Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
	This office action is in response to an amendment application received on 02/25/2021. In the amendment, applicant has amended independent claims 1 and 10. Claims 4, 6-9 and 14-17 remain cancelled. Claims 2-3, 5, 10-13 and 18-20 remain original.
	For this office action, claims 1-3, 5, 10-13 and 18-20 have been received for consideration and have been examined. 
Response to Arguments
Claim rejection under 35 U.S.C. § 103
	Applicant’s remarks in light of the amendments made to independent claims have been reviewed by the examiner, however, examiner does not find them to be persuasive. After reviewing, applicant’s remarks have been summarized as follows:
On page # 9-10 remarks recites 
“First, Smith’s moving of suspect email addresses from a blacklist to a whitelist does not meet the requirement of "de-associating a given IOC from the incident object by unlinking it from the incident object in an automated manner, and responsive to the unlinking, re-generating the incident response plan upon a determination that the given IOC is unrelated to the given data security incident.” An email address is not IOC, and a blacklist or whitelist is not an “incident object” data structure of the type positively recited. Even if a skilled person would to construe an incident object to be a blacklist, removing the email address from that list is not an “unlinking,” and of course the follow-on requirement of “re-generating the incident response plan” is not done in the email address updating provided by Smith’s system. In this regard, the Examiner is reminded that the clause “responsive to the unlinking” is the predicate “cause,” and the follow-on “re-generating the” incident response plan is the “effect.” This “cause-and-effect” relationship is dictated by the claim language, and it is not described by Smith’s simple email blacklist update process.”
Remarks on page # 10-11 recites
“Second, the amendments herein now recite “responsive to re-generating the incident response plan, programmatically initiate execution, in one or more computing entities in the enterprise network, of one or more tasks included in the re-generated incident response plan.” This element is not found in Carver [0050]. There, response strategies are developed by the system to address a particular security incident, but a particular strategy only includes “information (e.g., incident activity information 130) related to the identified security incident.” The information may be useful “for mitigating a security incident, including workflow steps to perform and/or infrastructure changes to implement in response to the incident.” This information, however, is not described in Carver as directly initiating execution (programmatically) of one or more other computing entities, let alone according to an incident response plan that has been re-generated in any way. Carver’s system outputs relevant mitigation information so that a “workflow” can be developed and implemented. This, however is not the notion of “responsive to re-generating the incident response plan, programmatically [initiating] execution, in one or more computing entities” of the “one or more tasks” identified in the plan itself.
In the “Response to Arguments” (Office action at pages 4-5), the Examiner points to teachings in Carver that describe the notion of “implementing the response strategy” possibly as an “automated response.” This teaching does not go as far as the claimed subject matter, however, which addresses the programmatic execution being carried out in a cause-and-effect manner with respect to a re-generated incident plan, a plan in which one or more tasks associated with a given IOC that is no longer correlated with the given security incident have been removed.”
On page # 11 remarks recite
“Third, Pidathala’s description of a classifier that is trained to classify “anomalous behaviors (IOCs)” does not necessarily meet the specific requirement regarding “common IOCs” or “common groupings of IOCs.” Rather, the classification just compares an IOC to a set of IOCs, but the notion of “commonality” of that IOC set is not also described or suggested. The “malware family identifiers” simply correspond to the IOCs themselves, but not “common” ones or “common groupings””.
On page # 11-12, remarks recite
“Fourth, the proposed motivation to combine Smith and Carver is insufficient to meet the Office’s burden to show that a skilled person would combine these teachings.”
Examiner’s Response 
	Regarding remark # 1, examiner respectfully disagrees with applicant’s argument that an email address is not IOC, and a blacklist or whitelist is not an “incident object” data structure of the type positively recite. Examiner would like to point out to applicant’s own disclosure mentions various IOC types and “Email Attachment, Email Attachment Name, Email Body, Email Recipient, Email Sender Address, Email Destination Address, Email Sender Name, Email Subject” are one of the IOC types (See [0047] of applicant’s own disclosure). 
