DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claims 1-20 are presented for examination.

Claim Objections
Claims 1, 2, 7, 10, 11, 16, and 19 are objected to because of the following informalities:  
In claim 1, line 15: “a score for an entity” is unclear if it relates to “a score for an entity” (claim 1, line 13);
In claim 2, line 4: “events for performed” should read –events performed–;
In claim 2, line 7: “attack tree are” should read –attack tree that are–;
In claim 7, line 4: “an entity” is unclear if it relates to “an entity” (claim 1, line 6);
In claim 10, line 16: “a score for an entity” is unclear if it relates to “a score for an entity” (claim 10, line 14);
In claim 11, line 4: “events for performed” should read –events performed–;
In claim 11, line 6: “attack tree are” should read –attack tree that are–;
In claim 16, line 18: “a score for an entity” is unclear if it relates to “a score for an entity” (claim 15, line 16);
In claim 16, line 4: “events for performed” should read –events performed–;
In claim 16, line 7: “attack tree are” should read –attack tree that are–;
In claim 19, line 4: “an entity” is unclear if it relates to “an entity” (claim 15, line 16);

Appropriate correction is required.

Drawings
The drawings are objected to because In Figure 2, element 203: “PRE-CONFIGURE IP ADDRESS IN ENTERPRISE ENVIRONEMTN RANGE” should read – PRE-CONFIGURE IP ADDRESS IN ENTERPRISE ENVIRONMENT RANGE–.
Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.


Claim Rejections - 35 USC § 101
It is noted that the specification has specified that a computer readable storage medium is not to be construed as being transitory signals per se (see specification [0105]).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1, 4, 7, 10, 15, and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nenov (US Patent 9,692,784 B1) in view of Fujishima et al. (US 2014/0115663 A1 and Fujishima hereinafter), and further in view of Shulman et al. (US 2007/0214503 A1 and Shulman hereinafter).
As to claim 1, Nenov discloses a system and method for security appliance, the system and method having:
identifying, by one or more processors, events in a target environment that are associated with an indication of a security attack on the target environment (col. 4, lines 59-67); 
composing, by one or more processors, security monitoring rules based on the identified events and relating to an entity identifier that is fixed over a period of time in relation to an entity in the target environment (col. 4, lines 59-67; col. 5, lines 1-11); 
weighting, by one or more processors, the security monitoring rules according to a probability that the rule positively identifies the security attack (col. 6, lines 9-20).
Nenov fails to specifically disclose:
correlating, by one or more processors, outputs of multiple activated rules relating to an entity identifier that are activated over time in response to events occurring in the target environment; 
aggregating, by one or more processors, weightings from the multiple activated rules; 
determining, by one or more processors, a score for an entity relating to the entity identifier based on the aggregated weightings; 
providing, by one or more processors, an alert in response to a score for an entity meeting a threshold. 
Nonetheless, these features are well known in the art and would have been an obvious modification of the teachings disclosed by Nenov, as taught by Fujishima.
Fujishima discloses a system and method for detecting unauthorized access and network monitoring, the system and method having:
aggregating, by one or more processors, weightings from the multiple activated rules (0150, lines 2-5); 
determining, by one or more processors, a score for an entity relating to the entity identifier based on the aggregated weightings (0150, lines 2-5); 
providing, by one or more processors, an alert in response to a score for an entity meeting a threshold (0150, lines 6-8; 0153-0156). 
Given the teaching of Fujishima, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Nenov with the teachings of Fujishima by alerting in response to a score that is based on aggregated weightings of rules meeting a threshold. Fujishima recites motivation by disclosing that transmitting a warning according to weights of conditions provides the notification of the possibility of an attack, thus providing security to a system (0153). It is obvious that the teachings of Fujishima would have improved the teachings of Nenov by alerting in response to an aggregated weight based score in order to provide notification of an attack.

Nenov in view of Fujishima fails to specifically disclose:

correlating, by one or more processors, outputs of multiple activated rules relating to an entity identifier that are activated over time in response to events occurring in the target environment. 
Nonetheless, these features are well known in the art and would have been an obvious modification of the teachings disclosed by Nenov in view of Fujishima, as taught by Shulman.
Shulman discloses a system and method having a correlation engine for detecting network attacks, the system and method having:
correlating, by one or more processors, outputs of multiple activated rules relating to an entity identifier that are activated over time in response to events occurring in the target environment (0029, lines 1-2; 0032, lines 1-6; 0033, lines 1-5). 


