that manifested at the same time instances as when the incident was occurring);
based at least in part on results of the priority-based causality tracking, re-assessing the severity of the particular alert; (col. 23 lines 59-63: If the root-cause is not remedied, the system attempts to apply a heavier control and/or re-diagnose (i.e., re-assess) the higher-layer objective to low-layer control primitives binding and apply a different control);
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kris to include the idea of determining root cause analysis during a task execution and re-assessing the severity of alert as taught by Zafer thus the customer can completely eliminate the additional costs associated with searching for a solution for a particular vulnerability and/or determining which of the available solutions will most significantly reduce the computing asset's risk score (col. 4 lines 47-51).
Claim 9: Kris teaches an apparatus, comprising: a processor; computer memory holding computer program instructions executed by the processor to provide real-time processing of security alerts received from one or more alerting sources, the computer program instructions, when executed by the processor, are configured to (Figs. 2 & 8): schedule execution of a set of one or more tasks, wherein a task in the set is associated to process a particular alert, and wherein a priority of execution of a particular task is based at least in part on a severity of the particular col. 2 lines 63-66: a set of remediations associated with a risk score and a set of vulnerabilities are identified (col. 12 lines 51-57) for timed application to resolve a vulnerability of a computing asset; col. 3 lines 64-67: the vulnerability threat management platform provides a ranked or ordered list of vulnerabilities which represent the order in which the vulnerabilities should be addressed, such that the vulnerability that poses the most significant threat is addressed first and the one that poses the least significant threat is addressed last; col. 11 lines 13-16: user changes priority value of a particular asset, causing risk score to be adjusted based on the newly given importance to the particular asset… (col. 13 lines 17-25) for each remediation in the set of remediations, an amount that the risk score would be reduced if said each remediation is applied to a corresponding vulnerability in the set of vulnerabilities is determined. The set of remediations is ordered based on the amount the risk score is reduced by each remediation in the set of remediations and based on the updated risk score; col. 11 lines 49-51: list of remediations to resolve the vulnerabilities of the computing asset);
Kris teaches the claimed concept but is silent on as the particular task executes, perform priority-based causality tracking around the particular alert; based at least in part on results of the priority-based causality tracking, re-assess the severity of the particular alert;
But the analogous art Zafer teaches as the particular task executes, perform priority-based causality tracking around the particular alert; based at least in part on results of the priority-based causality tracking, re-assess the severity of the particular alert; (col. 23 lines 54-59: first applies a possible control and checks if a high-level objective (i.e., priority causal analysis) is achieved. If so, the system backs off the remediation and/or applies a different but lighter remediation and checks again if the high-level objective is still achieved... (col. 27 lines 45-48) the root cause is then established by measuring a vector of "symptoms" that manifested at the same time instances as when the incident was occurring; col. 23 lines 59-63: If the root-cause is not remedied, the system attempts to apply a heavier control and/or re-diagnose (i.e., re-assess) the higher-layer objective to low-layer control primitives binding and apply a different control);
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kris to include the idea of determining root cause analysis during a task execution and re-assessing the severity of alert as taught by Zafer thus the customer can completely eliminate the additional costs associated with searching for a solution for a particular vulnerability and/or determining which of the available solutions will most significantly reduce the computing asset's risk score (col. 4 lines 47-51).