Furthermore, examiner respectfully disagrees that “a blacklist or whitelist is not an “incident object” data structure of the type positively recite”. Examiner would again point to applicant’s own specification which clearly mentions that a Threat Intelligence Source (TIS) interface which is part of Incident Manager (IM) and consists of ‘blacklist’ of different sources such as IP addresses, domain name, malware hash and it is used by incident responders and/or the IMs to create, update, and augment the contents of indicators or compromise (See [0048], [0060], [0062-0064] of applicant’s own disclosure). Similarly, examiner does not agree with applicant that secondary reference of Smith does not disclose the concept of “unlinking” and “re-generating the incident response plan”. Examiner would request applicant to closely read Smith’s Abstract which clearly recites 
“Techniques are provided for blocking forgiveness in a system that mitigates distributed denial of service (DDoS) attacks on a network. A user's network address can be blocked as a result performing human behavior analysis on network resource request activity from the user's address. The system can block an address temporarily based on their behavior, classifying legitimate human users as a malicious attacker performing a DDoS attack. But subsequent behavioral analysis of network resource requests can identify that the user should not have been blocked. The system can automatically unblock the user's address, and allow further network resource requests”.
By looking at the abstract, one of the ordinary person skilled in the art would be motivated to take Smith’s teachings and incorporate them into Carver and modify the response [0047] “the additional data items requested in the subsequent cycle can lead to a recategorization of the user's address to the good address list”.
Therefore, examiner respectfully disagrees with applicant’s remark that examiner’s motivation is based on hindsight reconstruction using Applicant’s claim language. 
Regarding remark # 2, examiner has reviewed applicant’s amendments and remarks however, examiner does not find them persuasive and overcome the Smith reference. Examiner believe that Amended limitation “response to re-generating the incident response plan” is still taught by Smith through details mentioned in regards to remark # 1. Furthermore, examiner has reviewed primary reference of Carver in light of applicant’s remark that Carver does not disclose “programmatically initiate execution” and examiner notices that Carver extensively teaches automated incident response to address identified incident (See Carver’s Abstract and [0049] & [0051-0052]). Examiner would like to further note that claims are rejected under 35 U.S.C. § 103 obviousness guidance and therefore applicant should look for each claim element in all the cited references. 
Regarding remark # 3, examiner respectfully disagrees with applicant’s remark that Pidathala’s “anomalous behaviors (IOCs)” does not necessarily meet the specific requirement regarding “common IOCs” or “common groupings of IOCs”. Pidathala discloses monitoring and comparing IOCs with Advanced Persistent Threat (APT) family identifiers which is interpreted as common IOCs representing each of the APT families (See Col. 8, Line # 34-48; As stated above, each family identifier is a collection of samples of anomalous behaviors, also referred to herein as common indicators of compromise (“Common IOCs”). The Common IOCs may be selected based, at least in part, on the counts maintained for each type of anomalous behavior (IOC) that is associated with the APTs (or malware) forming a particular family (e.g., APT family, malware family, etc.). Therefore, if the IOCs associated with the suspect object statistically match any Common IOCs corresponding to the family identifiers, the run-time classifier 150 determines that the suspect object is part of that particular (APT or malware) family. Depending on the deployment for the run-time classifier, a number of actions may be undertaken by the electronic device when the IOCs statistically match any Common IOCs representing a family identifier). 
Regarding remark # 4, examiner respectfully disagrees that proposed motivation to combine primary and secondary references is insufficient to show that a skilled person would combine these teachings. In response to applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art.  See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007).  In this case, examiner would like to mention that examiner has not used so-called ‘parroting claim language’ in the motivational statement and instead used the language which is recited by Carver, Smith and Pidathala references because all these reference are analogous reference and comes from the same field of endeavor as disclosed in the instant application. 


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5, 10-13 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Carver et al., (US20150365438A1) in view of Smith et al., (US20160080413A1) and further in view of Pidathala et al., (US9747446B1).