As to claim 10, Nenov discloses:

one or more computer readable storage media and program instructions stored on the one or more computer readable storage media, the program instructions comprising (col. 20, lines 1-6): 
program instructions to identify events in a target environment that are associated with an indication of a security attack on the target environment (col. 4, lines 59-67); 
program instructions to compose security monitoring rules based on the identified events and relating to an entity identifier that is fixed over a period of time in relation to an entity in the target environment (col. 4, lines 59-67; col. 5, lines 1-11); 
program instructions to weight the security monitoring rules according to a probability that the rule positively identifies the security attack (col. 6, lines 9-20).
Nenov fails to specifically disclose:
program instructions to correlate outputs of multiple activated rules relating to an entity identifier that are activated over time in response to events occurring in the target environment; 
program instructions to aggregate weightings from the multiple activated rules; 
program instructions to determine a score for an entity relating to the entity identifier based on the aggregated weightings; 
program instructions to provide an alert in response to a score for an entity meeting a threshold. 
Nonetheless, these features are well known in the art and would have been an obvious modification of the teachings disclosed by Nenov, as taught by Fujishima.
Fujishima discloses:
program instructions to aggregate weightings from the multiple activated rules (0150, lines 2-5); 
program instructions to determine a score for an entity relating to the entity identifier based on the aggregated weightings (0150, lines 2-5); 
program instructions to provide an alert in response to a score for an entity meeting a threshold (0150, lines 6-8; 0153-0156). 
Given the teaching of Fujishima, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Nenov with the teachings of Fujishima by alerting in response to a score that is based on aggregated weightings of rules meeting a threshold. Please refer to the motivation recited above with respect to claim 1 as to why it is obvious to apply the teachings of Fujishima to the teachings of Nenov.

Nenov in view of Fujishima fails to specifically disclose:

program instructions to correlate outputs of multiple activated rules relating to an entity identifier that are activated over time in response to events occurring in the target environment. 

Shulman discloses:
program instructions to correlate outputs of multiple activated rules relating to an entity identifier that are activated over time in response to events occurring in the target environment (0029, lines 1-2; 0032, lines 1-6; 0033, lines 1-5). 
Given the teaching of Shulman, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Nenov in view of Fujishima with the teachings of Shulman by correlating outputs of activated rules over time. Please refer to the motivation recited above with respect to claim 1 as to why it is obvious to apply the teachings of Shulman to the teachings of Nenov in view of Fujishima. 

As to claim 15, Nenov discloses:
one or more computer processors (col. 19, lines 48-50); 
one or more computer readable storage media (col. 20, lines 1-6); 
program instructions stored on the computer readable storage media for execution by at least one of the one or more processors, the program instructions comprising (col. 20, lines 1-6): 
program instructions to identify events in a target environment that are associated with an indication of a security attack on the target environment (col. 4, lines 59-67); 
program instructions to compose security monitoring rules based on the identified events and relating to an entity identifier that is fixed over a period of time in relation to an entity in the target environment (col. 4, lines 59-67; col. 5, lines 1-11); 
program instructions to weight the security monitoring rules according to a probability that the rule positively identifies the security attack (col. 6, lines 9-20). 
Nenov fails to specifically disclose:
program instructions to correlate outputs of multiple activated rules relating to an entity identifier that are activated over time in response to events occurring in the target environment; 
program instructions to aggregate weightings from the multiple activated rules; 
program instructions to determine a score for an entity relating to the entity identifier based on the aggregated weightings; 
program instructions to provide an alert in response to a score for an entity meeting a threshold. 
Nonetheless, these features are well known in the art and would have been an obvious modification of the teachings disclosed by Nenov, as taught by Fujishima.
Fujishima discloses:
program instructions to aggregate weightings from the multiple activated rules (0150, lines 2-5); 
program instructions to determine a score for an entity relating to the entity identifier based on the aggregated weightings (0150, lines 2-5); 
program instructions to provide an alert in response to a score for an entity meeting a threshold (0150, lines 6-8; 0153-0156). 
Given the teaching of Fujishima, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Nenov with the teachings of Fujishima by alerting in response to a score that is based on 

