Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the instant Application 16453,462 filed on 6/26/2019. Claims 1-20 are pending. This Office Action is Non-Final.

Information Disclosure Statement
The information disclosure statement (IDS), submitted on 11/13/2019, is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.


Claim Rejections - 35 USC § 101
	35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 14-18 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.
	Regarding claim 14; claim 14 is rejected under 35 U.S.C. 101 because the claim is directed to non-statutory subject matter. Claim 14 recites “[a] computer storage medium”. Under a recent precedential opinion, the scope of the recited “computer storage medium” encompasses transitory media such as signals or carrier waves, where, as here, the Specification does not limit the computer readable storage Ex parte Mewherter, 107 USPQ2d 1857, 1862 (PTAB 2013) (precedential) (holding recited machine-readable storage medium ineligible under 35 U.S.C. § 101 since it encompassed transitory media). The Examiner respectfully suggests that the claim be amended to either “A non-transitory computer storage medium” or “a computer storage device” to make the claim statutory under 35 USC 101; (emphasis added).
	Regarding claims 15-18; claims 15-18 are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter for the same reasons.

Claim Interpretation
	The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: means for in claim 19.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1, 3, 5-10, 14-16 and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Krause et al. (US 2017/0244748) in view of Roundy et al. (US 9,256,739).
	As per claim 1, Krause teaches a computer-implemented method for exfiltrating event data from within a network, the method performed by a first computing device of a plurality of computing devices within the network, and the method comprising: generating, by the first computing device, a connectivity configuration and a neighborhood map (Krause, Paragraph 0055 recites “The network mapping module 318 may be configured to map or otherwise identify all devices in a specific network intermittently or continuously.”), 
	the generating based on a plurality of electronic messages exchanged with at least a second computing device of the plurality of computing devices, and an attempt by the first computing device to directly access a remote server device outside the network (Krause, Paragraph 0056 recites “The network mapping module 318 may be in communication with the whitelist/blacklist (WL/BL) module 322 which creates a list of permitted (accepted) devices. These devices maybe designated based on their operating system, MAC address, IP address, etc. This list may be designed to block non-approved devices from connecting to the network (and to other devices). Additionally, a user interface may enable a user to stop connections to devices that are not on the whitelist, or enable a user to add a certain device to the whitelist. The WL/BL module 322 may additionally or alternatively create a blacklist explicitly defining non-approved devices, such that any device on the blacklist is prohibited from connecting to the network and other devices.” Devices outside the network would be interpreted to be read by Krause, where it discusses on whether to block or allow communications to the network).
	obtaining, by the first computing device, a behavioral rule associated with a process of the second computing device, and a log associated with the process; based on the behavioral rule and the log, detecting, by the first computing device, a suspect event associated with the process (Krause, Paragraph 0100 recites “Step 806 involves determining a discrepancy between the prescribed behavior of the at least one node based on the at least one policy and actual behavior of the at least one node. For example, certain changes made to an application may suggest compromise by a third party. Or, attempts to initiate an outgoing FTP transfer may be indicative of an exfiltration attempt by a third party. Other types of behavior may relate to memory usage, a number of processes being executed, and processor load. These observations may represent discrepancies from the prescribed behavior of a node based on a policy, and information regarding the node's behavior may be gathered intermittently or continuously and sometimes at least substantially in real time.” And Paragraph 0049 recites “Any suspicious activity may be logged and categorized by a logging module 206. For example, an observed attempt by an executing suspect file to read a file and initiate an outgoing FTP transfer may be indicative of an exfiltration attempt. Based on these observations during the testing stage, the classification module 202 may classify the file as malicious or benign.”).
	But Krause fails to teach selecting, by the first computing device, the second computing device as a target device based on the generated connectivity configuration and the generated neighborhood map, the target device being selected from a group consisting 
	However, in an analogous art Roundy recites selecting, by the first computing device, the second computing device as a target device based on the generated connectivity configuration and the generated neighborhood map, the target device being selected from a group consisting of the remote server device and the plurality of computing devices; generating, by the first computing device, an event dataset associated with the detected suspect event; and communicating, by the first computing device, the generated event dataset to the selected target device (Roundy, Col. 12 Lines 37-60 recites “ Returning to FIG. 3, at step 306 one or more of the systems described herein may use the event-correlation graph constructed as part of step 304 to generate a procedure for remediating an effect of an attack on the computing system that is reflected in the event-correlation graph. For example, remediating module 108 may, as part of server 206 in FIG. 2, use event-correlation graph 230 to generate a procedure for remediating an effect of an attack reflected in event-correlation graph 230. Upon completion of step 306, exemplary method 300 in FIG. 3 may terminate. Remediating module 108 may use event-correlation graphs to generate procedures for remediating attacks reflected in the event-correlation graphs in any suitable manner. In general, remediating module 108 may use the forensic information contained in event-correlation graphs to generate procedures for remediating the actual global impact of the attacks reflected in the event-correlation graphs. 
In one example, remediating module 108 may use event-correlation graphs to generate any of a variety of steps for repairing, reducing, warning about, gathering information about, and/or otherwise addressing an impact of an attack on a computing system, an impact of an actor involved in an attack on a computing system, and/or an impact of a suspicious event involved in an attack on a computing system.” Examiner is interpreting that a warning regarding the event would read on selecting a second device and sending them a dataset regarding event.).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Roundy’s Systems and methods for using event-correlation graphs to generate remediation procedures with Krause’s Secure computing environment because the use of creating a dataset to be sent to a target would help inform the network of issues and help create remediation.

