Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.



Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “module configured to” in claims 11-19.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the 
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 1 is/are rejected under 35 U.S.C. 103 as being unpatentable over Puri US 10,043,006 in view of Reybok Jr US 2018/0324207






Reybok Jr teaches sending an inoculation notice having an inoculation pattern describing the breach state and the chain of relevant behavioral parameters to a target device to warn of a potential cyber threat. [0019]  (identification of security threats, properties and mitigation)

It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Reybok Jr with Puri because it helps prevent security breaches.
As per claim 2. Reybok Jr teaches The method for the cyber threat defense system of claim 1, 
As per claim 11, Puri teaches A cyber-threat coordinator-component, comprising: a comparison module configured to execute a comparison of the input data input data monitoring a network entity to at least one machine-learning model trained on a normal benign behavior of the network entity using a normal behavior benchmark describing parameters corresponding to a normal pattern of activity for that network entity to spot behavior on the network deviating from a normal benign behavior of that network entity to identify whether the network entity is in a breach state of the normal behavior benchmark, where the network entity representing at least one of a user and a device associated with a network; a cyber threat module configured to identify whether the breach state identified by the comparison module and a chain of relevant behavioral parameters deviating from the normal benign behavior of that network entity correspond to a cyber threat; (Column 2 lines 22-45, Column 3 lines 1-38; Column 4 lines 36-42)  (Puri teaches a cyber threat defense system that uses machine learning using a normal baseline of behavior for users or applications to detect anomalous behavior by comparing real time data to the baseline; and identifying attacks and cyber kill chains) 


Reybok Jr teaches an inoculation module configured to generate an inoculation pattern describing the breach state and the chain of relevant behavioral parameters corresponding to the cyber threat identified by the cyber threat module and to store the inoculation pattern in an inoculation record in a network-accessible inoculation database. [0019]  (identification of security threats, properties and mitigation)
As per claim 12. Reybok teaches The apparatus for the cyber threat defense system of claim 11, wherein the inoculation module is configured to generate an inoculation notice having the inoculation pattern to a target device to warn of a potential breach state of normal behavior corresponding to that cyber threat by the target device and to send the inoculation notice to a target device related to the network entity. [0019][0079]
As per claim 13. Reybok teaches The apparatus for the cyber threat defense system of claim 11, wherein the inoculation module is configured to create an entity cluster to group the network entity with other entities of the network based on the chain of relevant behavior parameters of the inoculation pattern. [0019][0079] [0081] [0086] (sends to group members, to mediate based on kill chain properties)
As per claim 14. Reybok teaches The apparatus for the cyber threat defense system of claim 13, wherein the inoculation module is configured to select a target device for notification regarding the inoculation pattern based on the entity cluster. [0107][0108] (group member)
As per claim 15. Reybok teaches The apparatus for the cyber threat defense system of claim 11, wherein the inoculation module is configured to send an inoculation report listing at least the inoculation record to a target device related to the network entity to instruct the target device to retrieve the inoculation record from the network-accessible inoculation database. [0104] [0108] (updating from central database based on alert)
As per claim 16. Reybok teaches The apparatus for the cyber threat defense system of claim 11, wherein the inoculation record associates the inoculation pattern with a remediation action instruction to describe at least one action to remediate the cyber threat. [0019]
As per claim 17. Reybok teaches The apparatus for the cyber threat defense system of claim 11, wherein the inoculation module is configured to update the inoculation pattern in the inoculation record based on a subsequent event. [0019]
As per claim 18. Reybok teaches The apparatus for the cyber threat defense system of claim 11, wherein the inoculation record associates the inoculation pattern with a context data set describing at least one of a network entity action and a network entity state related to the cyber threat. [0021] (context data)
As per claim 19. Reybok teaches The apparatus for the cyber threat defense system of claim 11, wherein the inoculation record associates the inoculation pattern with an outside data set collected from at least one data source outside the network describing at least one of an outside action and an outside state related to the cyber threat. [0019][0022] (external provider searches for inoculation pattern, data outside of private network)
As per claim 20 Puri teaches A network, comprising: at least one firewall; at least one network switch; multiple computing devices operable by users of the network; a cyber-threat coordinator-component that includes a comparison module configured to execute a comparison of the input 


Reybok teaches an inoculation module configured to generate an inoculation pattern describing the breach state and the chain of relevant behavioral parameters corresponding to the cyber threat identified by the cyber threat module and to send an inoculation notice having the inoculation pattern to a target device, and at least one output port to send the inoculation notice to a target device; wherein the cyber-threat coordinator-component leverages an improvement in the network entity to improve performance by the target device by containing the detected threat and minimizing an amount of CPU cycles, memory space, and power consumed by that detected threat in the network entity when the detected threat is contained by the initiated actions. [0019]  

Claim 7 is/are rejected under 35 U.S.C. 103 as being unpatentable over Puri US 10,043,006 in view of Reybok Jr US 2018/0324207 in view of Jou US 2018/0052993


As per claim 7.  Jou teaches The method for the cyber threat defense system of claim 6, further comprising: populating the threat risk parameter with at least one of a confidence score indicating a threat likelihood describing a probability that the breach state is the cyber threat, a severity score indicating a percentage that the network entity in the breach state is deviating from the at least one model, and a consequence score indicating a severity of damage attributable to the cyber threat. [0003][0008][0027][0051]-[0054] (teaches the score and percentage likelihood a breach has occurred including behavior and comparing the behavior to a baseline behavior)
Reybok teaches other scoring including severity score [0079].

It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the percent comparison of Jou with the previous art because it provides an easily understandable probability of infection/breach.

Claims 8-9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Puri US 10,043,006 in view of Reybok Jr US 2018/0324207 in view of Rajasekharan US 2019/0044963

As per claim 8.  Rajasekharan teaches The method for the cyber threat defense system of claim 6, further comprising: comparing the threat risk parameter to a benchmark matrix having a set of benchmark scores to determine whether to send the inoculation notice. [0030]-[0032]  (teaches comparing a behavior model to anomaly threshold to determine whether there is an anomaly or not and calculating weighted risk scores)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the threshold of Rajasekharan with the prior art combination in order to reduce false positives.
As per claim 9. Rajasekharan teaches The method for the cyber threat defense system of claim 8, further comprising: assigning a weight to each benchmark score to assign a relative importance to each benchmark score. [0013][0030]-[0032]  (teaches comparing a behavior model to anomaly






Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833.  The examiner can normally be reached on M-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.