Regarding claims 1, Carver discloses:
	A method for responding to data security incidents in an enterprise network, the method comprising:
See [0038] i.e. generating), in an incident manager (IM) application and in an automated manner, one or more incident objects for respective one or more data security incidents, wherein an incident object includes incident characteristic ([0037] A compromise can be identified (302); [0038] Data can be retrieved (304) from one or more relevant sources … Relevant data can be structured or unstructured, for example. The data can be analyzed by the indicator analytics server 208, for example, to generate one or more indicators of compromise; [0044] the indicator analytics server 208 can automatically determine which indicators to provide to the threat intelligence server 202);
creating, in the IM application, one or more indicators of compromise (IOC) and linking the one or more indicators of compromise to the incident object ([0038] The data can be analyzed by the indicator analytics server 208, for example, to generate one or more indicators of compromise; [0045] Indicators of compromise can be determined (318) for each component. Indicators of compromise (or actual security threat indicators) may be prioritized, for example, based at least in part on potential effectiveness in preventing or mitigating an associated threat; [0050] Based on one or more indicators of compromise associated with a particular security incident (e.g., a DDoS attack), for example, the incident can be identified and an appropriate response strategy (e.g., rerouting network traffic) can be selected (406));	determining tasks for the incident object, wherein one or more tasks are determined for the incident object based upon the incident characteristic of the incident object, and the one or more IOCs associated with the incident object ([0017] when the security and information analytics component 104 detects a known pattern of events (e.g., related to the insights 116, such as the existence of a file, an activity on an IP address, or another indicator or observable action), it can record an incident, can trigger one or more requests for responses and can provide the response requests to the defense component 106; [0040] Indicator matches can be identified (308) … Processes and/or modified objects that match, for example, may be identified as threat indicators);
for a given data security incident, generating an incident response plan (See [0016] i.e. appropriate plan of action may be generated), wherein the incident response plan includes the tasks based upon the incident characteristic of the incident object associated with the given data security incident, and includes any tasks based upon the one or more IOCs associated with the incident object ([0016] based on one or more indicators of compromise identified by the intelligence component 102, an appropriate plan of action may be generated, selected, and implemented to respond to a corresponding security threat; [0050] Based on one or more indicators of compromise associated with a particular security incident (e.g., a DDoS attack), for example, the incident can be identified and an appropriate response strategy (e.g., rerouting network traffic) can be selected (406), e.g., by the response selector 132);
and programmatically initiate execution (See [0004] i.e. automated response), in one or more computing entities in the enterprise network, of one or more tasks included in the re-generated incident response plan to respond to the given data security incident ([0004] The one or more courses of action can include workflow steps to be performed in response to the incident, and implementing the response strategy may include performing the workflow steps. The one or more courses of action can include infrastructure changes to be implemented in the computing network in response to the incident, and implementing the response strategy may include implementing the infrastructure changes. Implementing the response strategy as an automated response can include coordinating operations of one or more third party services. Implementing the response strategy as an automated response can include gathering data by a host agent and providing the data to a forensics repository. A notification may be communicated about the selected response strategy that includes a message that the response strategy has been implemented. The notification about the selected response strategy can include a description of the security incident and a decision prompt. An indication can be received that the response strategy is to be performed, and the response strategy may be implemented in response to receiving the indication. The notification about the selected response strategy can include a list of possible courses of action to be performed).
Carver explicitly discloses:
	wherein an event is a data security incident, wherein an indicator is an IOC; wherein an event object is an incident object; wherein a plan is an incident response plan ([0050] Based on one or more indicators of compromise associated with a particular security incident (e.g., a DDoS attack), for example, the incident can be identified and an appropriate response strategy (e.g., rerouting network traffic) can be selected (406), e.g., by the response selector 132).
Carver does not disclose:
de-associating a given indicator from the event object by unlinking it from the event object in an automated manner, and responsive to unlinking, re‐generating the plan upon a determination that the given indicator is unrelated to the given event.
However, Smith discloses:
	for the given event, and responsive to a determination that a given IOC is no longer correlated with the given data security incident ([0033] if requests coming from an address are deemed to not be of a malicious nature, for example that they are indicative of human behavior, the address can be placed on the good address list and removed from the block list if on the block list), 
de-associating (i.e. removing the email address from blacklist) the given indicator from the event object by unlinking it from the event object in an automated manner, and responsive to unlinking, re‐generating (i.e. placing the email address in a good address list) the plan upon a determination that the given indicator is unrelated to the given event ([0048] If a user's address is placed on a blacklist in one observation cycle, the address may be removed from the blacklist and placed on a good address list in a subsequent cycle if the user's requests are indicative of human, non-bot behavior. On a next observation cycle the HBA can notice that a particular source address was also trying to make some good requests too, and then that can cause the address to be removed from a blacklist and placed on a good address list; See FIG. 7; [0055] At block 730, the first request is classified as a bad request based on one or more properties of the first request; [0059] At block 760, the second request is classified as a good request based on one or more properties of the second request; [0062] Embodiments of blocking forgiveness can automate the reconciliation of false positives and increases a reliability in determining humans from bots). 