	As per claim 3, Krause in combination with Roundy teaches the method of claim 1, Krause further teaches receiving, by the first computing device, the log from one of the plurality of computing devices (Krause, Paragraph 0100 recites “Step 806 involves determining a discrepancy between the prescribed behavior of the at least one node based on the at least one policy and actual behavior of the at least one node. For example, certain changes made to an application may suggest compromise by a third party. Or, attempts to initiate an outgoing FTP transfer may be indicative of an exfiltration attempt by a third party. Other types of behavior may relate to memory usage, a number of processes being executed, and processor load. These observations may represent discrepancies from the prescribed behavior of a node based on a policy, and information regarding the node's behavior may be gathered intermittently or continuously and sometimes at least substantially in real time.” And Paragraph 0049 recites “Any suspicious activity may be logged and categorized by a logging module 206. For example, an observed attempt by an executing suspect file to read a file and initiate an outgoing FTP transfer may be indicative of an exfiltration attempt. Based on these observations during the testing stage, the classification module 202 may classify the file as malicious or benign.”).

	As per claim 5, Krause in combination with Roundy teaches the method of claim 1, Krause further teaches receiving, by the first computing device, another log associated with the process from the second computing device; and determining, by the first computing device, the behavioral pattern rule based at least in part on the received other log (Krause, Paragraph 0100 recites “Step 806 involves determining a discrepancy between the prescribed behavior of the at least one node based on the at least one policy and actual behavior of the at least one node. For example, certain changes made to an application may suggest compromise by a third party. Or, attempts to initiate an outgoing FTP transfer may be indicative of an exfiltration attempt by a third party. Other types of behavior may relate to memory usage, a number of processes being executed, and processor load. These observations may represent discrepancies from the prescribed behavior of a node based on a policy, and information regarding the node's behavior may be gathered intermittently or continuously and sometimes at least substantially in real time.” And Paragraph 0049 recites “Any suspicious activity may be logged and categorized by a logging module 206. For example, an observed attempt by an executing suspect file to read a file and initiate an outgoing FTP transfer may be indicative of an exfiltration attempt. Based on these observations during the testing stage, the classification module 202 may classify the file as malicious or benign.”).