Nenov in view of Fujishima fails to specifically disclose:

program instructions to correlate outputs of multiple activated rules relating to an entity identifier that are activated over time in response to events occurring in the target environment. 
Nonetheless, these features are well known in the art and would have been an obvious modification of the teachings disclosed by Nenov in view of Fujishima, as taught by Shulman.
Shulman discloses:
program instructions to correlate outputs of multiple activated rules relating to an entity identifier that are activated over time in response to events occurring in the target environment (0029, lines 1-2; 0032, lines 1-6; 0033, lines 1-5). 
Given the teaching of Shulman, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Nenov in view of Fujishima with the teachings of Shulman by correlating outputs of activated rules over time. Please refer to the motivation recited above with respect to claim 1 as to why it is obvious to apply the teachings of Shulman to the teachings of Nenov in view of Fujishima. 

As to claim 4, Nenov discloses:
wherein the identified events are based on a combination of essential features in the security attack (attack vectors) (col. 4, lines 59-67). 

As to claims 7 and 19, Nenov discloses:
wherein an entity relates to an asset or person in the target environment and the entity identifier is one or more of: an Internet Protocol address, hostname, user name, media access control (MAC) address, or other entity identifier that is fixed over a period of time in relation to an entity (col. 7, lines 50-52; col. 9, lines 56-59). 

Claims 2, 11, and 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nenov in view of Fujishima and Shulman as applied to claims 1, 10, and 15 above, and further in view of Leiderfarb et al. (US 2017/0171230 A1 and Leiderfarb hereinafter).
As to claims 2, 11, and 16, Nenov in view of Fujishima and Shulman fails to specifically disclose:
defining, by one or more processors, an attack tree that includes events for performed on the target environment, wherein the attack tree defines paths of possible events in the security attack; 
selecting, by one or more processors, features of the attack tree are associated with the indication of the security attack on the target environment. 
Nonetheless, these features are well known in the art and would have been an obvious modification of the teachings disclosed by Nenov in view of Fujishima and Shulman, as taught by Leiderfarb.
Leiderfarb discloses a system and method for detecting and remediating polymorphic attacks across an enterprise, the system and method having:
defining, by one or more processors, an attack tree that includes events for performed on the target environment, wherein the attack tree defines paths of possible events in the security attack (0007, lines 3-9); 
selecting, by one or more processors, features of the attack tree are associated with the indication of the security attack on the target environment (0010, lines 1-4). 
.

Claims 5, 6, 8, 13, 14, 18, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nenov in view of Fujishima and Shulman as applied to claims 1, 10, and 15 above, and further in view of Mashevsky et al. (US 2011/0083180 A1 and Mashevsky hereinafter).
As to claims 5, 13, and 18, Nenov in view of Fujishima and Shulman fails to specifically disclose:
wherein weighting the security monitoring rules according to the probability that the rule positively identifies the security attack is based on an initial configuration with re-adjustment of weightings based on testing and analysis of security incidents in the target environment. 
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Nenov in view of Fujishima and Shulman, as taught by Mashevsky.
Mashevsky discloses a system and method for detection of previously unknown malware, the system and method having:
wherein weighting the security monitoring rules according to the probability that the rule positively identifies the security attack is based on an initial configuration with re-adjustment of weightings based on testing and analysis of security incidents in the target environment (0053, lines 1-7). 

Given the teaching of Mashevsky, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Nenov in view of Fujishima and Shulman with the teachings of Mashevsky by readjusting weightings based on testing and analysis incidents. Mashevsky recites motivation by disclosing that adjusting weightings based on testing of various criteria allows for the analysis of a level of danger and significance, providing a more accurate indication of malicious activity (0049-0051). It is obvious that the teachings of Mashevsky would have improved the teachings of Nenov in view of Fujishima and Shulman by adjusting weightings based on testing in order to provide a more accurate indication of malicious activity.