	One of the ordinary person skilled in the art before the effective filing date of the claimed invention would modify the reference of Carver and include a system, which is able to determine that change in the incident has occurred and based on that, update the response plan, as disclosed by Smith.
	The motivation to change the response plan in an automated manner is to enable the automated response system to create incident response plans in efficient manner when the incident occurs.
The combination of Carver and Smith fails to disclose:
	one or more common IOCs or common groupings of IOCs, wherein common IOCs or common groupings of IOCs are determined by comparing the IOCs associated with the incident object for the data security incident to IOCs associated with one or more incident objects for other data security incidents stored within the IM application.
However, Pidathala discloses:
	one or more common IOCs or common groupings of IOCs (i.e. anomalous behaviors (IOCs)), wherein common IOCs or common groupings of IOCs are determined by comparing the IOCs associated with the incident object for the data security incident to IOCs associated with one or more incident objects for other data security incidents stored within the IM application (Col. 3, Line # 63-67 – Col. 4, Line # 1-4; According to one embodiment of the disclosure, when deployed within an APT detection system, a run-time classifier is configured to initially determine whether anomalous behaviors (IOCs) monitored during virtual processing of a received suspect object within a virtual execution environment statistically matches any (non-APT) malware family identifiers. In other words, the monitored IOCs are compared to the Common IOCs associated with every malware family identifier).
	It would have been obvious to one of the ordinary person skilled in the art before the effective filing of the claimed invention to modify the references of Carver and Smith and rely on monitored indicators of compromise (IOCs) and compare them with common indicators of compromise, as disclosed by Pidathala. 
	The motivation to compare monitored IOCs with common IOCs is to analyze and confirm whether the suspect object is malicious object.
Regarding claims 2, the combination of Carver, Smith and Pidathala discloses:
The method of claim 1, wherein determining the tasks for the incident object based upon the one or more IOCs associated with the incident object comprises:
	identifying incident objects associated with the common IOCs or common groupings of IOCs as a set of correlated incident objects; determining whether there are any common incident characteristics among the set of correlated incident objects (Pidathala: See Col. 8, Line # 34-48; As stated above, each family identifier is a collection of samples of anomalous behaviors, also referred to herein as common indicators of compromise (“Common IOCs”). The Common IOCs may be selected based, at least in part, on the counts maintained for each type of anomalous behavior (IOC) that is associated with the APTs (or malware) forming a particular family (e.g., APT family, malware family, etc.). Therefore, if the IOCs associated with the suspect object statistically match any Common IOCs corresponding to the family identifiers, the run-time classifier 150 determines that the suspect object is part of that particular (APT or malware) family. Depending on the deployment for the run-time classifier, a number of actions may be undertaken by the electronic device when the IOCs statistically match any Common IOCs representing a family identifier); and
creating tasks based upon the common incident characteristics among the set of correlated incident objects (Carver: [0049] The security incident can be compared (404) with a predefined ontology. For example, the security information and analytics component 104 and/or the security orchestration services 142 can maintain an incident response ontology (e.g., a runbook that maps security threats to courses of action), and the system 100 can use one or more of the automated incident response components 108 to compare an identified incident to the ontology. Information related to mitigations (e.g., changes to a software defined networking topology) to be performed in response to a security threat or breach during an incident response process).
Regarding claim 3, the combination of Carver, Smith and Pidathala discloses:
The method of claim 2, wherein determining whether there are any common incident characteristics among the set of correlated incident objects comprises:
loading statistical analysis algorithm for analyzing the incident characteristics of the set of correlated incident objects; and executing the statistical analysis algorithm against the incident characteristics of the incident objects within the set of correlated incident objects (Carver: [0043] A composite credibility can be determined (314) for each process, based on the actions. For example, the indicator analytics server 208 can access a model that combines the credibility scores for the process actions to generate a composite credibility score (e.g., ranging from zero to one) for each process).