	As per claim 6, Krause in combination with Roundy teaches the method of claim 1, Krause further teaches  receiving, by the first computing device, the behavioral pattern rule from the second computing device, wherein the second computing device is configured to determine the behavioral pattern rule based at least in part on another log associated with the process (Krause, Paragraph 0100 recites “Step 806 involves determining a discrepancy between the prescribed behavior of the at least one node based on the at least one policy and actual behavior of the at least one node. For example, certain changes made to an application may suggest compromise by a third party. Or, attempts to initiate an outgoing FTP transfer may be indicative of an exfiltration attempt by a third party. Other types of behavior may relate to memory usage, a number of processes being executed, and processor load. These observations may represent discrepancies from the prescribed behavior of a node based on a policy, and information regarding the node's behavior may be gathered intermittently or continuously and sometimes at least substantially in real time.” And Paragraph 0049 recites “Any suspicious activity may be logged and categorized by a logging module 206. For example, an observed attempt by an executing suspect file to read a file and initiate an outgoing FTP transfer may be indicative of an exfiltration attempt. Based on these observations during the testing stage, the classification module 202 may classify the file as malicious or benign.”).
	As per claim 7, Krause in combination with Roundy teaches the method of claim 1, Krause further teaches receiving, by the first computing device, the behavioral pattern rule from a third computing device of the plurality of computing devices, wherein the second computing device is configured to communicate another log associated with the process to the third computing device, and the third computing device is configured to determine the behavioral pattern rule based at least in part on the communicated other log (Krause, Paragraph 0100 recites “Step 806 involves determining a discrepancy between the prescribed behavior of the at least one node based on the at least one policy and actual behavior of the at least one node. For example, certain changes made to an application may suggest compromise by a third party. Or, attempts to initiate an outgoing FTP transfer may be indicative of an exfiltration attempt by a third party. Other types of behavior may relate to memory usage, a number of processes being executed, and processor load. These observations may represent discrepancies from the prescribed behavior of a node based on a policy, and information regarding the node's behavior may be gathered intermittently or continuously and sometimes at least substantially in real time.” And Paragraph 0049 recites “Any suspicious activity may be logged and categorized by a logging module 206. For example, an observed attempt by an executing suspect file to read a file and initiate an outgoing FTP transfer may be indicative of an exfiltration attempt. Based on these observations during the testing stage, the classification module 202 may classify the file as malicious or benign.”).

	As per claim 8, Krause in combination with Roundy teaches the method of claim 1, Roundy further teaches wherein the generated event dataset includes the log (Roundy, Col. 12 Lines 37-60 recites “ Returning to FIG. 3, at step 306 one or more of the systems described herein may use the event-correlation graph constructed as part of step 304 to generate a procedure for remediating an effect of an attack on the computing system that is reflected in the event-correlation graph. For example, remediating module 108 may, as part of server 206 in FIG. 2, use event-correlation graph 230 to generate a procedure for remediating an effect of an attack reflected in event-correlation graph 230. Upon completion of step 306, exemplary method 300 in FIG. 3 may terminate. Remediating module 108 may use event-correlation graphs to generate procedures for remediating attacks reflected in the event-correlation graphs in any suitable manner. In general, remediating module 108 may use the forensic information contained in event-correlation graphs to generate procedures for remediating the actual global impact of the attacks reflected in the event-correlation graphs. In one example, remediating module 108 may use event-correlation graphs to generate any of a variety of steps for repairing, reducing, warning about, gathering information about, and/or otherwise addressing an impact of an attack on a computing system, an impact of an actor involved in an attack on a computing system, and/or an impact of a suspicious event involved in an attack on a computing system.” Examiner is interpreting that a warning regarding the event would read on selecting a second device and sending them a dataset regarding event.).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Roundy’s Systems and methods for using event-correlation 

	As per claim 9, Krause in combination with Roundy teaches the method of claim 8, Roundy further teaches selecting, by the first computing device, the log for inclusion into the event dataset based on a predefined template associated with the process (Roundy, Col. 12 Lines 37-60 recites “ Returning to FIG. 3, at step 306 one or more of the systems described herein may use the event-correlation graph constructed as part of step 304 to generate a procedure for remediating an effect of an attack on the computing system that is reflected in the event-correlation graph. For example, remediating module 108 may, as part of server 206 in FIG. 2, use event-correlation graph 230 to generate a procedure for remediating an effect of an attack reflected in event-correlation graph 230. Upon completion of step 306, exemplary method 300 in FIG. 3 may terminate. Remediating module 108 may use event-correlation graphs to generate procedures for remediating attacks reflected in the event-correlation graphs in any suitable manner. In general, remediating module 108 may use the forensic information contained in event-correlation graphs to generate procedures for remediating the actual global impact of the attacks reflected in the event-correlation graphs. In one example, remediating module 108 may use event-correlation graphs to generate any of a variety of steps for repairing, reducing, warning about, gathering information about, and/or otherwise addressing an impact of an attack on a computing system, an impact of an actor involved in an attack on a computing system, and/or an impact of a suspicious event involved in an attack on a computing system.” Examiner is interpreting that a warning regarding the event would read on selecting a second device and sending them a dataset regarding event.).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Roundy’s Systems and methods for using event-correlation graphs to generate remediation procedures with Krause’s Secure computing environment because the use of creating a dataset to be sent to a target would help inform the network of issues and help create remediation.

