DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claims Status
Claims 1-20 are pending and claims 1, 2, 5-11, 13-17, 19, and 20 are amended.  
Response to Arguments 
Objection to specification is withdrawn in view Applicant’s arguments, see Page 8,  “Objection to the Specification” section, filed on 3/22/21.
Rejection of Claims 1-9, 13, 14, and 16-20 under 35 U.S.C. 112(b) have been withdrawn in view the amendment filed om 3/22/21, see Page 8-10.
Applicant's arguments with respect to Rejection of Claims 16-18 and 20 under 35 U.S.C. 102(a)(1) and Rejection of Claims 1-15 and 19 under 35 U.S.C. $ 103  have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. A new ground of rejection added to overcome amendments to the claims.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 16 – 18 and 20 are rejected under 35 U.S.C. 102 (a)(1) as being anticipated by Lee et al.  (US 20180351993 A1, hereinafter Lee) 
Regarding to claim 16, (Currently Amended) A computer-readable memory having computer program code recorded thereon that when executed by at least one processor causes the at least one processor to perform a method comprising: obtaining, from a security detections pool, ([0030] see selecting ACE library (detection pool) a plurality of detection instances for a detection algorithm that meets at least one predetermined criterion, ([0030] preferably by selecting one or more ACEs from a pre-existing library (pool) of ACEs (detection algorithm) that are not already active for the customer (not already active/not boarded detection algorithm, which is one predetermined criterion) 
the detection algorithm comprising an algorithm and generate detection instances that include the plurality of detection instances; ([Abstract] The methods and system described herein automatically generate network router access control entities (ACEs) ( detection algorithm) that are used to filter internet traffic (plurality detection instances) storing an indication, for each of the obtained detection instances, whether the detection instance is a true positive; ([0042] The attack traffic profile contains statistics on the packet algorithm based at least on the indications for the algorithm to a security monitoring platform that generates one or more security cases for evaluation based on the detection algorithm if the true positive rate is above a threshold; ([0030] This is shown by arrows 107a-b in FIG. 1. In a fully automated system, the ACE Engine 104 can directly inject a recommended ACE (automatically onboard detection algorithm) into the router or other data cleaning center equipment (security monitoring platform), preferably only if the recommend ACE score is above a threshold.)
and automatically rejecting the detection algorithm and (//Examiner remark: the onboarding evaluation based an ACE (detection algorithm) above a threshold is automatically performs rejection evaluation based on a detection instance below a threshold. In short the inverse operation of onboarding, rejection is inherently performed.)
 transmitting a notification to an author of the detection algorithm if the true positive rate is not above the threshold.  ([0009] the recommended ACE may be tuned to block attack traffic that was not blocked by the already-deployed ACEs (put another way, to block leak-through 
 
Regarding to claim 17, (Currently Amended) The computer-readable memory of claim 16,  the combination of Lee and Paudice teach claim 16. 
Lee teaches wherein the predetermined criterion comprises a determination that the detection algorithm has not been onboarded or rejected.  ([0030] The ACE Engine 104 generates ACE recommendations, preferably by selecting one or more ACEs from a pre-existing library of ACEs (detection algorithm) that are not already active for the customer (not boarded)
Regarding to claim 18, (Original) The computer-readable memory of claim 16, the combination of Lee and Paudice teach claim 16. 
Lee teaches wherein the predetermined criterion comprises a determination that the one or more detection instances were generated for at least a threshold time period.   ([0041] discloses generating detection instances for a predetermined time period.)
Regarding to claim 20, (Currently Amended) The computer-readable memory of claim 16, the combination of Lee and Paudice teach claim 16. 
Lee teaches wherein the notification comprises a reason associated with the rejection of the detection algorithm.  ([0009] the recommended ACE may be tuned to block attack traffic that was not blocked by the already-deployed ACEs (put another way, to block leak-through attack 


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1 – 15 and 20 are rejected under 35 U.S.C. 103 as being unpatentable.
