DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Priority
Acknowledgment is made of applicant’s claim for domestic priority under 35 U.S.C. 119 (e).

Claim Objections
Claims 16, 17, 19, and 20 are objected to because of the following informalities: 
Claim 15 recites “at least one processor device”, which is later referred to as “the at least one processing device”; the latter term lacks antecedent basis.  Appropriate correction is required.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:


The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 

Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “processor device configured to receive/separate/generate” in claim 15; “processing device configured to receive” in claim 16; “processing device configured to separate” in claim 17; “processing device is configured to assign” in claim 19; and “processing device is configured to obtain” in claim 20.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting 

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1, 2, 8, 9, 15, and 16 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Muddu et al, U.S. Patent 9,516,053.

As per claim 1, Muddu teaches a computer-implemented method for implementing automated threat alert triage via data provenance, comprising:
receiving, by an alert triage system (analysis module, column 17, lines 40-49), a set of alerts and security provenance data (event specific data), wherein the security provenance data provides alert context by reconstructing a chain of events (supporting data) that lead to an alert event and/or ramifications of the alert event (anomaly)(col. 17, line 50 through col. 18, line 12);
separating, by the alert triage system, true alert events within the set of alert events corresponding to malicious activity from false alert events within the set of alert events corresponding to benign activity based on an alert anomaly score assigned to the at least one alert event (col. 101, line 41 through col. 102, line 6), including:

obtaining a subgraph (mini-graphs, col. 24, lines 37-40) of the at least one dependency graph based on a propagation of path anomaly scores (col. 59, lines 26-36) corresponding to respective paths including sequences of dependency events from the at least one dependency graph (col. 59, lines 11-20); and
automatically generating, by the alert triage system, a set of triaged alert events based on the separation (col. 59, lines 37-47).
As per claim 2, it is disclosed wherein receiving the at least one dependency graph further includes generating the at least one dependency graph based on the security provenance data (col. 24, lines 33-51).
As per claim 8, Muddu discloses a computer program product comprising a non-transitory computer readable storage medium having program instructions embodied therewith, the program instructions executable by a computer to cause the computer to perform a method for implementing automated threat alert triage via data provenance, the method performed by the computer comprising:
receiving, by an alert triage system (analysis module, column 17, lines 40-49), a set of alerts and security provenance data (event specific data), wherein the security provenance data provides alert context by reconstructing a chain of events (supporting data) that lead to an alert event and/or ramifications of the alert event (anomaly)(col. 17, line 50 through col. 18, line 12);
separating, by the alert triage system, true alert events within the set of alert events corresponding to malicious activity from false alert events within the set of alert events corresponding 
receiving at least one dependency graph derived from the security provenance data corresponding to at least one alert event of a set of alert events, the dependency graph including nodes representing system objects and edges representing causal relationships between the system objects (col. 24, lines 33-51); and
obtaining a subgraph (mini-graphs, col. 24, lines 37-40) of the at least one dependency graph based on a propagation of path anomaly scores (col. 59, lines 26-36) corresponding to respective paths including sequences of dependency events from the at least one dependency graph (col. 59, lines 11-20); and
automatically generating, by the alert triage system, a set of triaged alert events based on the separation (col. 59, lines 37-47).
As per claim 9, it is taught wherein receiving the at least one dependency graph further includes generating the at least one dependency graph based on the security provenance data (col. 24, lines 33-51).
As per claim 15, Muddu teaches a system for implementing automated threat alert triage (analysis module, column 17, lines 40-49) via data provenance, comprising:
a memory device for storing program code; and
at least one processor device operatively coupled to a memory device and configured to execute program code stored on the memory device to:
receive a set of alerts and security provenance data (event specific data), wherein the security provenance data provides alert context by reconstructing a chain of events (supporting data) that lead to an alert event and/or ramifications of the alert event (anomaly)(col. 17, line 50 through col. 18, line 12);

receiving at least one dependency graph derived from the security provenance data corresponding to at least one alert event of a set of alert events, the dependency graph including nodes representing system objects and edges representing causal relationships between the system objects (col. 24, lines 33-51); and
obtaining a subgraph (mini-graphs, col. 24, lines 37-40) of the at least one dependency graph based on a propagation of path anomaly scores (col. 59, lines 26-36) corresponding to respective paths including sequences of dependency events from the at least one dependency graph (col. 59, lines 11-20); and
automatically generate a set of triaged alert events based on the separation (col. 59, lines 37-47).
As per claim 16, it is disclosed wherein the at least one processing device is further configured to receive the at least one dependency graph by generating the at least one dependency graph based on the security provenance data (col. 24, lines 33-51).
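The claimed pipeline recited in claims 1, 8 and 15 above (a dependency graph of system objects, propagation of path anomaly scores, extraction of a subgraph, and separation of true from false alerts by an alert anomaly score) can be illustrated with the following Python example. It is added here for illustration only and is not the applicant's code, the Muddu reference's code, or part of the record; the graph, the per-event scores, the alert nodes, the threshold and the aggregation rule 1 - prod(1 - s_i) are all constructed assumptions.

```python
from collections import defaultdict

# Constructed dependency graph: each edge (src, dst, score) is one causal event
# between system objects, tagged with a per-event anomaly score in [0, 1].
EDGES = [
    ("browser.exe", "/tmp/payload.bin", 0.7),   # unusual file written by browser
    ("/tmp/payload.bin", "stager.exe", 0.8),     # that file started as a process
    ("stager.exe", "198.51.100.7:8443", 0.9),    # outbound connection from it
    ("updater.exe", "/opt/app/app.bin", 0.1),    # routine update (benign chain)
    ("/opt/app/app.bin", "app.exe", 0.05),
]

def build_graph(edges):
    """Forward adjacency (ramifications) and backward adjacency (chain leading to)."""
    fwd, bwd = defaultdict(list), defaultdict(list)
    for src, dst, score in edges:
        fwd[src].append((dst, score))
        bwd[dst].append((src, score))
    return fwd, bwd

def path_scores(adj, start, depth):
    """Propagate anomaly scores along every simple path from `start` (at most
    `depth` hops). Assumed aggregation rule: a path scores 1 - prod(1 - s_i),
    i.e. the chance that at least one event on it is anomalous, so a chain of
    several suspicious events outscores any single event on it."""
    out = []
    def walk(node, acc, path):
        for nxt, s in adj.get(node, []):
            if nxt in path:            # skip cycles
                continue
            score = 1 - (1 - acc) * (1 - s)
            out.append((path + [nxt], score))
            if len(path) < depth:
                walk(nxt, score, path + [nxt])
    walk(start, 0.0, [start])
    return out

def triage(edges, alert_nodes, threshold=0.5, depth=3):
    """Separate true from false alerts by alert anomaly score and return them triaged."""
    fwd, bwd = build_graph(edges)
    triaged = []
    for node in alert_nodes:
        paths = path_scores(bwd, node, depth) + path_scores(fwd, node, depth)
        subgraph = [p for p, s in paths if s >= threshold]   # paths kept as alert context
        score = max((s for _, s in paths), default=0.0)       # alert anomaly score
        triaged.append({"alert": node, "score": round(score, 3),
                        "true_alert": score >= threshold, "subgraph": subgraph})
    return sorted(triaged, key=lambda a: a["score"], reverse=True)
```

With the constructed graph, `triage(EDGES, ["app.exe", "stager.exe"])` ranks the stager alert first with score 0.94 and three context paths, and marks the updater chain (0.145) as a false alert with an empty subgraph.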

Allowable Subject Matter
Claims 3-7, 10-14, and 17-20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Hassanzadeh et al, US 2016/0301704 is relied upon for disclosing analysis of threat scenarios by determining a progression of system states and communication paths during an attack, see paragraph 0062.
Jiang, US 2018/0013787 is relied upon for disclosing examination of attack paths by viewing the packet forwarding device closest to the attack source, see paragraph 0040.
Saurabh, U.S. Patent 10,666,666 is relied upon for disclosing scoring of event data along a plurality of dimensions, see abstract.
Bassett, U.S. Patent 9,292,695 is relied upon for disclosing benign actors that are added to attack graphs and paths, with comparison of probabilities, see column 17, lines 39-48.
Bourget et al, U.S. Patent 10,873,596 is relied upon for disclosing parsing of alerts and automatically running an alert triage system to assign an alert importance score, see column 4, lines 25-32.
Dhammi et al, “Behavior Analysis of Malware Using Machine Learning” is relied upon for disclosing capturing and analyzing the latest malware traffic, performing static and dynamic analysis, categorizing the malware, and validating and verifying the results, see page 3, section IV, column 2.
Bierma et al, “Learning to Rank for Alert Triage”, is relied upon for disclosing filtering of alerts to identify potential intrusions and ranking them to ensure that an analyst is provided with the most important alerts, see abstract.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER A REVAK whose telephone number is (571)272-3794.  The examiner can normally be reached on 5:30am - 3:00pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LYNN FEILD can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/CHRISTOPHER A REVAK/Primary Examiner, Art Unit 2431