Claim 17: Kris teaches a computer program product in a non-transitory computer readable medium for use in a data processing system to provide real-time processing of security alerts received from one or more alerting sources, the computer program product holding computer program instructions that, when executed by the data processing system, are configured to (Figs. 2 & 8): schedule execution of a set of one or more tasks, wherein a task in the set is associated to process a particular alert, and wherein a priority of execution of a particular task is based at least in part on a severity of the particular alert; and adjust a priority of execution of the particular task based at least in part on re- assessment of the severity of the particular alert. (col. 2 lines 63-66: a set of remediations associated with a risk score and a set of vulnerabilities are identified (col. 12 lines 51-57) for timed application to resolve a vulnerability of a computing asset; col. 3 lines 64-67: the vulnerability threat management platform provides a ranked or ordered list of vulnerabilities which represent the order in which the vulnerabilities should be addressed, such that the vulnerability that poses the most significant threat is addressed first and the one that poses the least significant threat is addressed last; col. 11 lines 13-16: user changes priority value of a particular asset, causing risk score to be adjusted based on the newly given importance to the particular asset… (col. 13 lines 17-25) for each remediation in the set of remediations, an amount that the risk score would be reduced if said each remediation is applied to a corresponding vulnerability in the set of vulnerabilities is determined. The set of remediations is ordered based on the amount the risk score is reduced by each remediation in the set of remediations and based on the updated risk score; col. 11 lines 49-51: list of remediations to resolve the vulnerabilities of the computing asset);
Kris teaches the claimed concept but is silent on as the particular task executes, perform priority-based causality tracking around the particular alert; based at least in part on results of the priority-based causality tracking, re-assess the severity of the particular alert;
But the analogous art Zafer teaches as the particular task executes, perform priority-based causality tracking around the particular alert; based at least in part on results of the priority-based causality tracking, re-assess the severity of the particular alert; (col. 23 lines 54-59: first applies a possible control and checks if a high-level objective (i.e., priority causal analysis) is achieved. If so, the system backs off the remediation and/or applies a different but lighter remediation and checks again if the high-level objective is still achieved... (col. 27 lines 45-48) the root cause is then established by measuring a vector of "symptoms" that manifested at the same time instances as when the incident was occurring; col. 23 lines 59-63: If the root-cause is not remedied, the system attempts to apply a heavier control and/or re-diagnose (i.e., re-assess) the higher-layer objective to low-layer control primitives binding and apply a different control);
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kris to include the idea of determining root cause analysis during a task execution and re-assessing the severity of alert as taught by Zafer thus the customer can completely eliminate the additional costs associated with searching for a solution for a particular vulnerability and/or determining which of the available solutions will most significantly reduce the computing asset's risk score (col. 4 lines 47-51).
Claim 25: Kris teaches a computing system for security alert processing, comprising: a task scheduler; and a set of workers; the task scheduler configured to allocate a set of computing resources in the computing system preferentially to execute, by the workers, a set of alert reasoning tasks (Figs. 2 & 8), wherein an alert with a highest severity is assigned a highest priority of execution; wherein partial causality tracking results generated during processing of one or more alert reasoning tasks are saved for reuse to avoid recomputation; wherein the task scheduler and the set of workers are implemented as software executing in hardware. (col. 2 lines 63-66: a set of remediations associated with a risk score and a set of vulnerabilities are identified (col. 12 lines 51-57) for timed application to resolve a vulnerability of a computing asset; col. 3 lines 64-67: the vulnerability threat management platform provides a ranked or ordered list of vulnerabilities which represent the order in which the vulnerabilities should be addressed, such that the vulnerability that poses the most significant threat is addressed first and the one that poses the least significant threat is addressed last; col. 6 lines 2-5: vulnerability, exploit and breach data received at threat data unit is stored in storage unit according to vulnerability identifier; col. 8 lines 38-40: periodically analyze vulnerabilities of each customer against the received breach data; col. 11 lines 13-16: user changes priority value of a particular asset, causing risk score to be adjusted based on the newly given importance to the particular asset… (col. 13 lines 17-25) for each remediation in the set of remediations, an amount that the risk score would be reduced if said each remediation is applied to a corresponding vulnerability in the set of vulnerabilities is determined. 
The set of remediations is ordered based on the amount the risk score is reduced by each remediation in the set of remediations and based on the updated risk score; col. 11 lines 49-51: list of remediations to resolve the vulnerabilities of the computing asset);
Kris teaches the claimed concept but is silent on the task scheduler further configured to adjust a priority of execution of one or more alert reasoning tasks upon a determination, by one of the workers, that another alert should be assigned the highest severity; wherein the determination is based at least in part on priority-based causality tracking around an alert;
But the analogous art Zafer teaches the task scheduler further configured to adjust a priority of execution of one or more alert reasoning tasks upon a determination, by one of the workers, that another alert should be assigned the highest severity; wherein the determination is based at least in part on priority-based causality tracking around an alert; (col. 23 lines 54-59: first applies a possible control and checks if a high-level objective (i.e., priority causal analysis) is achieved. If so, the system backs off the remediation and/or applies a different but lighter remediation and checks again if the high-level objective is still achieved... (col. 27 lines 45-48) the root cause is then established by measuring a vector of "symptoms" that manifested at the same time instances as when the incident was occurring; col. 23 lines 59-63: If the root-cause is not remedied, the system attempts to apply a heavier control and/or re-diagnose (i.e., re-assess) the higher-layer objective to low-layer control primitives binding and apply a different control);
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kris to include the idea of determining root cause analysis during a task execution and re-assessing the severity of alert as taught by Zafer thus the customer can completely eliminate the additional costs associated with searching for a solution for a particular vulnerability and/or determining which of the available solutions will most significantly reduce the computing asset's risk score (col. 4 lines 47-51).