Regarding claim 5, the combination of Carver, Smith & Pidathala discloses:
	The method of claim 1, further comprising:
sending a message to the IM application, the message having been generated by a Security Information and Event Manager (SIEM) of the enterprise network and including the incident characteristic of the incident object and the one or more IOCs associated with the incident object (Carver: [0017] the security information and analytics component 104 may be supported by security information and event management (SIEM), analytics, and visualization capabilities); and
creating, by the IM application, the incident object, the incident characteristics of the incident object, and the one or more IOCs associated with the incident object in response to receiving the message (Carver: [0017] Based on the insights 116, for example, the security and information analytics component 104 can modify its threat monitoring process. For example, when the security and information analytics component 104 detects a known pattern of events (e.g., related to the insights 116, such as the existence of a file, an activity on an IP address, or another indicator or observable action), it can record an incident, can trigger one or more requests for responses and can provide the response requests to the defense component 106. Response requests may include incident activity information 130).
Regarding claim 10, Carver discloses:

an incident manager (IM) application executed on the hardware processor that creates, in an automated manner, one or more incident objects for one or more respective data security incidents, wherein an incident object includes an incident characteristic, and that creates one or more indicators of compromise (IOC) and links them to the incident object ([0037] A compromise can be identified (302); [0038] Data can be retrieved (304) from one or more relevant sources … Relevant data can be structured or unstructured, for example. The data can be analyzed by the indicator analytics server 208, for example, to generate one or more indicators of compromise; [0044] the indicator analytics server 208 can automatically determine which indicators to provide to the threat intelligence server 202); and 
a rules engine of the IM application that ([0018] the defense component 106 may be supported by orchestration services 140 (e.g., including security orchestration services 142 and/or infrastructure orchestration services 144), which can set policies and can automate threat management workflows): 
creates one or more tasks for the incident object based upon the incident characteristic of the incident object ([0038] The data can be analyzed by the indicator analytics server 208, for example, to generate one or more indicators of compromise; [0045] Indicators of compromise can be determined (318) for each component. Indicators of compromise (or actual security threat indicators) may be prioritized, for example, based at least in part on potential effectiveness in preventing or mitigating an associated threat; [0050] Based on one or more indicators of compromise associated with a particular security incident (e.g., a DDoS attack), for example, the incident can be identified and an appropriate response strategy (e.g., rerouting network traffic) can be selected (406)); 
determining tasks for the incident object, wherein one or more tasks are determined for the incident object based upon the incident characteristic of the incident object, and the one or more IOCs associated with the incident object ([0017] when the security and information analytics component 104 detects a known pattern of events (e.g., related to the insights 116, such as the existence of a file, an activity on an IP address, or another indicator or observable action), it can record an incident, can trigger one or more requests for responses and can provide the response requests to the defense component 106; [0040] Indicator matches can be identified (308) … Processes and/or modified objects that match, for example, may be identified as threat indicators);
for a given data security incident, generating an incident response plan (See [0050] i.e. appropriate plan of action may be generated), wherein the incident response plan includes the tasks based upon the incident characteristic of the incident object associated with the given data security incident, and includes any tasks based upon the one or more IOCs associated with the incident object ([0016] based on one or more indicators of compromise identified by the intelligence component 102, an appropriate plan of action may be generated, selected, and implemented to respond to a corresponding security threat; [0050] Based on one or more indicators of compromise associated with a particular security incident (e.g., a DDoS attack), for example, the incident can be identified and an appropriate response strategy (e.g., rerouting network traffic) can be selected (406), e.g., by the response selector 132);
See [0004] i.e. automated response), in one or more computing entities in the enterprise network, of one or more tasks included in the re-generated incident response plan to respond to the given data security incident ([0004] The one or more courses of action can include workflow steps to be performed in response to the incident, and implementing the response strategy may include performing the workflow steps. The one or more courses of action can include infrastructure changes to be implemented in the computing network in response to the incident, and implementing the response strategy may include implementing the infrastructure changes. Implementing the response strategy as an automated response can include coordinating operations of one or more third party services. Implementing the response strategy as an automated response can include gathering data by a host agent and providing the data to a forensics repository. A notification may be communicated about the selected response strategy that includes a message that the response strategy has been implemented. The notification about the selected response strategy can include a description of the security incident and a decision prompt. An indication can be received that the response strategy is to be performed, and the response strategy may be implemented in response to receiving the indication. The notification about the selected response strategy can include a list of possible courses of action to be performed).
