Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 04-16-2021 was in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 101 (Abstract Idea)
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1 – 20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more, analyzed according to the 2019 Revised Patent Subject Matter Eligibility Guidance (“2019 PEG”). The claims recite receiving events and comparing them with a case criteria, creating a case criteria with data from the received event, assigning a threat score to the case, matching further events with the created case criteria and updating it with further data and score, and rendering the case on a display if it meets another condition.
Step 1: Claims 1, 19 and 20 do fall into one of the four statutory categories (method and system claims). Nevertheless, the claims are still considered to be directed to an abstract idea for the following prongs and reasons.
Step 2A, Prong 1: The limitation of claims 1, 19 and 20 that recites receiving events and comparing them with a case criteria, creating a case criteria with data from the received event, assigning a threat score to the case, matching further events with the created case criteria and updating it with further data and score, and rendering the case on a display if it meets another condition, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in a human organized way and/or with pen and paper without a generic computer. Except for the words ‘system with processors and computer program stored in storage medium’, nothing in the claim elements precludes the steps from practically being performed in a human organized way and/or with pen and paper. For example, performing a privacy risk assessment, obtaining various information in any office or campus, and updating rules or criteria based on the assessed threats can also be perceived as a human organized way done in an orderly fashion. In the context of these claims, this encompasses assigning scores, matching further threats with created conditions and updating threat scores accordingly.
Dependent claims 2 – 18, which in turn recite inputting and analyzing events based on time and identifiers, combining events, enriching data, processing events from different storages, events within a time window, etc., are mere structural addenda and are other steps that could be performed by a human manually with or without the need for a computer. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in a human organized way but for the recitation of generic computer components, then it falls within the “certain methods of organizing human activities” grouping of abstract ideas and can be done manually. Accordingly, the claims recite an abstract idea.
Prong 2: This judicial exception is not integrated into a practical application. In particular, the claims do not recite any additional element beyond the routine step of inputting (spec. [0077-78]), such that it amounts to no more than mere instructions to apply the exception using generic computer components. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. Therefore the claims are directed to an abstract idea.
Step 2B: The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, receiving events and comparing them with a case criteria, creating a case criteria with data from the received event, assigning a threat score to the case, matching further events with the created case criteria and updating it with further data and score, and rendering the case on a display if it meets another condition amount to no more than mere instructions to apply the exception using generic computer terms. Mere instructions to apply an exception using generic computer components cannot provide an inventive concept. The claims are not patent eligible. Therefore all the corresponding dependent claims 2 – 18 are also rejected for the same rationale.

Claim Rejections - 35 USC § 101 (Non-Statutory)
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


The claimed invention is directed to non-statutory subject matter. Claims 1 and 20 do not fall within at least one of the four categories of patent eligible subject matter because claims 1 and 20 are directed to “A computer system … comprising: one or more processors; and computer program stored on computer storage medium” (software and signal per se), a non-statutory subject matter. Claims 1 and 20 do not fall within at least one of the four categories of patent eligible subject matter because a computer-readable medium is non-statutory and does not fall in any of the four categories of process, manufacture, machine or composition, as it does not provide any hardware or tangible structure to the claims. The client shall recite “non-transitory storage medium” for claim 20 and recite a ‘memory’ or a “hardware processor” for claim 1 to overcome this rejection. Therefore all corresponding dependent claims 2 – 18 are also rejected for the same rationale.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1 – 20 are rejected under 35 U.S.C. 103 as being unpatentable over Yehudai et al (US 20190372934), hereafter Yeh, in view of Tsironis; George (US 20180316705), hereafter Tsi.
Claim 1: Yeh teaches a computer system for detecting network security threats, the computer system comprising: at least one input configured to receive events relating to a monitored network; ([0003] application level security, or an attack analyzer, as part of a protection system, receives and aggregates alerts of malicious events in a network infrastructure);
one or more processors configured to: analyse the received events to identify at least one event that meets a case creation condition ([0003] the attack analyzer uses distance functions, such as Euclidean or non-Euclidean distance functions, to compare the extracted features with those of the clusters of previously detected malicious events);
and, in response, create a case in an experience database, the case being populated with data of the identified at least one event; ([0003] Based on the comparison, the attack analyzer updates the statistical distribution objects by adding a new alert of the malicious event to an existing cluster, generating a new cluster including the new alert, [0036, 39] creates new rules based on correlated or recurring clusters populated with specific feature set);
and assign a threat score to the created case based on the event data; ([0046] the attack analyzer combines distances calculated for multiple features using a weighted average or sum across the set of features to get a weighted sum for the malicious event);
Yeh is not explicit about match at least one further event to the created case and populating the case with data of the at least one further event, the threat score assigned to that case being updated in response; and in response to the threat score for one of the cases meeting a significance condition, render that case accessible via a case interface.
But the analogous art Tsi teaches match at least one further event to the created case and populating the case with data of the at least one further event, the threat score assigned to that case being updated in response; ([0126]  the anomaly action rule is applied to future and/or existing anomalies, [0157] the threat indicator data is compared against the preconfigured, non-configurable, and/or configurable rules associated with each candidate threat; [0118-120] wherein anomaly action rule's filter is prepopulated with the values of the anomaly's attributes and the user shall further customize the anomaly action rule or shall be automatically populated with data and [0122] re-scoring of anomalies are performed);
and in response to the threat score for one of the cases meeting a significance condition, render that case accessible via a case interface. ([0152] security threat that satisfies the attributes of the newly created custom threat rule constitutes a threat to the computer network. Any identified security threat or data indicative of the identified security threat is displayed on a display device, [0113] an indicator of a particular anomaly or anomalous pattern is output if the score satisfies a specified criterion (e.g., exceeds a threshold)).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Yeh to include the idea of creating a rule [0089]).
Claim 19: Yeh teaches a computer-implemented method of detecting network security threats, the method comprising the following steps: receiving at an analysis engine events relating to a monitored network; analysing the received events to identify at least one event that meets a case creation condition and, in response, creating a case in an experience database, the case being populated with data of the identified at least one event; assigning a threat score to the created case based on the event data; ([0003] application level security, or an attack analyzer, as part of a protection system, aggregates alerts of malicious events in a network infrastructure; [0003] Based on the comparison, the attack analyzer updates the statistical distribution objects by adding a new alert of the malicious event to an existing cluster, generating a new cluster including the new alert, [0036, 39] creates new rules based on correlated or recurring clusters populated with specific feature set; [0046] the attack analyzer combines distances calculated for multiple features using a weighted average or sum across the set of features to get a weighted sum for the malicious event);
Yeh is not explicit about matching at least one further event to the created case and populating the case with data of the at least one further event, the threat score assigned to that case being updated in response; and in response to the threat score for one of the cases meeting a significance condition, rendering that case accessible via a case interface.
But the analogous art Tsi teaches matching at least one further event to the created case and populating the case with data of the at least one further event, the threat score assigned to that ([0126]  the anomaly action rule is applied to future and/or existing anomalies, [0157] the threat indicator data is compared against the preconfigured, non-configurable, and/or configurable rules associated with each candidate threat; [0118-120] wherein anomaly action rule's filter is prepopulated with the values of the anomaly's attributes and the user shall further customize the anomaly action rule or shall be automatically populated with data and [0122] re-scoring of anomalies are performed; [0152] security threat that satisfies the attributes of the newly created custom threat rule constitutes a threat to the computer network. Any identified security threat or data indicative of the identified security threat is displayed on a display device, [0113] an indicator of a particular anomaly or anomalous pattern is output if the score satisfies a specified criterion (e.g., exceeds a threshold)).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Yeh to include the idea of creating a rule and analyzing new threats with created rule as taught by Tsi so that configurable rules identify new threat types, unknown to the data processing system, as opposed to the fixed palette of threat types available in exclusively preconfigured systems that change only with new releases of the entire network security platform ([0089]).
Claim 20: Yeh teaches a computer program comprising instructions stored on a computer-readable storage medium and configured, when executed on one or more processors, to implement operations comprising: receiving events relating to a monitored network; analysing the received events to identify at least one event that meets a case creation condition and, in response, creating a case in an experience database, the case being populated with data of the ([0003] application level security, or an attack analyzer, as part of a protection system, aggregates alerts of malicious events in a network infrastructure; [0003] Based on the comparison, the attack analyzer updates the statistical distribution objects by adding a new alert of the malicious event to an existing cluster, generating a new cluster including the new alert, [0036, 39] creates new rules based on correlated or recurring clusters populated with specific feature set; [0046] the attack analyzer combines distances calculated for multiple features using a weighted average or sum across the set of features to get a weighted sum for the malicious event);
Yeh is not explicit about matching at least one further event to the created case and populating the case with data of the at least one further event, the threat score assigned to that case being updated in response; and in response to the threat score for one of the cases meeting a significance condition, rendering that case accessible via a case interface.
But the analogous art Tsi teaches matching at least one further event to the created case and populating the case with data of the at least one further event, the threat score assigned to that case being updated in response; and in response to the threat score for one of the cases meeting a significance condition, rendering that case accessible via a case interface. ([0126]  the anomaly action rule is applied to future and/or existing anomalies, [0157] the threat indicator data is compared against the preconfigured, non-configurable, and/or configurable rules associated with each candidate threat; [0118-120] wherein anomaly action rule's filter is prepopulated with the values of the anomaly's attributes and the user shall further customize the anomaly action rule or shall be automatically populated with data and [0122] re-scoring of anomalies are performed; [0152] security threat that satisfies the attributes of the newly created custom threat rule constitutes a threat to the computer network. Any identified security threat or data indicative of the identified security threat is displayed on a display device, [0113] an indicator of a particular anomaly or anomalous pattern is output if the score satisfies a specified criterion (e.g., exceeds a threshold)).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Yeh to include the idea of creating a rule and analyzing new threats with created rule as taught by Tsi so that configurable rules identify new threat types, unknown to the data processing system, as opposed to the fixed palette of threat types available in exclusively preconfigured systems that change only with new releases of the entire network security platform ([0089]).
Claim 2: the combination of Yeh and Tsi teaches the computer system of claim 1, wherein the one or more processors are configured to match the further event to the case based on respective timestamps of the further event and the case and/or respective entity identifiers of the further event and the case. (Yeh: [0034, 39] attack analyzer updates SDOs in a streaming mode, modifying clusters in real-time as new alerts are processed, patterns include temporal patterns across attack timestamps, patterns in the attacker's tool or source or signatures in program code or [0028] identifier of origin).
Claim 3: the combination of Yeh and Tsi teaches the computer system of claim 2, wherein the one or more processors are configured to match the further event to the case based on the respective entity identifiers, each of the entity identifiers being: a user identifier, a device identifier, a network address, or an identifier of a process. (Yeh: [0028] features of a malicious event include its origin (IP address or Autonomous System Number (ASN), country or geographical region, serial number or identifier, or anonymous source such as a Tor network), type of attack (e.g., SQL injection, denial-of-service, scripting, improper resource access, backdoor, remote file inclusion, comment spam, bots, etc.), target (e.g., webpage universal resource locator (URL), file type, or metadata attributes), time of attack (e.g., date or time of day), or type of tool (e.g., user agent, spam generator, web browser, or security application), among others).
Claim 4: the combination of Yeh and Tsi teaches the computer system of claim 1, wherein the events comprise: (i) network events generated by monitoring network traffic within the network, and (ii) endpoint events generated using endpoint agents executed on endpoints of the network to monitor local activity at those endpoints. (Yeh: [0018, 20] a malicious event corresponds to a malicious attack or request, other types of unwanted applications, an attack on the system, or any event associated with an undesirable effect on the system; the attack analyzer clusters malicious events from multiple customers, e.g., detected by different firewalls of each customer).
Claim 5: the combination of Yeh and Tsi teaches the computer system of claim 1, wherein the events comprise joined events created by joining together network events and endpoint events. (Yeh: [0056] the second set of clusters includes at least one cluster generated by merging two or more clusters of the first set).
Claim 6: the combination of Yeh and Tsi teaches the computer system of claim 1, wherein the one or more processors are configured to repeatedly update the threat score for the case as further events are received and matched to the case. (Tsi: [0124, 132] If the rule action is set to re-score anomalies, the user sets an absolute score (integer value) or relative score (delta integer value) for matching anomalies, updated new anomaly action rule is then stored in memory for subsequent execution on matching anomalies).
Claim 7: the combination of Yeh and Tsi teaches the computer system of claim 1, wherein the at least one further event comprises at least one of: a subsequent event, and an earlier event. (Tsi: [0123] a number of anomaly action rules are applied to existing or future anomalies).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Yeh to include the idea of using existing and future events as taught by Tsi so that configurable rules identify new threat types, unknown to the data processing system, as opposed to the fixed palette of threat types available in exclusively preconfigured systems that change only with new releases of the entire network security platform ([0089]).
Claim 8: the combination of Yeh and Tsi teaches the computer system of claim 1, wherein the analysis comprises matching the at least one event to a tactic associated with a known attack technique and creating the case in response. (Yeh: [0003] Based on the comparison, the attack analyzer updates the statistical distribution objects by adding a new alert of the malicious event to an existing cluster, generating a new cluster including the new alert, [0036, 39] creates new rules based on correlated or recurring clusters populated with specific feature set).
Claim 9: the combination of Yeh and Tsi teaches the computer system of claim 8, wherein the one or more processors are configured to match at least one further event to the case by: matching the at least one further event to the same tactic, matching the at least one further event to another tactic associated with the known attack technique, or matching the at least one further event to another attack technique associated with the known attack technique. (Yeh: [0003] the attack analyzer uses distance functions to compare the extracted features with those of the clusters of previously detected malicious events, [0028] and also analyzer determines features of the malicious event for comparison with statistical distribution objects (SDOs), which are data structures that describe alerts of previously detected malicious events).
Claim 10: the combination of Yeh and Tsi teaches the computer system of claim 1, wherein the one or more processors are configured to render information about a set of multiple cases available via the case user interface in response to a determination that those cases (i) comprise matching entity identifiers, and (ii) meet a collective significance condition. (Yeh: [0026] the user interface engine sends notifications or alerts of detected malicious events in real-time for display, reports of aggregated alerts on a periodic basis, or metrics describing clusters or aggregated malicious event information, provide transparency describing operation of the attack analyzer "under the hood", provide context indicating types of malicious events that are detected and remediated by the attack analyzer and indicating how the attack analyzer is categorizing or classifying groups of alerts).
Claim 11: the combination of Yeh and Tsi teaches the computer system of claim 1, wherein the one or more processors are configured to apply an enrichment process to the events, to augment the events with enrichment data prior to the analysis. (Yeh: [0036] the attack analyzer uses an enrichment function to extract features from raw data of malicious events. The attack analyzer uses an enrichment function to clean a target URL of an attack (using a regular expression for truncation of the URL string) and extracts features such as a resource extension, suffix folder or pattern of the URL).
Claim 12: the combination of Yeh and Tsi teaches the computer system of claim 11, wherein the one or more processors are configured to perform the enrichment in real-time. (Yeh: [0034, 36] the attack analyzer uses an enrichment function to extract features from raw data of malicious events. The attack analyzer uses an enrichment function to clean a target URL of an attack (using a regular expression for truncation of the URL string) and extracts features such as a resource extension, suffix folder or pattern of the URL, modifying clusters in real-time as new alerts are processed).
Claim 13: the combination of Yeh and Tsi teaches the computer system of claim 1, wherein the events are stored in an observation database, and the one or more processors are configured to apply an enrichment process to the events in the observation database, to augment the events with enrichment data. (Yeh: [0034, 36] the attack analyzer uses an enrichment function to extract features from raw data of malicious events. The attack analyzer uses an enrichment function to clean a target URL of an attack (using a regular expression for truncation of the URL string) and extracts features such as a resource extension, suffix folder or pattern of the URL, modifying clusters in real-time as new alerts are processed, and [0024] configuration information is generated based on malicious events processed by the attack analyzer or information from a cluster database).
Claim 14: the combination of Yeh and Tsi teaches the computer system of claim 13, wherein the enrichment process is a batch enrichment process performed according to an enrichment schedule. (Yeh: [0034, 36] the attack analyzer uses an enrichment function to extract features from raw data of malicious events. [0031] the attack analyzer generates the clusters in a batch clustering mode; the attack analyzer accumulates a batch of alerts over a period of time before clustering them into their respective one of clusters).
Claim 15: the combination of Yeh and Tsi teaches the computer system of claim 13, wherein the one or more processors are configured to apply the analysis to a combination of events received from an event queue and events received from the observation database. (Yeh: [0056-57] attack analyzer generates a second set of clusters which is a combination of the first set of clusters, the stored information is used by the attack analyzer at a later time to process new malicious events, [0025] the attack analyzer maintains a cluster database that stores SDOs describing clusters of previously detected and analyzed malicious events. The attack analyzer uses one or more types of functions to determine aggregate alerts of malicious events).
Claim 16: the combination of Yeh and Tsi teaches the computer system of claim 15, wherein the one or more processors are configured to apply a first stage enrichment process to the events received from the event queue and a second stage enrichment process to the events stored in the observation database. (Yeh: [0036] the attack analyzer uses an enrichment function to extract features from raw data of malicious events. The attack analyzer uses an enrichment function to clean a target URL of an attack (using a regular expression for truncation of the URL string) and extracts features such as a resource extension, suffix folder or pattern of the URL, [0040-41] attack analyzer determines a first set of distances using a first distance function and the set of features, attack analyzer determines a second set of distances using a second distance function and the additional features).
Claim 17: the combination of Yeh and Tsi teaches the computer system of claim 13, wherein the one or more processors are configured to access at least one further event from the observation database and match the at least one further event to the case, wherein that further event is located by searching for events within a threat time window. (Yeh: [0032] By comparing distances or relationships between features of the alert 330 and features of alerts of the existing clusters, the attack analyzer 104 determines that the alert 330 has a certain level of similarity to alerts of the third cluster, [0039] patterns include temporal patterns across attack timestamps).
Claim 18: the combination of Yeh and Tsi teaches the method according to claim 17, wherein the length of the threat time window is determined based on a type of attack associated with the case. (Tsi: [0147-149] if the user selects processing of anomalies from the past, then the user may be prompted to either select a window defining a time range from the instant day back in time, or alternatively to select for processing any anomalies beginning from a specified date to the present date).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Yeh to include the idea of detecting attacks within time range as taught by Tsi so that configurable rules identify new threat types, unknown to the data processing system, as opposed to the fixed palette of threat types available in exclusively preconfigured systems that change only with new releases of the entire network security platform ([0089]).
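As an added illustration, not part of the office action and not code from the application or from either cited reference, the following Python sketch implements the flow recited in claims 1 to 18 end to end: events are stored in an observation database, an event meeting a case creation condition (a known tactic, claim 8) opens a case in an experience database with a threat score, further events are matched to the case by shared entity identifiers and timestamps within a threat time window whose length depends on the attack technique (claims 2, 9, 17, 18), earlier events are pulled in from the observation database (claim 7), the score is re-computed on every match (claim 6), and only cases meeting a significance condition are exposed via the case interface. All tactic names, technique associations, weights, windows and the sample event stream are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed tables: tactic -> known attack technique (claim 8), techniques treated
# as associated with one another (claim 9), per-technique threat time windows in
# seconds (claim 18) and per-tactic score weights. None of this is from the page.
TECHNIQUE_OF_TACTIC = {
    "port_scan": "reconnaissance",
    "brute_force": "credential_access",
    "suspicious_login": "credential_access",
    "new_admin_user": "persistence",
}
RELATED_TECHNIQUES = {
    "reconnaissance": {"credential_access"},
    "credential_access": {"reconnaissance", "persistence"},
    "persistence": {"credential_access"},
}
TIME_WINDOW = {"reconnaissance": 600, "credential_access": 1800, "persistence": 3600}
TACTIC_WEIGHT = {"port_scan": 10, "brute_force": 30, "suspicious_login": 25,
                 "new_admin_user": 40}
SIGNIFICANCE_THRESHOLD = 60


@dataclass(frozen=True)
class Event:
    ts: int                   # epoch seconds
    tactic: Optional[str]     # None when the event matches no known tactic
    entities: frozenset       # entity identifiers: user, device, address, process


@dataclass
class Case:
    technique: str
    entities: set
    events: list = field(default_factory=list)
    score: int = 0


class CaseEngine:
    def __init__(self):
        self.observation_db = []   # every received event (claim 13)
        self.experience_db = []    # cases created from events (claim 1)

    def _matches(self, case, ev):
        """Claims 2, 9 and 17: a further event belongs to a case when it shares an
        entity identifier, maps to the same or an associated technique, and its
        timestamp lies within the case's threat time window."""
        technique = TECHNIQUE_OF_TACTIC.get(ev.tactic)
        if technique is None or not (case.entities & ev.entities):
            return False
        if technique != case.technique and technique not in RELATED_TECHNIQUES[case.technique]:
            return False
        window = TIME_WINDOW[case.technique]
        stamps = [e.ts for e in case.events]
        return min(stamps) - window <= ev.ts <= max(stamps) + window

    def _populate(self, case, ev):
        """Populate the case with the event's data and re-score it (claim 6)."""
        case.events.append(ev)
        case.entities |= ev.entities
        case.score = sum(TACTIC_WEIGHT[e.tactic] for e in case.events)

    def receive(self, ev):
        """Claim 1 flow: store the event, match it to an open case or, if it meets
        the case creation condition, open a new case and pull in earlier events."""
        self.observation_db.append(ev)
        for case in self.experience_db:
            if self._matches(case, ev):
                self._populate(case, ev)
                return case
        if ev.tactic not in TECHNIQUE_OF_TACTIC:
            return None                    # no case creation condition met
        case = Case(TECHNIQUE_OF_TACTIC[ev.tactic], set(ev.entities))
        self._populate(case, ev)
        # Claims 7 and 17: earlier events already in the observation database may
        # also belong to the new case, so one event can appear in several cases.
        for earlier in self.observation_db[:-1]:
            if self._matches(case, earlier):
                self._populate(case, earlier)
        self.experience_db.append(case)
        return case

    def significant_cases(self):
        """The case interface exposes only cases meeting the significance condition."""
        return [c for c in self.experience_db if c.score >= SIGNIFICANCE_THRESHOLD]


def run_sample():
    """Constructed event stream: a scan, a benign event, two credential events and
    a later persistence event that pulls the earlier credential events back in."""
    engine = CaseEngine()
    for ev in [
        Event(0, "port_scan", frozenset({"host:web1", "ip:10.0.0.5"})),
        Event(100, "brute_force", frozenset({"user:alice", "ip:10.0.0.5"})),
        Event(200, None, frozenset({"user:alice"})),
        Event(700, "suspicious_login", frozenset({"user:alice", "host:web1"})),
        Event(3000, "new_admin_user", frozenset({"user:alice"})),
    ]:
        engine.receive(ev)
    return engine
```

Running `run_sample()` yields two cases: a reconnaissance case scored 65 from the scan and the two credential events, and a persistence case scored 95 that reached back into the observation database for the same two credential events; both clear the threshold and would be rendered, while the benign event is stored but never opens a case.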

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
1. SYSTEMS AND METHODS FOR DISTRIBUTED RULE-BASED CORRELATION OF EVENTS.
2. Jou et al (US 20160344762): METHOD AND SYSTEM FOR AGGREGATING AND RANKING OF SECURITY EVENT-BASED DATA.
3. Dotan et al (US 9571524): Creation of security policy templates and security policies based on the templates.
4. Baikalov et al (US 9800605): Risk scoring for threat assessment.
5. Chesla, Avi (US 20170063917): RISK-CHAIN GENERATION OF CYBER-THREATS.
6. Porat et al (US 20150135262): DETECTION AND PREVENTION FOR MALICIOUS THREATS.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867.  The examiner can normally be reached on M-F: 7:45am-5pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T. Arani can be reached on 5712723787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR 
/BADRINARAYANAN /Examiner, Art Unit 2438.