Claim 2: the combination of Kris and Zafer teaches the method as described in claim 1 further including taking a given action with respect to the execution of the particular task. (Kris: col. 11 lines 13-16: user changes priority value of a particular asset, causing risk score to be adjusted based on the newly given importance to the particular asset).
Claim 3: the combination of Kris and Zafer teaches the method as described in claim 2 wherein the given action is one of: interrupting the particular task, and resuming the particular task. (Zafer: col. 24 lines 40-44: the manager sends instructions to the collector to command the controller to tell the appropriate network elements to (a) prioritize user X --->application Z traffic over other traffic, (b) disallow traffic involving application W).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kris to include the idea of interrupting and resuming jobs as taught by Zafer thus the customer can completely eliminate the additional costs associated with searching for a solution for a particular vulnerability and/or determining which of the available solutions will most significantly reduce the computing asset's risk score (col. 4 lines 47-51).
Claim 5: the combination of Kris and Zafer teaches the method as described in claim 1 wherein performing priority-based causality tracking around the particular alert identifies, for each entity of one or more entities in a causal graph, one or more causal paths from the particular alert to the entity, and for each such causal path, a priority. (Zafer: cols. 1, 2 lines 64-67, 1-7: collecting all the network incidents related to a particular network issue over a time period and aggregating client incident hours across a collection of network incidents by grouping the network incidents according to root-cause symptoms; and based on the analysis of the network incident graph, generating and displaying a list of remediation recommendations, wherein each remediation recommendation includes a systemic issue in the network, a remediation to resolve the systemic issue, and a quantified expected benefit from implementing the remediation).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kris to include the idea of performing causality tracking as taught by Zafer thus the customer can completely eliminate the additional costs associated with searching for a solution for a particular vulnerability and/or determining which of the available solutions will most significantly reduce the computing asset's risk score (col. 4 lines 47-51).
Claim 6: the combination of Kris and Zafer teaches the method as described in claim 5 further including selecting an entity bearing a highest priority and performing additional causality tracking with respect to the selected entity. (Kris: col. 8 lines 38-40: periodically analyze vulnerabilities of each customer against the received breach data; col. 11 lines 13-16, 23-30: user changes priority value of a particular asset, causing risk score to be adjusted based on the newly given importance to the particular asset. Vulnerabilities of the computing asset determined are based on vulnerability data provided by a customer, a risk score for the computing asset is generated based on the plurality of vulnerabilities. The risk score for the computing asset is based on certain contextual factors such as importance of the asset to the customer).
Claim 7: the combination of Kris and Zafer teaches the method as described in claim 1 wherein a priority of execution increases as a result of the priority-based causality tracking indicating suspicious behavior. (Zafer: col. 23 lines 19-22: the manager computes the initial update control to the programmable network elements based on the high-level policies, problems, security requirements, anomalies and (col. 33 lines 23-25) list of remediation recommendations is ranked, sorted, and/or prioritized based on one or more various factors).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kris to include the idea of performing prioritized causality tracking as taught by Zafer thus the customer can completely eliminate the additional costs associated with searching for a solution for a particular vulnerability and/or determining which of the available solutions will most significantly reduce the computing asset's risk score (col. 4 lines 47-51).
Claim 10: the combination of Kris and Zafer teaches the apparatus as described in claim 9 wherein the program instructions are further configured to take a given action with respect to the execution of the particular task. (Kris: col. 11 lines 13-16: user changes priority value of a particular asset, causing risk score to be adjusted based on the newly given importance to the particular asset).
Claim 11: the combination of Kris and Zafer teaches the apparatus as described in claim 10 wherein the given action is one of: interrupting the particular task, and resuming the particular Zafer: col. 24 lines 40-44: the manager sends instructions to the collector to command the controller to tell the appropriate network elements to (a) prioritize user X --->application Z traffic over other traffic, (b) disallow traffic involving application W).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kris to include the idea of interrupting and resuming jobs as taught by Zafer thus the customer can completely eliminate the additional costs associated with searching for a solution for a particular vulnerability and/or determining which of the available solutions will most significantly reduce the computing asset's risk score (col. 4 lines 47-51).