Carver explicitly discloses:
wherein an event is a data security incident, wherein an indicator is an IOC; wherein an event object is an incident object; wherein a plan is an incident response plan ([0050] Based on one or more indicators of compromise associated with a particular security incident (e.g., a DDoS attack), for example, the incident can be identified and an appropriate response strategy (e.g., rerouting network traffic) can be selected (406), e.g., by the response selector 132).
Carver does not disclose:
for the given event, and responsive to a determination that a given IOC is no longer correlated with the given data security incident, de-associating a given indicator from the event object by unlinking it from the event object in an automated manner, and responsive to unlinking, re‐generating the plan upon a determination that the given indicator is unrelated to the given event.
However, Smith discloses:
for the given event, and responsive to a determination that a given IOC is no longer correlated with the given data security incident ([0033] if requests coming from an address are deemed to not be of a malicious nature, for example that they are indicative of human behavior, the address can be placed on the good address list and removed from the block list if on the block list), 
de-associating (i.e. removing the email address from blacklist) the given indicator from the event object by unlinking it from the event object in an automated manner, and responsive to unlinking, re‐generating (i.e. placing the email address in a good address list) the plan upon a determination that the given indicator is unrelated to the given event ([0048] If a user's address is placed on a blacklist in one observation cycle, the address may be removed from the blacklist and placed on a good address list in a subsequent cycle if the user's requests are indicative of human, non-bot behavior. On a next observation cycle the HBA can notice that a particular source address was also trying to make some good requests too, and then that can cause the address to be removed from a blacklist and placed on a good address list; See FIG. 7; [0055] At block 730, the first request is classified as a bad request based on one or more properties of the first request; [0059] At block 760, the second request is classified as a good request based on one or more properties of the second request; [0062] Embodiments of blocking forgiveness can automate the reconciliation of false positives and increases a reliability in determining humans from bots). 
One of the ordinary person skilled in the art before the effective filing date of the claimed invention would modify the reference of Carver and include a system, which is able to determine that change in the incident has occurred and based on that, update the response plan, as disclosed by Smith.
The motivation to change the response plan in an automated manner is to enable the automated response system to create incident response plans in efficient manner when the incident occurs.
The combination of Carver and Smith fails to disclose:
one or more common IOCs or common groupings of IOCs, wherein common IOCs or common groupings of IOCs are determined by comparing the IOCs associated with the incident object for the data security incident to IOCs associated with one or more incident objects for other data security incidents stored within the IM application.
However, Pidathala discloses:
i.e. anomalous behaviors (IOCs)), wherein common IOCs or common groupings of IOCs are determined by comparing the IOCs associated with the incident object for the data security incident to IOCs associated with one or more incident objects for other data security incidents stored within the IM application (Col. 3, Line # 63-67 – Col. 4, Line # 1-4; According to one embodiment of the disclosure, when deployed within an APT detection system, a run-time classifier is configured to initially determine whether anomalous behaviors (IOCs) monitored during virtual processing of a received suspect object within a virtual execution environment statistically matches any (non-APT) malware family identifiers. In other words, the monitored IOCs are compared to the Common IOCs associated with every malware family identifier).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing of the claimed invention to modify the references of Carver and Smith and rely on monitored indicators of compromise (IOCs) and compare them with common indicators of compromise, as disclosed by Pidathala. 
The motivation to compare monitored IOCs with common IOCs is to analyze and confirm whether the suspect object is malicious object.