	As per claim 10, Krause in combination with Roundy teaches the method of claim 1, Roundy further teaches wherein the event dataset is generated based at least in part on the target device being selected (Roundy, Col. 12 Lines 37-60 recites “ Returning to FIG. 3, at step 306 one or more of the systems described herein may use the event-correlation graph constructed as part of step 304 to generate a procedure for remediating an effect of an attack on the computing system that is reflected in the event-correlation graph. For example, remediating module 108 may, as part of server 206 in FIG. 2, use event-correlation graph 230 to generate a procedure for remediating an effect of an attack reflected in event-correlation graph 230. Upon completion of step 306, exemplary method 300 in FIG. 3 may terminate. Remediating module 108 may use event-correlation graphs to generate procedures for remediating attacks reflected in the event-correlation graphs in any suitable manner. In general, remediating module 108 may use the forensic information contained in event-correlation graphs to generate procedures for remediating the actual global impact of the attacks reflected in the event-correlation graphs. In one example, remediating module 108 may use event-correlation graphs to generate any of a variety of steps for repairing, reducing, warning about, gathering information about, and/or otherwise addressing an impact of an attack on a computing system, an impact of an actor involved in an attack on a computing system, and/or an impact of a suspicious event involved in an attack on a computing system.” Examiner is interpreting that a warning regarding the event would read on selecting a second device and sending them a dataset regarding event.).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Roundy’s Systems and methods for using event-correlation graphs to generate remediation procedures with Krause’s Secure computing environment because the use of creating a dataset to be sent to a target would help inform the network of issues and help create remediation.

	As per claim 14, Krause teaches a computer storage medium storing computer-useable instructions that, when used by at least one processor of a first computing device of a plurality of computing devices in a network, cause the at least one processor to perform operations comprising: generating a neighborhood map based on a plurality of electronic messages exchanged with a second computing device of the plurality of computing devices, each electronic message of the exchanged plurality of electronic messages including a corresponding connectivity configuration associated with one of the first computing device and the second computing device (Krause, Paragraph 0055 recites “The network mapping module 318 may be configured to map or otherwise identify all devices in a specific network intermittently or continuously.” And Paragraph 0056 recites “The network mapping module 318 may be in communication with the whitelist/blacklist (WL/BL) module 322 which creates a list of permitted (accepted) devices. These devices maybe designated based on their operating system, MAC address, IP address, etc. This list may be designed to block non-approved devices from connecting to the network (and to other devices). Additionally, a user interface may enable a user to stop connections to devices that are not on the whitelist, or enable a user to add a certain device to the whitelist. The WL/BL module 322 may additionally or alternatively create a blacklist explicitly defining non-approved devices, such that any device on the blacklist is prohibited from connecting to the network and other devices.” Devices outside the network would be interpreted to be read by Krause, where it discusses on whether to block or allow communications to the network).
	But Krause fails to teach generating an event dataset based at least in part on a defined behavioral pattern rule associated with a process and a log generated via the process; and communicating the generated event dataset to the second computing device based on the generated neighborhood map, wherein the second computing device is configured to generate a corresponding neighborhood map based on the exchanged plurality of electronic messages and relay the communicated event dataset to one of a remote server device outside of the network or a third computing device of the plurality of computing devices based on the generated corresponding neighborhood map.
	However, in an analogous art Roundy teaches generating an event dataset based at least in part on a defined behavioral pattern rule associated with a process and a log generated via the process; and communicating the generated event dataset to the second computing device based on the generated neighborhood map, wherein the (Roundy, Col. 12 Lines 37-60 recites “ Returning to FIG. 3, at step 306 one or more of the systems described herein may use the event-correlation graph constructed as part of step 304 to generate a procedure for remediating an effect of an attack on the computing system that is reflected in the event-correlation graph. For example, remediating module 108 may, as part of server 206 in FIG. 2, use event-correlation graph 230 to generate a procedure for remediating an effect of an attack reflected in event-correlation graph 230. Upon completion of step 306, exemplary method 300 in FIG. 3 may terminate. Remediating module 108 may use event-correlation graphs to generate procedures for remediating attacks reflected in the event-correlation graphs in any suitable manner. In general, remediating module 108 may use the forensic information contained in event-correlation graphs to generate procedures for remediating the actual global impact of the attacks reflected in the event-correlation graphs. In one example, remediating module 108 may use event-correlation graphs to generate any of a variety of steps for repairing, reducing, warning about, gathering information about, and/or otherwise addressing an impact of an attack on a computing system, an impact of an actor involved in an attack on a computing system, and/or an impact of a suspicious event involved in an attack on a computing system.” Examiner is interpreting that a warning regarding the event would read on selecting a second device and sending them a dataset regarding event.).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Roundy’s Systems and methods for using event-correlation graphs to generate remediation procedures with Krause’s Secure computing environment because the use of creating a dataset to be sent to a target would help inform the network of issues and help create remediation.