Claims 1 - 20 are rejected under 35 U.S.C. 103 as being unpatentable over Lee et al.  (US 20180351993 A1, hereinafter Lee) in view of Paudice et al. ("An Experiment with Conceptual Clustering for the Analysis of Security Alerts," 2014 IEEE International Symposium on Software Reliability Engineering Workshops, Naples, 2014, pp. 335-340, doi: 10.1109/ISSREW.2014.82, hereinafter, Paudice) 
Regarding to claim 1, (Currently Amended) Lee teaches a system for evaluating security detections ([Abstract] A system … examines (evaluates) existing ACEs  (security detections), the system comprising: one or more processors; and one or more memory devices that store program code configured to be executed by the one or more processors, the program code 
a detection instance obtainer configured to obtain one or more detection instances for a detection algorithm that meets at least one predetermined criterion, ([Abstract] The rules are generated by an ACE engine that processes incoming internet packets (obtain detection instances)  and examines existing ACEs (detection algorithm) and a statistical profile of the captured packets (detection instances)  to produce one or more recommended ACEs with a quantified measure of confidence (predetermined criterion.)
the detection algorithm comprising an algorithm for generating detection instances that include the one or more detection instances;  and  ([Abstract] The methods and system described herein automatically generate network router access control entities (ACEs) (generate detection algorithm) that are used to filter internet traffic (detection instances) an onboarding determiner configured to onboard or reject the detection algorithm, ([0030] In a fully automated system, the ACE Engine 104 can directly inject (onboard) a recommended ACE (detection algorithm) into the router or other data cleaning center equipment , preferably only if the recommend ACE score is above a threshold. //Examiner remark: detection algorithms that are not injected are rejected.)
the onboarding determiner comprising: a volume thresholder configured to automatically onboard the detection algorithm [0041] At step 402, the Traffic Profiler applies certain volumetric and statistical rules (volume above first and second thresholds, etc) to look for signs of a potential attack (detection instances) in the traffic…); ([0009]  automatically and accurately identify an ACE  (detection algorithm) to use ( onboard)); 
(algorithm (
a detection performance evaluator configured to determine an efficacy of the detection algorithm (algorithm based at least on the efficacy.  ([0042] the level of confidence that the traffic truly represents an instance of the identified attack. While the ACE Engine 104 uses packet statistics to determine the appropriate ACE (efficacy), in some cases, the ACE (detection algorithm) recommendation determination can be augmented referencing the attack signature identifier and/or confidence score of the signature identifier (efficacy). Further, a human operator can use the attack signature information to confirm the choice of ACE (detection algorithm).) 
Lee doesn’t explicitly teach if a volume of the obtained one or more detection instances is below a first threshold, and if the volume is above a second threshold; (if the volume is not below the first and not above the second threshold), 
Paudice from analogues endeavor teaches if a volume of the obtained one or more detection instances is below a first threshold, and if the volume is above a second threshold;  if the volume is not below the first and not above the second threshold,
([page 337, Sec. IV, end of ¶] ..It is possible to discard many of these alerts because they are not potentially useful for the analysis of security incidents.   If the size of an obtained cluster is greater than a certain threshold (above a second threshold), then we filter out all the alerts (detection instances) belonging to the cluster. Examiner remark:  the inverse operation, evaluating a “volume  below a threshold” is automatically performed in evaluating” volume above threshold”.  Therefore, Paudice teaches a volume above and volume below threshold to filter detection instances.)
Therefore, it would have been obvious to a person having ordinary skills in the art, before the effective filing date of the claimed invention, to incorporate the teaching of Paudice to the teaching of Lee to improve discarding large volume of false-positive alerts/detection instances so security personnel focus on true-positive alerts, as taught Paudice.  The combining of the teachings would have yielded predictable results to one of ordinary skills in the art since Lee discusses detection instances having  volume statistics in relation to  detected algorithms. In other words, A volume of detection instances has correlation to a detection algorithm applied to the traffic being monitored.  Furthermore, a person having ordinary skills in the art would implement volume threshold comparison rules as formulated with the words "above" and "below", “within above and below” to produce the same result. Furthermore, A threshold by definition denotes values that are above and below a threshold.  Hence a value is checked whether it is outside an interval defined by two thresholds; above one threshold (or below the threshold for the inverse case.)
Regarding to claim 2, (Currently Amended) The system of claim 1, the combination of Lee and Paudice teaches claim 1. 
Lee teaches wherein the predetermined criterion comprises a determination that the detection algorithm has not been onboarded or rejected.  ([0030] The ACE Engine 104 generates ACE 
Regarding to claim 3, (Original) The system of claim 1, the combination of Lee and Paudice teaches claim 1. 