Claim 13: the combination of Kris and Zafer teaches the apparatus as described in claim 9 wherein the program code configured to perform priority-based causality tracking around the particular alert comprises program code further configured to identify, for each entity of one or more entities in a causal graph, one or more causal paths from the particular alert to the entity, and for each such causal path, a priority. (Zafer: cols. 1, 2 lines 64-67, 1-7: collecting all the network incidents related to a particular network issue over a time period and aggregating client incident hours across a collection of network incidents by grouping the network incidents according to root-cause symptoms; and based on the analysis of the network incident graph, generating and displaying a list of remediation recommendations, wherein each remediation recommendation includes a systemic issue in the network, a remediation to resolve the systemic issue, and a quantified expected benefit from implementing the remediation).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kris to include the idea of performing col. 4 lines 47-51).
Claim 14: the combination of Kris and Zafer teaches the apparatus as described in claim 13 wherein the program code is further configured to select an entity bearing a highest priority and to perform additional causality tracking with respect to the selected entity. (Kris: col. 8 lines 38-40: periodically analyze vulnerabilities of each customer against the received breach data; col. 11 lines 13-16, 23-30: user changes priority value of a particular asset, causing risk score to be adjusted based on the newly given importance to the particular asset. Vulnerabilities of the computing asset determined are based on vulnerability data provided by a customer, a risk score for the computing asset is generated based on the plurality of vulnerabilities. The risk score for the computing asset is based on certain contextual factors such as importance of the asset to the customer).
Claim 15: the combination of Kris and Zafer teaches the apparatus as described in claim 9 wherein a priority of execution increases as a result of the priority-based causality tracking indicating suspicious behavior. (Zafer: col. 23 lines 19-22: the manager computes the initial update control to the programmable network elements based on the high-level policies, problems, security requirements, anomalies and (col. 33 lines 23-25) list of remediation recommendations is ranked, sorted, and/or prioritized based on one or more various factors).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kris to include the idea of performing prioritized causality tracking as taught by Zafer thus the customer can completely eliminate the col. 4 lines 47-51).
Claim 18: the combination of Kris and Zafer teaches the computer program product as described in claim 17 wherein the program instructions are further configured to take a given action with respect to the execution of the particular task. (Kris: col. 11 lines 13-16: user changes priority value of a particular asset, causing risk score to be adjusted based on the newly given importance to the particular asset).
Claim 19: the combination of Kris and Zafer teaches the computer program product as described in claim 18 wherein the given action is one of: interrupting the particular task, and resuming the particular task. (Zafer: col. 24 lines 40-44: the manager sends instructions to the collector to command the controller to tell the appropriate network elements to (a) prioritize user X --->application Z traffic over other traffic, (b) disallow traffic involving application W).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kris to include the idea of interrupting and resuming jobs as taught by Zafer thus the customer can completely eliminate the additional costs associated with searching for a solution for a particular vulnerability and/or determining which of the available solutions will most significantly reduce the computing asset's risk score (col. 4 lines 47-51).
Claim 21: the combination of Kris and Zafer teaches the computer program product as described in claim 17 wherein the program code configured to perform priority-based causality tracking around the particular alert comprises program code further configured to identify, for each entity of one or more entities in a causal graph, one or more causal paths from the particular alert to the Zafer: cols. 1, 2 lines 64-67, 1-7: collecting all the network incidents related to a particular network issue over a time period and aggregating client incident hours across a collection of network incidents by grouping the network incidents according to root-cause symptoms; and based on the analysis of the network incident graph, generating and displaying a list of remediation recommendations, wherein each remediation recommendation includes a systemic issue in the network, a remediation to resolve the systemic issue, and a quantified expected benefit from implementing the remediation).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kris to include the idea of performing causality tracking as taught by Zafer thus the customer can completely eliminate the additional costs associated with searching for a solution for a particular vulnerability and/or determining which of the available solutions will most significantly reduce the computing asset's risk score (col. 4 lines 47-51).