	As per claim 15, Krause in combination with Roundy teaches the medium of claim 14, Roundy further teaches selecting the log for inclusion into the event dataset based at least in part on a predefined template associated with the process (Roundy, Col. 12 Lines 37-60 recites “ Returning to FIG. 3, at step 306 one or more of the systems described herein may use the event-correlation graph constructed as part of step 304 to generate a procedure for remediating an effect of an attack on the computing system that is reflected in the event-correlation graph. For example, remediating module 108 may, as part of server 206 in FIG. 2, use event-correlation graph 230 to generate a procedure for remediating an effect of an attack reflected in event-correlation graph 230. Upon completion of step 306, exemplary method 300 in FIG. 3 may terminate. Remediating module 108 may use event-correlation graphs to generate procedures for remediating attacks reflected in the event-correlation graphs in any suitable manner. In general, remediating module 108 may use the forensic information contained in event-correlation graphs to generate procedures for remediating the actual global impact of the attacks reflected in the event-correlation graphs. In one example, remediating module 108 may use event-correlation graphs to generate any of a variety of steps for repairing, reducing, warning about, gathering information about, and/or otherwise addressing an impact of an attack on a computing system, an impact of an actor involved in an attack on a computing system, and/or an impact of a suspicious event involved in an attack on a computing system.” Examiner is interpreting that a warning regarding the event would read on selecting a second device and sending them a dataset regarding event.).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Roundy’s Systems and methods for using event-correlation graphs to generate remediation procedures with Krause’s Secure computing environment because the use of creating a dataset to be sent to a target would help inform the network of issues and help create remediation.

	As per claim 16, Krause in combination with Roundy teaches the medium of claim 14, Roundy further teaches receiving the defined behavioral pattern rule and the log from the second computing device, wherein the process is executing on the second computing device (Roundy, Col. 12 Lines 37-60 recites “ Returning to FIG. 3, at step 306 one or more of the systems described herein may use the event-correlation graph constructed as part of step 304 to generate a procedure for remediating an effect of an attack on the computing system that is reflected in the event-correlation graph. For example, remediating module 108 may, as part of server 206 in FIG. 2, use event-correlation graph 230 to generate a procedure for remediating an effect of an attack reflected in event-correlation graph 230. Upon completion of step 306, exemplary method 300 in FIG. 3 may terminate. Remediating module 108 may use event-correlation graphs to generate procedures for remediating attacks reflected in the event-correlation graphs in any suitable manner. In general, remediating module 108 may use the forensic information contained in event-correlation graphs to generate procedures for remediating the actual global impact of the attacks reflected in the event-correlation graphs. In one example, remediating module 108 may use event-correlation graphs to generate any of a variety of steps for repairing, reducing, warning about, gathering information about, and/or otherwise addressing an impact of an attack on a computing system, an impact of an actor involved in an attack on a computing system, and/or an impact of a suspicious event involved in an attack on a computing system.” Examiner is interpreting that a warning regarding the event would read on selecting a second device and sending them a dataset regarding event.).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Roundy’s Systems and methods for using event-correlation graphs to generate remediation procedures with Krause’s Secure computing environment because the use of creating a dataset to be sent to a target would help inform the network of issues and help create remediation.

