Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
Applicant’s amendment filed on April 8, 2021 amends claims 1, 15, and 18.  Claims 1-20 are pending.

Response to Arguments
Applicant's arguments filed on April 8, 2021 have been fully considered and are not persuasive.  With respect to each of claims 1, 15, and 18, the Applicant has not provided adequate evidence from the specification to support the amendment.  Furthermore, Gorny discloses the newly recited features in each of amended claims 1, 15, and 18.  As described in the rejection under 35 USC 102 which follows, Gorny discloses a second adjustment factor, RALi, which is mapped to the recited reduction factor.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):

Claims 1, 15, and 18 are rejected under 35 U.S.C. 112(a), first paragraph, as failing to comply with the written description requirement.  Each of these claims contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Applicant is requested to provide adequate evidence from the specification to support any amended claim.  Applicant has not adequately pointed out where the amended claim is supported with respect to the claim limitation:   “wherein generating the risk score comprises applying a reduction factor to a particular one of the assigned weights for a corresponding one of the categories as a function of the number of indicators in the corresponding category” as recited in each of claims 1, 15, and 18.
Page 19 of the specification describes the use of Di in a summation in which a risk score in the high category is computed by way of the following equation:

    [Equation image: media_image1.png]

Thus, the risk score in the high category is equal to a summation of a sequence of adjusted weights in the high category, in which a plurality of NH adjustment factors are applied (i.e., corresponding to 1/Di, in which the exponent, i, varies from i=0 to NH-1). Applicant’s reference to page 19 of the specification does not provide support for the limitation, “wherein generating the risk score comprises applying a reduction factor to a particular one of the assigned weights for a corresponding one of the categories as a function of the number of indicators in the corresponding category” as recited in each of claims 1, 15, and 18, because a plurality of NH adjustment factors are applied to the NH terms in the sequence to obtain the risk score in the high category.  

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:


(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-2 and 4-20 are rejected under 35 U.S.C. 102(a)(1) as being unpatentable over Gorny et al. (US 2017/0324760).
Regarding independent claim 1, Gorny teaches receiving a plurality of indicators relating to an entity of a computer network (see Gorny at [0009] which discloses that select files containing website data are downloaded from hosting servers to the analysis and repair servers where characteristics of the website files are detected, counted, and processed with an algorithm that supports weighting certain characteristics over others to produce a rare website security breach event prediction; note that Examiner maps characteristics to the recited indicators); arranging the indicators in a plurality of categories of increasing risk (see Gorny at [0009] and at claim 15, which discloses aggregating characteristics into security breach risk groups); assigning weights to the indicators in the categories as a function of the number of categories and the number of indicators in each category (see Gorny at [0060] which discloses that plurality of risk adjustment factors may be calculated for each cluster (or group) of characteristics including first risk adjustment factors:

    [Equation image: media_image2.png]

where 

    [Equation image: media_image3.png]


Further, see Gorny at [0061] which discloses that second risk adjustment factors may be linear risk adjustment factors that may represent the percent contribution of a cluster risk contribution to the sum of the individual risk contributions.  Examiner maps the first adjustment factors to the recited weights.  Moreover, Gorny discloses the following equation at [0061] to describe computation of the second risk adjustment factor:

    [Equation image: media_image4.png]