Lee teaches wherein the predetermined criterion comprises a determination that the one or more detection instances were generated for at least a threshold time period.  ([0041] discloses generating detection instances for a predetermined time period.)
 
Regarding to claim 4. (Original) The system of claim 1, the combination of Lee and Paudice teaches claim 1. 
Lee teaches wherein the detection instance obtainer is configured to obtain the one or more detection instances from a security detections pool.  ([0030] The ACE Engine 104 generates ACE recommendations, preferably by selecting one or more ACEs from a pre-existing library (pool) of ACEs (detection algorithm) that are not already active for the customer (not boarded)
Regarding to claim 5, (Currently Amended) The system of claim 1, the combination of Lee and Paudice teaches claim 1. 
Lee teaches wherein the detection performance evaluator is configured to: obtain a plurality of sampled detection instances associated with the detection algorithm;  ([0064] This attack traffic profile relates to traffic directed to a particular IP address, which could be associated with a particular customer (tenant) in a multi-tenant platform (plurality of sampled detection)
Regarding to claim 6,  (Currently Amended) The system of claim 5, Lee teaches wherein the detection performance evaluator is configured to: determine the efficacy of the detection algorithm by determining a true positive rate based at least on the indications for the sampled detection instances, and  ([0042] The attack traffic profile contains statistics on the packet parameter statistics that were captured and triggered by detection rules (detection algorithm). In some embodiments, the attack traffic profile also includes a signature identifier and a confidence score (true positive rate). 
onboard the detection algorithm if the efficacy is above a third threshold, and reject the detection algorithm if [[is]] the efficacy is not above the third threshold.  ([0042] the level of confidence that the traffic truly represents an instance of the identified attack. While the ACE Engine 104 uses packet statistics to determine the appropriate ACE (efficacy), in some cases, the ACE recommendation determination can be augmented referencing the attack signature identifier and/or confidence score of the signature identifier. Further, a human operator can use the attack signature information to confirm the choice of ACE.)
Regarding to claim 7, (Currently Amended) The system of claim 1, the combination of Lee and Paudice teaches claim 1.   Lee teaches wherein the onboarding determiner comprises: a rejection notifier configured to transmit a notification to an author of the detection algorithm algorithm. ([0009] the recommended ACE may be tuned to block attack traffic that was not blocked by the already-deployed ACEs (put another way, to block leak-through attack traffic) //Examiner remark:  Detection algorithms that failed to block traffic are sent to author of the algorithm to be tuned/modified.[0119] Also at 710, the selected ACE(s) (after conversion to the desired form) are sent to a user interface in the SOC 106 for evaluation/deployment. )
Regarding to claim 8, (Currently Amended) Lee teaches the system of claim 7, wherein the rejection notifier is further configured to update a state flag associated with the detection algorithm that indicates that the detection algorithm was rejected.  ([0030] In a semi-automated workflow, a security professional in the SOC 106 receives (notified) and evaluates the recommended ACE in correspondence with statistics from the traffic profiler and accepts/rejects/edits (update the state flag) the recommended ACE before it is deployed.)
Regarding to claim 9, (Currently Amended) The system of claim 1, the combination of Lee and Paudice teaches claim 1. 
Lee teaches wherein the onboarding determiner comprises:  a detection onboarder configured to onboard the detection algorithm to a security monitoring platform that generates one or more security cases for evaluation based on the detection algorithm.  ([0032] The Traffic Modeler 204 transforms the properties of the attack traffic profile  into a representation for recommending ACEs.)
