DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

	This office action is in response to the applicant's filing of Amendments/Remarks on 3/16/2021.  Applicant canceled non-elected claims 9-15 and amended claims 1, 16, and 21-22.

	The claims 1-8 and 16-27 are pending.

Response to Arguments
Applicant's arguments filed 3/16/21 for claims 1-8 and 16-20 have been fully considered but they are not persuasive.  Applicant has amended the claims to include additional limitations that were not previously presented, and hence the Office Action has been updated below to reflect such amendments. 
Applicant’s arguments, with respect to claims 21-27 have been fully considered and are persuasive.  The previous 35 U.S.C. 103 rejection for claims 21-27 has been withdrawn. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed 

Claims 1-8 and 16-27 are rejected under 35 U.S.C. 103 as being unpatentable over Jordan et al. (US Pub No. 2015/0088868 – Published 3/26/2015) in view of Baikalov et al. (US Pub No. 2016/0226905 – Published 8/4/2016).

With respect to claim 1, Jordan teaches a method comprising: 
receiving a record in a first timeframe (e.g., receiving event in a current sliding window ¶ 0037 & 0039-0040); 
parsing the record (e.g., parsing the message ¶ 0037 & 0044);
sending the record to one or more threat [thread] calculators (e.g., after a message is parsed, the attribute-value pairings of that message may be added into a summary window ¶ 0044);
establishing a plurality of threat [vectors] for the record, where in the one or more threat [vector] calculators establish the plurality of threat [vetor] (e.g., combining the plurality of records in a cross relationship and pre-defined relationship schema ¶ 0044-0045 and having a plurality of attributes or tags such as a “Kazy” attacks for identifying threats to the record ¶ 0044 & 0048); 
merging the plurality of threat [vectors] to the record (e.g., superimposing the attributes to the event ¶ 0044-0046); 
generating a risk valuation for the record based on the plurality of threat [vectors] (e.g., having a plurality of attributes or tags for teaching of risk valuation, such as an “Exploit Kit” ¶ 0044 & 0048); 
merging the risk valuation to the record to form a risk event (e.g., superimposing the attributes to the event ¶ 0048 & Fig. 5); and 
storing the risk event in a computer-readable data store (e.g., storing the event, each having unique attribute collection of cross relationship ¶ 0046).  
  However, Baikalov, in the same field of endeavor, teaches a plurality of threat vectors (i.e., applying threat indicators and threat scores @ Figs. 2-3 and Risk Score with different categories of risk score and risk factor @ Fig. 9 and ¶ 0027-0028).  Therefore, based on Jordan in view of Baikalov, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Baikalov in the system of Jordan in order to reliably identify threats and evaluate threat risks within an organization's IT infrastructure while minimizing false positive alerts (¶ 0007).  Jordan in combination with Baikalov teaches the claim limitations as a whole.

	With respect to claim 2, Jordan further teaches wherein the record comprises a derived key (e.g., event record with matching derived keys (tuples) ¶ 0030).  

	With respect to claim 3, Jordan further teaches wherein the derived key is a source IP, a destination IP, a protocol, or a combination thereof (e.g., derived tuple fields may be a source address/port, destination address/port, and protocol combination or a subset of the tuple ¶ 0038).  

	With respect to claim 4, Jordan further teaches wherein the record comprises a plurality of events and attribute-value pairs in the first timeframe which share the derived key (e.g., all messages may be parsed into pairing of attribute and its data into an attribute-value pairing ¶ 0037-0038).  

	With respect to claim 5, Jordan further teaches wherein the plurality of threat vectors comprises statistics evaluations, flow anomalies, reputation information, alerts based on other network security 

	With respect to claim 6, Jordan further teaches further comprising notifying a user of the risk event if the risk valuation of the risk event is above a predetermined threshold value (e.g., presenting the view to the user ¶ 0048-0049 and after a message is parsed, creating a threshold, the attribute-value pairings of that message may be added into the summary window for viewing by the user ¶ 0044).  

	With respect to claim 7, Baikalov further teaches further comprising optimizing each threat vector of the plurality of threat vectors based on machine learning (e.g., dynamically updating a risk score @ Col. 9, lines 61-67).  

	With respect to claim 8, Baikalov further teaches wherein the risk valuation corresponds to a joint-distribution probability of the threat vectors merged to the record (e.g., applying probability to the threat vectors ¶ 0027-0028).  

With respect to claim 16, Jordan teaches a device comprising: 
a system that receives or retrieves a plurality of events in a sliding window from a plurality of network security systems (e.g., a system for receiving event in a current sliding window ¶ 0039-0043 from multiple network security systems ¶ 0022 & 0028); 
a processor (e.g., ¶ 0025-0026) that forms a plurality of security events by: 
merging each event sharing an IP-couple-pair into a record to form a plurality of records (e.g., normalization and merging of events ¶ 0037-008 with each event sharing a derived key tuple such as source address/port and destination address ¶ 0030 & 0038); 
distributing each record of the plurality of records to a plurality of threat valuation systems (e.g., distributing the records to a database ¶ 0046 that is later used to determine threats ¶ 0027-0028 & 0045);
merging a plurality of threat factors to each record of the plurality of records (e.g., superimposing attributes to the event ¶ 0044-0046); and 
merging a risk [score] to each record of the plurality of records based on the threat factors present in the respective record of the plurality of records to form the plurality of security events (e.g., having a plurality of attributes or tags for teaching of risk being merged with the events, such as an “Exploit Kit” ¶ 0044, and superimposing the attributes to the event ¶ 0048 & Fig. 5); and 
a computer readable data store that stores the plurality of security events (e.g., storing the event, each having unique attribute collection of cross relationship ¶ 0046).  
Jordan teaches the receiving and analyzing of event records with a plurality of threats and risks in general but does not explicitly disclose a risk score.  However, Baikalov, in the same field of endeavor, teaches a risk score (i.e., applying threat indicators and threat scores @ Figs. 2-3 and Risk Score with different categories of risk score and risk factor @ Fig. 9 and ¶ 0027-0028).  Therefore, based on Jordan in view of Baikalov, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Baikalov in the system of Jordan in order to reliably identify threats and evaluate threat risks within an organization's IT infrastructure while minimizing false positive alerts (¶ 0007).  Jordan in combination with Baikalov teaches the claim limitations as a whole.

	With respect to claim 17, Jordan further teaches wherein each of the events has a source IP and a destination IP, and wherein events having the same source IP and the same destination IP have a same IP-couple-pair (e.g., derived tuple fields may be a source address/port, destination address/port, and protocol combination or a subset of the tuple ¶ 0038).

	With respect to claim 18, the references above further teach further comprising a monitor adapted to display the plurality of security events (e.g., presenting to the user @ Jordan ¶ 0048 and Baikalov ¶ 0035 & Fig. 9).

	With respect to claim 19, the references above further teach wherein the monitor displays a predetermined number of the security events of the plurality of security events, each of the predetermined number of the security events having the highest risk score and being sorted by risk score (e.g., Baikalov ¶ 0035 & Figs. 8-9).  

With respect to claim 20, the references above further teach wherein the monitor displays the record, the IP-couple-pair, the risk score, the plurality of threat factors, or a combination thereof for each security event of the predetermined number of the security events (e.g., displaying the fetched results to the user @ Jordan ¶ 0048-0049 and Baikalov ¶ 0035 & Figs. 8-9).  
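Claims 16-20 as mapped above describe one pipeline: take events from a sliding window, merge those sharing an IP-couple-pair into a record, run each record through threat calculators, attach a risk score, store the result, and display the top-N by score. The following Python sketch is an added illustration of that pipeline and is not code from the application, from Jordan, or from Baikalov; the event fields, the reputation list, the two threat calculators and the independent-probability risk formula are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample events (not from the office action or the cited references);
# fields mirror the derived-key tuple of source address, destination address and protocol.
SAMPLE_EVENTS = [
    {"ts": 1, "src": "10.0.0.5", "dst": "203.0.113.9", "proto": "tcp", "bytes": 900},
    {"ts": 2, "src": "10.0.0.5", "dst": "203.0.113.9", "proto": "tcp", "bytes": 950},
    {"ts": 3, "src": "10.0.0.5", "dst": "203.0.113.9", "proto": "tcp", "bytes": 5000},
    {"ts": 4, "src": "10.0.0.7", "dst": "192.0.2.20", "proto": "udp", "bytes": 40},
    {"ts": 70, "src": "10.0.0.9", "dst": "203.0.113.9", "proto": "tcp", "bytes": 60},
]
BAD_REPUTATION = {"203.0.113.9"}  # constructed stand-in for "reputation information"

@dataclass
class Record:
    key: tuple                 # the IP-couple-pair (source IP, destination IP)
    events: list = field(default_factory=list)
    threat_factors: dict = field(default_factory=dict)
    risk_score: float = 0.0

def merge_by_ip_pair(events, window_start, window_end):
    """Merge events inside the sliding window that share an IP-couple-pair into one record."""
    records = {}
    for ev in events:
        if window_start <= ev["ts"] < window_end:
            key = (ev["src"], ev["dst"])
            records.setdefault(key, Record(key)).events.append(ev)
    return list(records.values())

def reputation_vector(rec):          # hypothetical threat calculator 1
    return 0.8 if rec.key[1] in BAD_REPUTATION else 0.0

def flow_anomaly_vector(rec):        # hypothetical threat calculator 2: largest flow >> median
    sizes = sorted(e["bytes"] for e in rec.events)
    return 0.6 if sizes[-1] > 3 * sizes[len(sizes) // 2] else 0.0

THREAT_CALCULATORS = {"reputation": reputation_vector, "flow_anomaly": flow_anomaly_vector}

def risk_valuation(factors):
    """Treat factors as independent probabilities: P(at least one threat is present)."""
    p_none = 1.0
    for p in factors.values():
        p_none *= 1.0 - p
    return round(1.0 - p_none, 4)

def build_security_events(events, window_start, window_end):
    """Merge, run every threat calculator, attach the risk score; the list is the data store."""
    out = merge_by_ip_pair(events, window_start, window_end)
    for rec in out:
        rec.threat_factors = {name: calc(rec) for name, calc in THREAT_CALCULATORS.items()}
        rec.risk_score = risk_valuation(rec.threat_factors)
    return out

def top_n(security_events, n):
    """Highest-risk security events first, as a monitor would display them."""
    return sorted(security_events, key=lambda r: r.risk_score, reverse=True)[:n]
```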

Allowable Subject Matter
The claims 21-27 are allowed.
This communication warrants no examiner's reason for allowance, as applicant's reply makes evident the reason for allowance, satisfying the record as a whole as required by rule 37 CFR 1.104(e). In 
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.  
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHAU LE whose telephone number is (571)270-7217.  The examiner can normally be reached on M-F 8:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/CHAU LE/Primary Examiner, Art Unit 2493