As to claim 6, Nenov discloses:

dynamically recalculating, by one or more processors, risk correlation scores further based on security incidents and corresponding re-adjustment of rule weightings (Figure 3A).
Mashevsky also discloses:
 dynamically recalculating, by one or more processors, risk correlation scores further based on security incidents and corresponding re-adjustment of rule weightings (0053, lines 1-7).
Given the teaching of Mashevsky, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Nenov in view of Fujishima and Shulman with the teachings of Mashevsky by dynamically recalculating risk correlation scores. Please refer to the motivation recited above with respect to claim 5 as to why it is obvious to apply the teachings of Mashevsky to the teachings of Nenov in view of Fujishima and Shulman.


producing, by one or more processors, an updated risk correlation score record in response to a rule activation. 
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Nenov in view of Fujishima and Shulman, as taught by Mashevsky.
Mashevsky discloses:
producing, by one or more processors, an updated risk correlation score record in response to a rule activation (0085, lines 2-6; 0086, lines 1-2; 0100, lines 1-8).
Given the teaching of Mashevsky, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Nenov in view of Fujishima and Shulman with the teachings of Mashevsky producing an updated risk correlation score. Please refer to the motivation recited above with respect to claim 5 as to why it is obvious to apply the teachings of Mashevsky to the teachings of Nenov in view of Fujishima and Shulman.

Claim 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nenov in view of Fujishima and Shulman as applied to claim 1 above, and further in view of Boteler et al. (US 2011/0185419 A1 and Boteler hereinafter).
As to claim 9, Nenov in view of Fujishima and Shulman fails to specifically disclose:
aggregating, by one or more processors, weightings from the multiple activated rules utilizing a sliding window of a period of time. 
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Nenov in view of Fujishima and Shulman, as taught by Boteler.
Boteler discloses a system and method for detecting SSH login attacks, the system and method having:
aggregating, by one or more processors, weightings from the multiple activated rules utilizing a sliding window of a period of time (0090, lines 2-14; 0094, lines 2-11; 0099, lines 1-8; 0100, lines 1-9; 0101, lines 1-3; Figure 2). 
Given the teaching of Boteler, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Nenov in view of Fujishima and Shulman with the teachings of Boteler by aggregating weightings using a sliding period of time. Boteler recites motivation by disclosing that using particular successive time periods to detect events offers another level of sophistication to be able to ignore lower level attacks (0091). It is obvious that the teachings of Boteler would have improved the teachings of Nenov in view of Fujishima and Shulman by aggregating weightings from rules using a sliding period of time in order to provide another level of sophistication in attack detection.
	

Allowable Subject Matter
Claims 3, 12, and 17 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Prior Art Made of Record
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Almukaynizi et al. (US 2020/0036743 A1) discloses a system and method for predicting the likelihood of cyber-threats leveraging intelligence associated with hacker communities.
Bernoth et al. (US Patent 7,937,353 B2) discloses a system and method for determining whether to alter a firewall configuration.
Chester (US 2016/0285861 A1) discloses a system and method for authenticating the legitimacy of a request for a resource by a user.
Choi et al. (US 2015/0058993 A1) discloses a system and method for discovering optimal network attack paths.
El-Moussa et al. (US 2020/0228544 A1) discloses a system and method for malicious host detection.
Hebert et al. (US 2016/0099953 A1) discloses a system and method for application attack monitoring.
Koottayi et al. (US 2018/0288063 A1) discloses a system and method for mechanisms for anomaly detection and access management.
Lam et al. (US 2018/0176254 A1) discloses a system and method for compliance monitoring.
Milazzo et al. (US 2020/0186569 A1) discloses a system and method for security rule generation based on cognitive and industry analysis.
Pal et al. (US 2017/0171225 A1) discloses a system and method for modeling all operations and executions of an attack and malicious process entry.
Reynolds, II et al. (US 2016/0182561 A1) discloses a system and method for route monitoring.
Sanchez et al. (US 2020/0327223 A1) discloses a system and method for affectedness scoring engine for cyber threat intelligence services.
Seki et al. (US 2021/0044607 A1) discloses a system and method for monitoring.
Singla (US 2014/0165200 A1) discloses a system and method for distributed rule-based correlation of events.
Sirianni et al. (US 2020/0374298 A1) discloses a system and method for malware detection and mitigation.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SARAH SU whose telephone number is (571)270-3835.  The examiner can normally be reached on 7:30 AM - 4:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SARAH SU/Primary Examiner, Art Unit 2431