Examiner notes that the preceding equations are a function of cluster (or group) number, i, and the number of individual cluster characteristics in a cluster, n, where c varies from 1 to n); generating a risk score for the indicators based at least in part on the assigned weights (see Gorny at [0064] which discloses that a total risk calculation may be computed based on the individual risk contributions); wherein generating the risk score comprises applying a reduction factor to a particular one of the assigned weights for a corresponding one of the categories as a function of the number of indicators in the corresponding category (see Gorny at [0060] or at [0061] which discloses a plurality of risk adjustment factors (RAEi and RALi); Examiner maps the first risk adjustment factor, RAEi, to the recited weights and the second risk adjustment factor, RALi, to the recited reduction factor.  Examiner maps the clusters to the recited categories and the number of cluster characteristics to the number of indicators.   Examiner notes that RALi will have a value less than 1 since RCi will always be less than SUM(RC(i-1, 2, 3, … n)).  Since RALi is a value less than 1, Gorny’s second risk adjustment factor corresponds to a reduction factor.  
Examiner notes that the presence of a particular second risk adjustment factor, i, corresponds to a particular one of the assigned weights.); and initiating at least one automated action relating to the entity of the computer network based at least in part on the risk score (see Gorny at [0009] which discloses sending an alert based on the placement of the total risk in the risk alert range; also see Gorny at [0010] which discloses that a user interaction circuit provides a notification as an alert that is sent to a mobile device of the user); wherein the method is performed by at least one processing device comprising a processor coupled to a memory (see Gorny at [0140] which discloses that the methods and systems described herein may be deployed in part or in whole through a machine having a computer, computing device, processor, circuit, and/or server that executes computer readable instructions, program codes, instructions, and/or includes hardware configured to functionally execute one or more operations of the methods and systems disclosed processor may include memory that stores methods, codes, instructions and programs as described herein and elsewhere.  The processor may access a storage medium through an interface that may store methods, codes, and instructions as described herein and elsewhere. The storage medium associated with the processor for storing methods, programs, codes, program instructions or other type of instructions capable of being executed by the computing or processing device may include but may not be limited to one or more of a CD-ROM, DVD, memory, hard disk, flash drive, RAM, ROM, cache and the like.).
Independent claim 15 is substantially the same as claim 1 and is therefore rejected under the same rationale as stated for claim 1 above.
Regarding independent claim 18, Gorny teaches a computer program product comprising a non-transitory processor-readable storage medium having stored therein program code of one or more software programs, wherein the program code is executed by at least one processing device (see Gorny at [0152] which discloses that the methods, program code, instructions, and/or programs may be stored and/or accessed on machine readable transitory and/or non-transitory media that may include: computer components, devices, and recording media that retain digital data used for computing for some interval of time; semiconductor storage known as random access 
Regarding claim 2, Gorny teaches the method of claim 1 wherein the entity comprises at least one of a file, a machine and a user of the computer network (see Gorny at [0009] which discloses that select files containing website data are downloaded from hosting servers to the analysis and repair servers where characteristics of the website files are detected, counted, and processed with an algorithm that supports weighting certain characteristics).
Regarding claim 4, Gorny teaches the method of claim 1 wherein the categories accommodate up to respective maximum numbers of indicators (see Gorny at [0009] which discloses limiting certain characteristic counts and aggregating them into predefined groups; and Gorny at claim 15 which discloses aggregating groups of characteristics into security breach risk groups based on a predetermined list of characteristic groupings).
Regarding claim 5, Gorny teaches the method of claim 1 wherein different ones of the categories are configured to accommodate different maximum numbers of indicators (see Gorny at [0009] which discloses limiting certain characteristic counts and aggregating them into predefined groups; and Gorny at claim 15 which discloses aggregating groups of characteristics into security breach risk groups based on a predetermined list of characteristic groupings; Examiner notes that there is an inherent 
Regarding claim 6, Gorny teaches the method of claim 1 wherein the weights are assigned in accordance with a designated probability density function in which weights for categories of increasing risk are computed at least in part using exponentials based on respective increasing integers or respective increasing powers of a designated integer (see Gorny at [0060] which discloses that a plurality of risk adjustment factors may be calculated and that a first risk adjustment factor may be an exponential risk adjustment factor with an equation:

    [Equation image: media_image5.png]

Gorny at [0062] discloses the associated probability function calculation for each cluster as an exponential of a baseline probability plus the cluster-specific contribution divided by the sum of 1 and the exponential of the baseline probability plus the cluster-specific contribution:
		
    [Equation image: media_image6.png]


Regarding claim 7, Gorny teaches the method of claim 1 wherein assigning the weights comprises: assigning initial weights to at least a subset of the indicators; and subsequently adjusting one or more of the weights (see Gorny at [0060] and at [0061] and their respective equations; Examiner notes that as the variable n increases with additional risk contributions, RAEi and RALi are adjusted accordingly.)
Regarding claim 10, Gorny teaches the method of claim 1 wherein a weighted contribution to the risk score of indicators in a relatively high one of the categories is greater than a weighted contribution to the risk score of indicators in a relatively low one of the categories regardless of the numbers of indicators in the relatively high and relatively low categories (see Gorny at [0061] which discloses the equation:

    [Equation image: media_image4.png]

which discloses a second risk adjustment factor that may represent the percent contribution of a cluster risk contribution to the sum of the individual risk contributions.  Examiner notes that the risk adjustment factor corresponds to the recited weighted contribution.  Examiner notes that the value of the adjustment factor is higher when the contribution for cluster i is in a higher risk category.  Likewise, Examiner notes that the value of the adjustment factor is lower when the contribution for cluster i is in a lower 
Claim 17 is substantially the same as claim 10 and is therefore rejected under the same rationale as stated for claim 10 above.
Claim 20 is substantially the same as claim 10 and is therefore rejected under the same rationale as stated for claim 10 above.
Regarding claim 16, Gorny teaches the apparatus of claim 15 wherein a weighted contribution to the risk score of indicators in a relatively low one of the categories decreases as a number of indicators in a relatively high one of the categories increases, and a weighted contribution to the risk score of indicators in a relatively low one of the categories increases as a number of indicators in a relatively high one of the categories decreases (see Gorny at [0064] which discloses that if the total risk calculation falls in the upper portion of the range, the risk may be HIGH. If the total risk calculation falls in the lower portion of the range, the risk may be LOW.  Examiner refers to the following equation, as disclosed in Gorny at [0058]:

    [Equation image: media_image3.png]

Based on the foregoing equation, Examiner notes that given a number, n, of individual cluster characteristics in a cluster, the number of indicators that are 
Claim 8 is substantially the same as claim 16 and is therefore rejected under the same rationale as stated for claim 16 above.
Claim 9 is substantially the same as claim 16 and is therefore rejected under the same rationale as stated for claim 16 above.
Claim 19 is substantially the same as claim 16 and is therefore rejected under the same rationale as stated for claim 16 above.
Regarding claim 11, Gorny teaches the method of claim 1 wherein said at least one automated action relating to the entity of the computer network comprises: generating an alert responsive to a result of comparing the risk score to at least one designated threshold; and transmitting the alert to a security agent of the computer network (see Gorny at [0009] and at [0010], which discloses that an alert is sent based on the placement of the total risk in a risk alert range and that an alert is sent to a mobile device of the user.  Examiner maps the mobile device to the recited security agent of the computer network.  Examiner notes that the specification, at page 7 of the present application, states that a given security agent device can comprise a mobile telephone equipped with a mobile application configured to receive alerts from the network security system.)
 comprises one or more of: whitelisting, blacklisting or greylisting a file; quarantining at least one of a file and an associated machine containing the file; computing a cryptographic hash of a file for use in scanning of one or more machines; scanning one or more machines using a cryptographic hash of a file; and disconnecting one or more machines from the computer network (see Gorny at [0017] which discloses updating a library of known feature indication arrays that may include gathering arrays for a plurality of files that are known as either malicious or not malicious.  Updating the library may include populating the library with arrays classified as indicating malicious content that are derived from malicious files and do not match any arrays derived from non-malicious files.  Examiner notes that updating a library with files that are known as malicious or not malicious corresponds to the recited blacklisting a file.)  
Regarding claim 13, Gorny teaches the method of claim 1, wherein said at least one automated action relating to the entity of the computer network comprises performing at least one of static analysis of a file and dynamic analysis of a file (see Gorny at [0009] which discloses a set of analysis and repair servers that are configured with website content security breach analysis, detection, and repair functionality. Select files containing website data are downloaded from hosting servers to the analysis files are detected, counted, and processed.)
Regarding claim 14, Gorny teaches the method of claim 1 wherein said at least one automated action relating to the entity of the computer network comprises: moving at least one of the indicators from one of the categories to another one of the categories based at least in part on a result of a security analysis of the entity; and adjusting the weights assigned to the indicators responsive to the moving of the one or more indicators (see Gorny at [0009], which discloses a set of analysis and repair servers where characteristics of downloaded files are detected, counted, and processed with an algorithm for predicting a security breach event; Gorny, at [0057], discloses that a first security breach prediction model may be fitted with a set of characteristics from two out of three characteristic groups while Gorny, at [0065], discloses that a second security breach prediction model may be fitted with characteristics from all three characteristic groups.  Examiner notes that characteristics may be moved from one breach prediction model to another and that the contribution of a particular characteristic may be determined for each group or cluster by applying the following risk adjustment factor equations as disclosed in [0060] and [0061]:

    [Equation image: media_image5.png]


    [Equation image: media_image4.png]



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.

3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claim 3 is rejected under 35 USC 103 as being unpatentable over Gorny et al. (US 2017/0324760) in view of Singh et al. (US 9,984,344).
Regarding claim 3, Gorny teaches all of the limitations of claim 1 but does not expressly teach wherein the categories comprise at least a subset of low, medium, high and critical categories.  However, the Singh reference, which is in the same field of endeavor, teaches wherein the categories comprise at least a subset of low, medium, high and critical categories (see Singh at col. 7 lines 36-37 which discloses risk/sensitivity levels that are Low, Medium, High and Critical associated with admin configurable attributes).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Gorny to incorporate categories comprising at least a subset of low, medium, high and critical categories, as taught by Singh.  
One would have been motivated to make such a modification in order to increase the level of sensitivity, as suggested by Singh at col. 7 line 37.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROY RHEE whose telephone number is 313-446-6593.  The examiner can normally be reached on 8:30 am to 5:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair.
Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).  If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/R.R./Examiner, Art Unit 3661

/PETER D NOLAN/Supervisory Patent Examiner, Art Unit 3661