Regarding claims 11, the combination of Carver, Smith & Pidathala discloses:
The system of claim 10, wherein the IM application further comprises an inference engine that: 
Identifies incident objects associated with the common IOCs or common groupings of IOCs as a set of correlated incident objects; determining whether there are any Pidathala: See Col. 8, Line # 34-48; As stated above, each family identifier is a collection of samples of anomalous behaviors, also referred to herein as common indicators of compromise (“Common IOCs”). The Common IOCs may be selected based, at least in part, on the counts maintained for each type of anomalous behavior (IOC) that is associated with the APTs (or malware) forming a particular family (e.g., APT family, malware family, etc.). Therefore, if the IOCs associated with the suspect object statistically match any Common IOCs corresponding to the family identifiers, the run-time classifier 150 determines that the suspect object is part of that particular (APT or malware) family. Depending on the deployment for the run-time classifier, a number of actions may be undertaken by the electronic device when the IOCs statistically match any Common IOCs representing a family identifier); and
sends the common incident characteristics to the rules engine, wherein the rules engine determines the tasks for each incident object based upon the one or more IOCs associated with each incident object in response to receiving the common incident characteristics from the inference engine (Carver: [0018] the defense component 106 may be supported by orchestration services 140 (e.g., including security orchestration services 142 and/or infrastructure orchestration services 144), which can set policies and can automate threat management workflows; [0049] The security incident can be compared (404) with a predefined ontology. For example, the security information and analytics component 104 and/or the security orchestration services 142 can maintain an incident response ontology (e.g., a runbook that maps security threats to courses of action), and the system 100 can use one or more of the automated incident response components 108 to compare an identified incident to the ontology. Information related to mitigations (e.g., changes to a software defined networking topology) to be performed in response to a security threat or breach during an incident response process).
Regarding claims 12, the combination of Carver, Smith & Pidathala discloses:
The system of claim 10, wherein the IM application includes a statistical analysis algorithm, and wherein the inference engine downloads the statistical analysis algorithm from the IM application and applies the statistical analysis algorithm to the set of correlated incident objects to determine whether there are any common incident characteristics among the set of correlated incident objects (Carver: [0043] A composite credibility can be determined (314) for each process, based on the actions. For example, the indicator analytics server 208 can access a model that combines the credibility scores for the process actions to generate a composite credibility score (e.g., ranging from zero to one) for each process).
Regarding claims 13, the combination of Carver, Smith & Pidathala discloses:
The system of claim 10, further comprising a Security Information and Event Manager (SIEM) that includes the incident characteristics of the incident object and the one or more IOCs associated with the incident object within a message, and sends the message to the IM application (Carver: [0017] the security information and analytics component 104 may be supported by security information and event management (SIEM), analytics, and visualization capabilities), and wherein the IM application creates the incident object, the incident characteristic of the incident object, and the IOCs associated with the incident object in Carver: [0017] Based on the insights 116, for example, the security and information analytics component 104 can modify its threat monitoring process. For example, when the security and information analytics component 104 detects a known pattern of events (e.g., related to the insights 116, such as the existence of a file, an activity on an IP address, or another indicator or observable action), it can record an incident, can trigger one or more requests for responses and can provide the response requests to the defense component 106. Response requests may include incident activity information 130).
Regarding claim 18, the combination of Carver, Smith & Pidathala discloses:
The system of claim 10, wherein types of the IOCs associated with the incident object include Internet Protocol (IP) addresses, hashes associated with malware, domain names, names of files, user accounts, registry keys, email addresses, and or protocol port numbers (Carver: [0004]).
Regarding claim 19, the combination of Carver, Smith & Pidathala discloses:
The system of claim 10, wherein the incident characteristic included within the incident object include an incident type, data compromise status information, data exposure status information, and time/date of incident occurrence (Carver: [0036]).
Regarding claim 20, the combination of Carver, Smith & Pidathala discloses:
The system of claim 10, wherein the IM receives updates to the tasks from a security analyst, and updates the incident response plans for the data security incidents to include the updated tasks from the security analyst (Carver: [0051]).


Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018.  The examiner can normally be reached on 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffery L. Nickerson can be reached on 469-295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.




/S.M.A./             Patent Examiner, Art Unit 2432                                                                                                                                                                                           
/SYED A ZAIDI/             Primary Examiner, Art Unit 2432