	Regarding claim 19, claim 19 is directed to a similar system associated with the method of claim 1. Claim 19 is similar in scope to claim 1 and is therefore rejected under similar rationale.
	
	
Claims 2 and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Krause et al. (US 2017/0244748) and Roundy et al. (US 9,256,739) and in further view of Chehaibar et al. (US 2019/0109796).

	As per claim 2, Krause in combination with Roundy teaches the method of claim 1, the method further comprising: storing, by the first computing device, the generated event dataset to a memory of the first computing device; receiving, by the first computing device, an electronic acknowledgement message from the selected target device based on the generated event dataset communicated thereto; and deleting, by the first computing device, the stored event dataset from the memory based on the received electronic acknowledgement message.
	However, in an analogous art Chehaibar teaches storing, by the first computing device, the generated event dataset to a memory of the first computing device; receiving, by the first computing device, an electronic acknowledgement message from the selected target device based on the generated event dataset communicated thereto; and deleting, by the first computing device, the stored event dataset from the memory based on the received electronic acknowledgement message (Chehaibar, Paragraph 0121 recites “When the response has been received by the network interface controller 100, the network interface controller proceeds to sending 580 an acknowledgment of receipt or acknowledgment message to the target node and to deleting 585 the message data from the transmission buffer memory.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Chehaibar’s method and device for dynamically managing the 

	As per claim 17, Krause in combination with Roundy teaches the medium of claim 14, but fails to teach the operations further comprising: receiving an electronic acknowledgement message from the second computing device; and deleting the generated event dataset from a memory of the first computing device based on the received electronic acknowledgement message.
	However, in an analogous art Chehaibar teaches the operations further comprising: receiving an electronic acknowledgement message from the second computing device; and deleting the generated event dataset from a memory of the first computing device based on the received electronic acknowledgement message (Chehaibar, Paragraph 0121 recites “When the response has been received by the network interface controller 100, the network interface controller proceeds to sending 580 an acknowledgment of receipt or acknowledgment message to the target node and to deleting 585 the message data from the transmission buffer memory.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Chehaibar’s method and device for dynamically managing the message retransmission delay on an interconnection network with Krause’s Secure computing environment because the use of deleting messages after acknowledgement would free up resources in a network.

Claims 4 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Krause et al. (US 2017/0244748) and Roundy et al. (US 9,256,739) and in further view of Lyon (US 2013/0103785).

	As per claim 4, Krause in combination with Roundy teaches the method of claim 1, but fails to teach wherein each of the connectivity configuration and the neighborhood map is generated by the first computing device based further in part on determining at least one capability of the first computing device, the determining based on an amount of free CPU bandwidth of the first computing device, an amount of free storage space of the first computing device, and a detected idle state of the first computing device.
	However, in an analogous art Lyon teaches wherein each of the connectivity configuration and the neighborhood map is generated by the first computing device based further in part on determining at least one capability of the first computing device, the determining based on an amount of free CPU bandwidth of the first computing device, an amount of free storage space of the first computing device, and a detected idle state of the first computing device (Lyon, Paragraph 0022 recites “Since inbound traffic usually eclipses outbound traffic, the networks commonly have a large amount of free idle outbound bandwidth. It would be useful, for example, to add servers at these networks and configure them as CDN nodes so that the extra available outbound bandwidth can be utilized and/or monetized using the techniques described herein.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Lyon’s redirecting content requests with Krause’s Secure 

	As per claim 20, Krause in combination with Roundy teaches the computerized system of claim 19, but fails to teach wherein the connectivity configuration is generated based further in part on a capability associated with the first computing device, the capability corresponding to one of a determined amount of free CPU bandwidth, a determined amount of free storage space, and an idle state.
	However, in an analogous art Lyon teaches wherein the connectivity configuration is generated based further in part on a capability associated with the first computing device, the capability corresponding to one of a determined amount of free CPU bandwidth, a determined amount of free storage space, and an idle state (Lyon, Paragraph 0022 recites “Since inbound traffic usually eclipses outbound traffic, the networks commonly have a large amount of free idle outbound bandwidth. It would be useful, for example, to add servers at these networks and configure them as CDN nodes so that the extra available outbound bandwidth can be utilized and/or monetized using the techniques described herein.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Lyon’s redirecting content requests with Krause’s Secure computing environment because the use of seeing idle and available bandwidth would be useful to optimizing a network.