Claim 22: the combination of Kris and Zafer teaches the computer program product as described in claim 21 wherein the program code is further configured to select an entity bearing a highest priority and to perform additional causality tracking with respect to the selected entity. (Kris: col. 8 lines 38-40: periodically analyze vulnerabilities of each customer against the received breach data; col. 11 lines 13-16, 23-30: user changes priority value of a particular asset, causing risk score to be adjusted based on the newly given importance to the particular asset. Vulnerabilities of the computing asset determined are based on vulnerability data provided by a customer, a risk score for the computing asset is generated based on the plurality of vulnerabilities. The risk score for the computing asset is based on certain contextual factors such as importance of the asset to the customer).
Claim 23: the combination of Kris and Zafer teaches the computer program product as described in claim 17 wherein a priority of execution increases as a result of the priority-based causality tracking indicating suspicious behavior. (Zafer: col. 23 lines 19-22: the manager computes the initial update control to the programmable network elements based on the high-level policies, problems, security requirements, anomalies and (col. 33 lines 23-25) list of remediation recommendations is ranked, sorted, and/or prioritized based on one or more various factors).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kris to include the idea of performing prioritized causality tracking as taught by Zafer thus the customer can completely eliminate the additional costs associated with searching for a solution for a particular vulnerability and/or determining which of the available solutions will most significantly reduce the computing asset's risk score (col. 4 lines 47-51).
Claims 4, 12 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kris and Zafer as applied to claims above, and further in view of Vadapandeshwara et al (US 20200097325), hereafter Vad.
Claim 4: the combination of Kris and Zafer teaches the method as described in claim 1 but is silent on further including: as each task executes, setting one or more waypoints for the task; upon interrupting execution of a particular task, saving the waypoints set for the particular task as partial causality tracking results, wherein the waypoints are saved in a space shared by all of the tasks; and upon task resumption, reusing the saved partial causality tracking results for the particular task to avoid recomputation of connections that reach the waypoints. 
(Vad: [0053] In the instance in which the run is presently being processed, the run would be stopped and the checkpoints saved, and the run would be restart from the checkpoints and the analytical application will load the updated dataframe for the impacted task(s) thereafter such that the remaining run from the checkpoints will be processed with the updated dataframe. In the instance in which the run is completed but prior to update/write-back events, the analytical application will re-execute the run and load the updated dataframe for the impacted task(s) as they arise such that run from the start will be processed with the updated dataframe).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Kris and Zafer to include the idea of having checkpoints and recomputing checkpoints as taught by Vad thus operation module facilitates a user in administration and processing of data to create the highest level of efficiency within the system and to derive results based on one or more specified rules ([0045]).
Claim 12: the combination of Kris and Zafer teaches the apparatus as described in claim 9 but is silent on wherein the program instructions are further configured to: as each task executes, set one or more waypoints for the task; upon interrupting execution of a particular task, save the waypoints set for the particular task as partial causality tracking results, wherein the waypoints are saved in a space shared by all of the tasks; and upon task resumption, reuse the saved partial 
But analogous art Vad teaches wherein the program instructions are further configured to: as each task executes, set one or more waypoints for the task; upon interrupting execution of a particular task, save the waypoints set for the particular task as partial causality tracking results, wherein the waypoints are saved in a space shared by all of the tasks; and upon task resumption, reuse the saved partial causality tracking results for the particular task to avoid recomputation of connections that reach the waypoints. (Vad: [0053] In the instance in which the run is presently being processed, the run would be stopped and the checkpoints saved, and the run would be restart from the checkpoints and the analytical application will load the updated dataframe for the impacted task(s) thereafter such that the remaining run from the checkpoints will be processed with the updated dataframe. In the instance in which the run is completed but prior to update/write-back events, the analytical application will re-execute the run and load the updated dataframe for the impacted task(s) as they arise such that run from the start will be processed with the updated dataframe).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Kris and Zafer to include the idea of having checkpoints and recomputing checkpoints as taught by Vad thus operation module facilitates a user in administration and processing of data to create the highest level of efficiency within the system and to derive results based on one or more specified rules ([0045]).
