DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Examiner’s Amendment

Authorization for the Examiner’s Amendment was given in an interview with the Applicant’s representative, Stephen A. Terrile (Reg. No. 32,946), on May 27, 2021.
Claims 1, 5, 7, 11, 13, and 17 have been amended by the Applicant.  Claims 4, 6, 10, 12, 16, and 18 have been canceled by the Applicant.  The following Examiner’s amendment is listed below:
Claims

1.	(Currently Amended)  A computer-implementable method for revising a security policy, comprising:  
detecting an event associated with an entity, the detecting being performed by a protected endpoint, the protected endpoint comprising an endpoint agent executing on an endpoint device;
providing information relating to the event to a security policy, the security policy comprising a rule;
determining whether the security policy is violated by the event;
generating a response when the security policy is violated by the event; [[and,]] 
remediating the security policy to reduce false positive responses generated by the security policy, a false positive response being a response comprising an incorrect indication that the security policy has been violated, the false positive response being generated as a result of defined bounds of the rule being met or exceeded as a result of occurrence of at least one of a legitimate event and enactment of a legitimate behavior, the remediating revising the rule to provide a revised rule;
performing a risk-adaptive analysis when revising the rule, the risk-adaptive analysis using a plurality of risk-adaptive behavior factors when performing the risk-adaptive analysis, the plurality of risk-adaptive behavior factors comprising a user profile attribute, a user behavior factor and a user mindset factor; and,
adaptively evolving a risk-adaptive security policy based upon the risk-adaptive analysis, the risk-adaptive security policy comprising a security policy implemented to detect whether the security policy is generating an undesirable number of false positives and to be remediated to lower the number of false positives when the security policy is generating the undesirable number of false positives.
4.	(Canceled) 

5.	(Currently Amended)  The method of claim [[4]] 1, further comprising:
updating the security policy using the revised rule.

6.	(Canceled) 

7.	(Currently Amended)  A system comprising:  
a processor;  
a data bus coupled to the processor; and 
a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor and configured for: 
detecting an event associated with an entity, the detecting being performed by a protected endpoint, the protected endpoint comprising an endpoint agent executing on an endpoint device;
providing information relating to the event to a security policy, the security policy comprising a rule;
determining whether the security policy is violated by the event;
generating a response when the security policy is violated by the event; [[and,]] 
remediating the security policy to reduce false positive responses generated by the security policy, a false positive response being a response comprising an incorrect indication that the security policy has been violated, the false positive response being generated as a result of defined bounds of the rule being met or exceeded as a result of occurrence of at least one of a legitimate event and enactment of a legitimate behavior, the remediating revising the rule to provide a revised rule;
performing a risk-adaptive analysis when revising the rule, the risk-adaptive analysis using a plurality of risk-adaptive behavior factors when performing the risk-adaptive analysis, the plurality of risk-adaptive behavior factors comprising a user profile attribute, a user behavior factor and a user mindset factor; and,
adaptively evolving a risk-adaptive security policy based upon the risk-adaptive analysis, the risk-adaptive security policy comprising a security policy implemented to detect whether the security policy is generating an undesirable number of false positives and to be remediated to lower the number of false positives when the security policy is generating the undesirable number of false positives.
10.	(Canceled) 

11.	(Currently Amended)  The system of claim [[10]] 7, wherein the instructions executable by the processor are further configured for:  
updating the security policy using the revised rule.

12.	(Canceled) 

13.	(Currently Amended)  A non-transitory, computer-readable storage medium embodying computer program code, the computer program code comprising computer executable instructions configured for:  
detecting an event associated with an entity, the detecting being performed by a protected endpoint, the protected endpoint comprising an endpoint agent executing on an endpoint device;
providing information relating to the event to a security policy, the security policy comprising a rule;
determining whether the security policy is violated by the event;
generating a response when the security policy is violated by the event; [[and,]] 
remediating the security policy to reduce false positive responses generated by the security policy, a false positive response being a response comprising an incorrect indication that the security policy has been violated, the false positive response being generated as a result of defined bounds of the rule being met or exceeded as a result of occurrence of at least one of a legitimate event and enactment of a legitimate behavior, the remediating revising the rule to provide a revised rule;
performing a risk-adaptive analysis when revising the rule, the risk-adaptive analysis using a plurality of risk-adaptive behavior factors when performing the risk-adaptive analysis, the plurality of risk-adaptive behavior factors comprising a user profile attribute, a user behavior factor and a user mindset factor; and,
adaptively evolving a risk-adaptive security policy based upon the risk-adaptive analysis, the risk-adaptive security policy comprising a security policy implemented to detect whether the security policy is generating an undesirable number of false positives and to be remediated to lower the number of false positives when the security policy is generating the undesirable number of false positives.
16.	(Canceled) 
17.	(Currently Amended)  The non-transitory, computer-readable storage medium of claim [[16]] 13, wherein the computer executable instructions are further configured for:  
updating the security policy using the revised rule.
18.	(Canceled) 
Reasons for Allowance
Claims 1-3, 5, 7-9, 11, 13-15, 17, and 19-20 are allowable.

The following is an Examiner’s statement of reasons for allowance:
The present invention is directed to a system and method for revising a security policy, comprising detecting an event associated with an entity; providing information relating to the event to a security policy; determining whether the security policy is violated by the event; generating a response when the security policy is violated by the event; and, remediating the security policy to reduce false positive responses generated by the security policy.


The prior art of Hutson et al. (2008/0168453) discloses that security and/or monitoring software and devices may communicate with the system to indicate when a software or security policy is violated.  A software or security policy may represent a rule or communication standard observed by an organization.  Consequently, a violation of a software or security policy may indicate that improper behavior has occurred within an organization and/or between the organization and others.  An organization may have a rule that social security numbers are not communicated electronically.  Hutson discloses that, to enforce this rule, the organization may provide its security and/or monitoring software and devices with a software or security policy that looks for any condition where nine numbers are found within eleven contiguous spaces.  Hutson discloses that such a software or security policy may generate a large number of false positives, because phone numbers provided in electronic communications are flagged as work tasks that require further review and potentially investigation.
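The rule Hutson is described as disclosing, and its remediation, as an added example (this is not code from the office action, the application under examination, or Hutson et al.): the naive nine-digits-in-eleven-characters rule fires on phone numbers, a revised rule that requires SSN structure and rejects digit runs longer than nine digits removes most of those responses, and the policy swaps in the revised rule once the false-positive share of its responses exceeds a threshold. The sample messages, their labels, the 50% threshold, and the class and function names are constructed for this illustration; the risk-adaptive factors recited in the claims (user profile attribute, user behavior factor, user mindset factor) are not modelled here.

```python
# Added example, not from the office action, the application, or Hutson et al.
# (2008/0168453). All messages, labels, names and the threshold are constructed.
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Rule = Callable[[str], bool]


def naive_ssn_rule(text: str) -> bool:
    """Hutson-style rule: fire if any 11-character window holds at least 9 digits."""
    return any(sum(c.isdigit() for c in text[i:i + 11]) >= 9
               for i in range(max(1, len(text) - 10)))


# Revised rule: an SSN-shaped token, bounded so that a 10-digit phone number or a
# longer digit run cannot match, with area/group/serial values the SSA never issues
# (area 000, 666, 900-999; group 00; serial 0000) excluded.
SSN_RE = re.compile(
    r"(?<!\d)"                 # not preceded by a digit
    r"(?!000|666|9\d\d)\d{3}"  # area number
    r"([- ]?)"                 # optional separator, remembered for reuse
    r"(?!00)\d{2}"             # group number
    r"\1"                      # same separator between group and serial
    r"(?!0000)\d{4}"           # serial number
    r"(?!\d)"                  # not followed by a digit
)


def revised_ssn_rule(text: str) -> bool:
    return SSN_RE.search(text) is not None


@dataclass
class SecurityPolicy:
    """Policy holding one rule; records each response and whether it was a false positive."""
    rule: Rule
    fp_threshold: float = 0.5  # constructed: share of responses deemed "undesirable"
    responses: List[Tuple[str, bool]] = field(default_factory=list)

    def process(self, event_text: str, legitimate: bool) -> bool:
        """Apply the rule to one endpoint event. `legitimate` is the analyst's later
        label for the event and is used only to score the response, not to decide it."""
        violated = self.rule(event_text)
        if violated:
            self.responses.append((event_text, legitimate))
        return violated

    def false_positive_rate(self) -> float:
        if not self.responses:
            return 0.0
        return sum(1 for _, fp in self.responses if fp) / len(self.responses)

    def remediate(self, revised: Rule) -> bool:
        """Adopt the revised rule if the false-positive share is undesirable."""
        if self.false_positive_rate() > self.fp_threshold:
            self.rule = revised
            self.responses.clear()
            return True
        return False


# Constructed sample endpoint events: (message text, is a real SSN disclosure).
EVENTS: List[Tuple[str, bool]] = [
    ("Please update my record, SSN 219-09-9999", True),
    ("Call me at 571-272-3791 after lunch", False),
    ("Support line 800-786-9199 option 2", False),
    ("Invoice total 1234567890 EUR", False),
    ("Order 123456789 shipped", False),        # still a false positive under the revised rule
    ("Weekly status: all green", False),
    ("Applicant SSN 078051120 on the I-9", True),
]


def demo() -> Dict[str, float]:
    """Run the naive rule, remediate when its FP share is too high, then re-run."""
    policy = SecurityPolicy(rule=naive_ssn_rule)
    for text, real in EVENTS:
        policy.process(text, legitimate=not real)
    before = policy.false_positive_rate()
    revised = policy.remediate(revised_ssn_rule)
    for text, real in EVENTS:
        policy.process(text, legitimate=not real)
    after = policy.false_positive_rate()
    return {"fp_rate_before": before, "revised": float(revised), "fp_rate_after": after}


if __name__ == "__main__":
    print(demo())
```

The residual false positive on the nine-digit order number is deliberate: tightening the pattern lowers the false-positive share but cannot distinguish a legitimate nine-digit identifier from an SSN on syntax alone, which is the gap the claimed risk-adaptive factors are meant to address.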

The prior art of Hutson et al. (2008/0168453) does not disclose or suggest, “the false positive response being generated as a result of defined bounds of the rule being met or exceeded as a result of occurrence of at least one of a legitimate event and enactment of a legitimate behavior, the remediating revising the rule to provide a revised rule; performing a risk-adaptive analysis when revising the rule, the risk-adaptive analysis using a plurality of risk-adaptive behavior factors when performing the risk-adaptive analysis, the plurality of risk-adaptive behavior factors comprising a user profile attribute, a user behavior factor and a user mindset factor; and adaptively evolving a risk-adaptive security policy based upon the risk-adaptive analysis, the risk-adaptive security policy comprising a security policy implemented to detect whether the security policy is generating an undesirable number of false positives and to be remediated to lower the number of false positives when the security policy is generating the undesirable number of false positives”.

The prior art of Viljoen (2018/0234434) discloses that a security module may analyze false positive and/or false negative rates of computing events detected within the enterprise to determine an optimal threshold disposition score for the enterprise.  Viljoen discloses that the security module may perform a retrospective analysis on the disposition scores of an enterprise's computing events.  This retrospective analysis may involve computing false positive and/or false negative rates using a variety of theoretical or test threshold disposition scores.  Specifically, the security module may determine a theoretical initial classification and a theoretical updated classification for one or more computing events using various test threshold disposition scores and the actual initial and updated disposition scores for the computing events.  The security module may then calculate rates of false positives and false negatives produced by each test threshold

The prior art of Viljoen (2018/0234434) does not disclose or suggest, “the false positive response being generated as a result of defined bounds of the rule being met or exceeded as a result of occurrence of at least one of a legitimate event and enactment of a legitimate behavior, the remediating revising the rule to provide a revised rule; performing a risk-adaptive analysis when revising the rule, the risk-adaptive analysis using a plurality of risk-adaptive behavior factors when performing the risk-adaptive analysis, the plurality of risk-adaptive behavior factors comprising a user profile attribute, a user behavior factor and a user mindset factor; and adaptively evolving a risk-adaptive security policy based upon the risk-adaptive analysis, the risk-adaptive security policy comprising a security policy implemented to detect whether the security policy is generating an undesirable number of false positives and to be remediated to lower the number of false positives when the security policy is generating the undesirable number of false positives”.

The non-patent literature of Cheng et al. (Title: Automatic Management of Network Security Policy) teaches that, while technologies for building large-scale networks and network services have advanced dramatically, creating new vulnerabilities and opportunities for complex attacks, no significant new ideas or principles have emerged for network management, and especially not for security management.  Existing tools have been designed for static security and are inadequate to meet the current demands of user mobility and diversity, requiring frequent and error-prone reconfigurations.  Furthermore, there are no tools to verify the correctness or

The non-patent literature of Cheng et al. (Title: Automatic Management of Network Security Policy) does not teach or suggest, “the false positive response being generated as a result of defined bounds of the rule being met or exceeded as a result of occurrence of at least one of a legitimate event and enactment of a legitimate behavior, the remediating revising the rule to provide a revised rule; performing a risk-adaptive analysis when revising the rule, the risk-adaptive analysis using a plurality of risk-adaptive behavior factors when performing the risk-adaptive analysis, the plurality of risk-adaptive behavior factors comprising a user profile attribute, a user behavior factor and a user mindset factor; and adaptively evolving a risk-adaptive security policy based upon the risk-adaptive analysis, the risk-adaptive security policy comprising a security policy implemented to detect whether the security policy is generating an undesirable number of false positives and to be remediated to lower the number of false positives when the security policy is generating the undesirable number of false positives”.

Therefore, the claims are allowable over the cited prior art.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."


Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JENISE E JACKSON whose telephone number is (571)272-3791.  The examiner can normally be reached on M-F 8:00am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



5/28/2021
/J.E.J/
Examiner, Art Unit 2439


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439