Claims 11-13 and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Krause et al. (US 2017/0244748) and Roundy et al. (US 9,256,739) and in further view of Chefalas et al. (US 2002/0147915).

	As per claim 11, Krause in combination with Roundy teaches the method of claim 1, wherein each electronic message of the exchanged plurality of electronic messages is broadcast by a corresponding one of the plurality of computing devices, the electronic message including a corresponding connectivity configuration of the corresponding computing device from which the electronic message was broadcasted.
	However, in an analogous art Chefalas teaches wherein each electronic message of the exchanged plurality of electronic messages is broadcast by a corresponding one of the plurality of computing devices, the electronic message including a corresponding connectivity configuration of the corresponding computing device from which the electronic message was broadcasted (Chefalas, Paragraph 0014 recites “Thus, any attempt to access the bait server would indicate the presence of a virus on the client attempting access. The bait server monitors itself and, responsive to an attempt from a client to access the bait server, broadcasts an indication that a virus attack is underway to all devices within the network. The bait server then ignores all further access requests by the offending client until it receives an indication that the offending client has been disinfected and disconnects the offending client from the network. The bait server also notifies the local server and/or a network administrator”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Chefalas’ Method and apparatus for the detection, 

	As per claim 12, Krause in combination with Roundy and Chefalas teaches the method of claim 11, Chefalas further teaches wherein the corresponding connectivity configuration includes a corresponding result of a corresponding performed attempt to directly access the remote server device (Chefalas, Paragraph 0014 recites “Thus, any attempt to access the bait server would indicate the presence of a virus on the client attempting access. The bait server monitors itself and, responsive to an attempt from a client to access the bait server, broadcasts an indication that a virus attack is underway to all devices within the network. The bait server then ignores all further access requests by the offending client until it receives an indication that the offending client has been disinfected and disconnects the offending client from the network. The bait server also notifies the local server and/or a network administrator”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Chefalas’ Method and apparatus for the detection, notification, and elimination of certain computer viruses on a network using a promiscuous system as bait with Krause’s Secure computing environment because the use of broadcasting a message would help alert all devices of potential issues in a system.


	As per claim 13, Krause in combination with Roundy and Chefalas teaches the method of claim 12, Chefalas further teaches wherein the corresponding connectivity configuration includes a corresponding at least one determined capability of the corresponding computing device (Chefalas, Paragraph 0014 recites “Thus, any attempt to access the bait server would indicate the presence of a virus on the client attempting access. The bait server monitors itself and, responsive to an attempt from a client to access the bait server, broadcasts an indication that a virus attack is underway to all devices within the network. The bait server then ignores all further access requests by the offending client until it receives an indication that the offending client has been disinfected and disconnects the offending client from the network. The bait server also notifies the local server and/or a network administrator”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Chefalas’ Method and apparatus for the detection, notification, and elimination of certain computer viruses on a network using a promiscuous system as bait with Krause’s Secure computing environment because the use of broadcasting a message would help alert all devices of potential issues in a system.

	As per claim 18, Krause in combination with Roundy teaches the medium of claim 14, but fails to teach the operations further comprising: attempting to directly access the remote server device; generating the corresponding connectivity configuration associated with the first computing device based at least in part on the attempt.
	However, in an analogous art Chefalas teaches the operations further comprising: attempting to directly access the remote server device; generating the corresponding connectivity configuration associated with the first computing device based at least in part on the attempt (Chefalas, Paragraph 0014 recites “Thus, any attempt to access the bait server would indicate the presence of a virus on the client attempting access. The bait server monitors itself and, responsive to an attempt from a client to access the bait server, broadcasts an indication that a virus attack is underway to all devices within the network. The bait server then ignores all further access requests by the offending client until it receives an indication that the offending client has been disinfected and disconnects the offending client from the network. The bait server also notifies the local server and/or a network administrator”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Chefalas’ Method and apparatus for the detection, notification, and elimination of certain computer viruses on a network using a promiscuous system as bait with Krause’s Secure computing environment because the use of broadcasting a message would help alert all devices of potential issues in a system.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661. The examiner can normally be reached on Mon-Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham, can be reached on 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


RODERICK TOLENTINO
Examiner
Art Unit 2439



/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439