Claim 20: the combination of Kris and Zafer teaches the computer program product as described in claim 17 but is silent on wherein the program instructions are further configured to: as each task executes, set one or more waypoints for the task; upon interrupting execution of a particular 
But analogous art Vad teaches wherein the program instructions are further configured to: as each task executes, set one or more waypoints for the task; upon interrupting execution of a particular task, save the waypoints set for the particular task as partial causality tracking results, wherein the waypoints are saved in a space shared by all of the tasks; and upon task resumption, reuse the saved partial causality tracking results for the particular task to avoid recomputation of connections that reach the waypoints. (Vad: [0053] In the instance in which the run is presently being processed, the run would be stopped and the checkpoints saved, and the run would be restart from the checkpoints and the analytical application will load the updated dataframe for the impacted task(s) thereafter such that the remaining run from the checkpoints will be processed with the updated dataframe. In the instance in which the run is completed but prior to update/write-back events, the analytical application will re-execute the run and load the updated dataframe for the impacted task(s) as they arise such that run from the start will be processed with the updated dataframe).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Kris and Zafer to include the idea of having checkpoints and recomputing checkpoints as taught by Vad thus operation module facilitates a user in administration and processing of data to create the highest level of efficiency within the system and to derive results based on one or more specified rules ([0045]).
Claims 8, 16 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Kris and Zafer as applied to claims above, and further in view of Chen et al (US 20180034836), hereafter Chen.
Claim 8: the combination of Kris and Zafer teaches the method as described in claim 1 but is silent on wherein the particular alert is associated with an Advanced Persistent Threat (APT), and the particular task is a machine learning-based alert reasoning task. 
But analogous art Chen teaches wherein the particular alert is associated with an Advanced Persistent Threat (APT), and the particular task is a machine learning-based alert reasoning task. (Chen: [0022] particularly in an advanced persistent threat (APT) scenario, the alerts are widely spaced in time, with heterogeneous system entity information and [0038] Based on the predictive distributions learned by the Bayesian hierarchical modeling finds a set of highly correlated alert patterns).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Kris and Zafer to include the idea of having APT and machine learning modelling for alerts as taught by Chen so that ranking module determines which alerts and alert patterns are trustworthy and represent true positives ([0063]).
Claim 16: the combination of Kris and Zafer teaches the apparatus as described in claim 9 but is silent on wherein the particular alert is associated with an Advanced Persistent Threat (APT), and the particular task is a machine learning-based alert reasoning task. 
But analogous art Chen teaches wherein the particular alert is associated with an Advanced Persistent Threat (APT), and the particular task is a machine learning-based alert reasoning task. (Chen: [0022] particularly in an advanced persistent threat (APT) scenario, the alerts are widely spaced in time, with heterogeneous system entity information and [0038] Based on the predictive distributions learned by the Bayesian hierarchical modeling finds a set of highly correlated alert patterns).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Kris and Zafer to include the idea of having APT and machine learning modelling for alerts as taught by Chen so that ranking module determines which alerts and alert patterns are trustworthy and represent true positives ([0063]).
Claim 24: the combination of Kris and Zafer teaches the computer program product as described in claim 17 but is silent on wherein the particular alert is associated with an Advanced Persistent Threat (APT), and the particular task is a machine learning-based alert reasoning task. 
But analogous art Chen teaches wherein the particular alert is associated with an Advanced Persistent Threat (APT), and the particular task is a machine learning-based alert reasoning task. (Chen: [0022] particularly in an advanced persistent threat (APT) scenario, the alerts are widely spaced in time, with heterogeneous system entity information and [0038] Based on the predictive distributions learned by the Bayesian hierarchical modeling finds a set of highly correlated alert patterns).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Kris and Zafer to include the idea of having APT and machine learning modelling for alerts as taught by Chen so that ranking module determines which alerts and alert patterns are trustworthy and represent true positives ([0063]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
1. Nakawatase et al (US 8495747): Prioritizing asset remediations.
2. Mayer et al (US 8132260): Methods and apparatus for prioritization of remediation techniques for network security risks.
3. Iyer et al (US 20200162497): Prioritized remediation of information security vulnerabilities based on service model aware multi-dimensional security risk scoring.
4. Li; David (US 20170098087): Method and system for identification of security vulnerabilities.
5. Tamir et al (US 10015186): Method and apparatus for reducing security risk in a networked computer system architecture.
6. Stevens et al (US 10979446): Automated vulnerability chaining.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867.  The examiner can normally be reached on M-F: 7:45am-5pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T. Arani can be reached on 5712723787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.







/BADRINARAYANAN /Examiner, Art Unit 2438.