Regarding to claim 10, (Currently Amended) A method for evaluating security detections, ([Abstract] A method … examines (evaluates) existing ACEs  (security detections), 
algorithm that meets at least one predetermined criterion, ([0030] preferably by selecting one or more ACEs from a pre-existing library (pool) of ACEs (detection algorithm) that are not already active for the customer (not already active/not boarded detection algorithm, which is one predetermined criterion)
the detection algorithm comprising an algorithm and generate detection instances that include the one or more detection instances;  ([0023] a system for automatically generating ACE (detection algorithm) recommendations and deploying them to clean network traffic (detecting security events).) determining a volume of the one or more detection instances for the detection algorithm;  ([0041] At step 402, the Traffic Profiler applies certain volumetric and statistical rules ( first, second thresholds) to look for signs of a potential attack (detection instances) in the traffic.) in response to (algorithm to a security monitoring platform ([0010] Once selected, the ACE(s) (detection algorithm) then can be deployed automatically or alternatively sent to system personnel for review and confirmation (security monitoring platform) that generates one or more security cases for evaluation based on the detection algorithm;  (0010] In that case, the recommended ACE may be tuned to block attack traffic that was not blocked by the already-deployed ACEs (put another way, to block leak-through attack traffic) (generate security cases.) algorithm (//Examiner remark: rejecting based on volume above a threshold is the inverse of volume of detection below a threshold which is performed automatically (see [0010].)
and transmitting a notification to an author of the detection algorithm. ([0030] discloses security professional receiving (author receiving notification) ACEs (detection algorithm for accepts/rejects/edits.)
Lee doesn’t explicitly teach determining that the volume is below a first threshold; determining that the volume is above a second threshold;
Paudice teaches determining that the volume is above a second threshold; volume is below a first threshold. ([page 337, Sec. IV, end of §] ..It is possible to discard many of these alerts because they are not potentially useful for the analysis of security incidents.   If the size of an obtained cluster is greater than a certain threshold (above a second threshold), then we filter out all the alerts (detection instances) belonging to the cluster. Examiner remark:  the inverse operation, evaluating a “volume  below a threshold” is automatically performed in evaluating” volume above threshold”.  Therefore, Paudice teaches a volume above and volume below threshold to filter detection instances.)
Therefore, it would have been obvious to a person having ordinary skills in the art, before the effective filing date of the claimed invention, to incorporate the teaching of Paudice to the teaching of Lee to improve discarding large volume of false-positive alerts/detection instances so security personnel focus on true-positive alerts, as taught Paudice.  The combining of the teachings would have yielded predictable results to one of ordinary skills in the art since Lee discusses detection instances having  volume statistics in relation to  detected algorithms. In other words, A volume of detection instances has correlation to a detection algorithm applied to the traffic being monitored.  Furthermore, a person having ordinary skills in the art would implement volume threshold comparison rules as formulated with the words "above" and "below", “within above and below” to produce the same result. Furthermore, A threshold by definition denotes values that are above and below a threshold.  Hence a value is checked whether it is outside an interval defined by two thresholds; above one threshold (or below the threshold for the inverse case.
Regarding to claim 11, (Currently Amended) The method of claim 10, the combination of Lee and Paudice teaches claim 10.
Lee teaches wherein the predetermined criterion comprises a determination that the detection algorithm has not been onboarded or rejected.  ([0030] The ACE Engine 104 generates ACE recommendations, preferably by selecting one or more ACEs from a pre-existing library of ACEs (detection algorithm) that are not already active for the customer (not boarded)
Regarding to claim 12, (Original) The method of claim 10, the combination of Lee and Paudice teaches claim 10.
Lee teaches wherein the predetermined criterion comprises a determination that the one or more detection instances were generated for at least a threshold time period.   ([0037]  the Network Traffic Collection component 200 aggregates packet statistics over time intervals (Threshold time period).)
Regarding to claim 13, (Currently Amended) The method of claim 10,  the combination Lee and Paudice teaches claim 10.
Lee teaches further comprising: determining an efficacy of the detection algorithm (algorithm based at least on the efficacy.  ([0042] the level of confidence that the traffic truly represents an instance of the identified attack. While the ACE Engine 104 uses packet statistics to determine the appropriate ACE (efficacy), in some cases, the ACE (detection algorithm) recommendation determination (onboatding) can be augmented referencing the attack signature identifier and/or confidence score of the signature identifier (efficacy). Further, a human operator can use the attack signature information to confirm the choice of ACE (detection algorithm). [0066] In this way, the ACE Engine 104 can evaluate and select (onboard) optimal ACEs (based on efficacy of detection algorithm) in a device-agnostic way)  
Regarding to claim 14, (Currently Amended) The method of claim 13, the combination of Lee and Paudice teaches claim 10.
Lee teaches wherein said determining the efficacy of the detection algorithm comprises: obtaining a plurality of sampled detection instances associated with the detection algorithm; ([Abstract] The rules are generated by an ACE engine that processes incoming internet packets (obtain detection instances)  and examines existing ACEs (detection algorithm) and a statistical profile of the captured packets (detection instances)  to produce one or more recommended ACEs with a quantified measure of confidence) for each of the sampled detection instances, storing an indication whether the sampled detection instance is a true positive;  ([0042] The attack traffic profile contains statistics on the algorithm by determining a true positive rate based at least on the indications for the sampled detection instances.  ([0042] the level of confidence that the traffic truly represents an instance of the identified attack. While the ACE Engine 104 uses packet statistics to determine the appropriate ACE (efficacy), in some cases, the ACE (detection algorithm) recommendation determination can be augmented referencing the attack signature identifier and/or confidence score of the signature identifier (efficacy).
Regarding to claim 15, (Currently Amended) The method of claim 10, the combination of Lee and Paudice teach claim 10. 
Lee teach wherein the notification comprises a reason associated with the rejection of the detection algorithm.  ([0009] the recommended ACE may be tuned to block attack traffic that was not blocked by the already-deployed ACEs (put another way, to block leak-through attack traffic); [0019] [0119] Also at 710, the selected ACE(s) (after conversion to the desired form) are sent to a user interface in the SOC 106 for evaluation/deployment.  //Examiner remark: reason for notification is  because detection algorithms that failed to block leak-through, i.e. data leak from internal network to external, are sent to author of the algorithm to be tuned/modified)
Regarding to claim 19, (Currently Amended) The computer-readable memory of claim 16, Lee teaches further comprising: determining a volume of the plurality of detection algorithm;  ([0030] In a fully automated system, the ACE Engine 104 can directly inject  (automatically onboard) a recommended ACE (detection algorithm)  into the router or other data cleaning center equipment, preferably only if the recommend ACE score is above a threshold.) and in response to algorithm and
 transmitting a notification to an author of the detection algorithm.  ([0009] the recommended ACE may be tuned to block attack traffic that was not blocked by the already-deployed ACEs (put another way, to block leak-through attack traffic) //Examiner remark: an ACE/detection algorithms that failed to perform as intended is sent to author of the algorithm to be tuned/modified/edited/rejected)
Lee doesn’t explicitly teach determination that the volume is below a second threshold; determination that the volume is above a second threshold,
Paudice teaches determination that the volume is below a second threshold; determination that the volume is above a second threshold, ([page 337, Sec. IV, end of ¶] ..It is possible to discard many of these alerts because they are not potentially useful for the analysis of security incidents.   If the size of an obtained cluster is greater than a certain threshold (above a second threshold), then we filter out all the alerts (detection instances) belonging to the cluster. Examiner remark:  the inverse operation, evaluating a “volume  below a threshold” is automatically performed in evaluating” volume above threshold”.  Therefore, Paudice teaches a volume above and volume below threshold to filter detection instances.)
Therefore, it would have been obvious to a person having ordinary skills in the art, before the effective filing date of the claimed invention, to incorporate the teaching of Paudice to the teaching of Lee to improve discarding large volume of false-positive alerts/detection instances so security personnel focus on true-positive alerts, as taught Paudice.  The combining of the teachings would have yielded predictable results to one of ordinary skills in the art since Lee discusses detection instances having  volume statistics in relation to  detected algorithms. In other words, A volume of detection instances has correlation to a detection algorithm applied to the traffic being monitored.  Furthermore, a person having ordinary skills in the art would implement volume threshold comparison rules as formulated with the words "above" and "below", “within above and below” to produce the same result. Furthermore, A threshold by definition denotes values that are above and below a threshold.  Hence a value is checked whether it is outside an interval defined by two thresholds; above one threshold (or below the threshold for the inverse case.)

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20180004948 A1 – anomaly detection analysis using benign score and a 
US 10873467 B2 – Alarm filtering using a dynamically or statically configured threshold to manage the volume of alerts monitored in a network.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SOLOMON AREGA whose telephone number is (571)272-0122. The examiner can normally be reached on Monday - Friday from 8:30 AM to 5:00 PM (EDT).
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild, can be reached at telephone number (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

/SOLOMON AREGA/Examiner, Art Unit 2431     
                                                                                                                                                                                                                                                                                                                                                                    /LYNN D FEILD/Supervisory Patent Examiner, Art Unit 2431