Notice of Pre-AIA or AIA Status
1. 	This action is responsive to the filing of a non-provisional application on 02/19/2019. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
2. 	Claims 1-20 are pending. 
Allowable Subject Matter
Claims 4, 6, 9 and 18-20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. While Sharon and Nantel show user interfaces to display threat data, neither has a native connection in the interface to display a media based ticket including the graphical representation, connection log info, triaged incident, comment to a remote location or delivering the ticket to a dead drop host or encrypting the ticket in the interface or where there is a secure reverse channel connection between the expert and the local station in a cyber-threat interface.


Claim Rejections - 35 USC § 112
3. 	The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA  35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA  35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claim 10 is rejected under 35 U.S.C. 112(d) or pre-AIA  35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.  Claim 10 refers to a non-transitory computer readable medium to perform the method of claim 1. Claim 1 is .  Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.


4. 	The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:

(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with 
a) a “cyber threat module configured to generate and identify”; an “incident module to generate”; a “communication module configured to establish and connect and receive and provide”; an “ingestion module configured to collect”; a “logging module configured to store and maintain”; a “user interface module configured to generate”, in claims 11-20.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.
Claim limitations a “cyber threat module configured to generate and identify”; an “incident module to generate”; a “communication module configured to establish and connect and receive and provide”; an “ingestion module configured to collect”; a “logging module configured to store and maintain”; a “user interface module configured to generate” invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. However, the written description appears to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. For example, support can be found for at least the majority of the modules in Fig. 1. Further, the cyber threat module is disclosed in Para 28-31, 38-39; the ingestion module is disclosed in Para 31-32; the communication module is disclosed in Para 49 and 151-152; the user interface module is disclosed in Para 44; the logging module is disclosed in Para 50, 80, 152. Thus, a rejection under 35 U.S.C. 112(b) is not included in this 
Claim Rejections - 35 USC § 103
5. 	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
6. 	Claims 1-3, 5, 7-8, 11-17 are rejected under 35 U.S.C. 103 as being unpatentable over Sharon et al. U.S. Publication No. 20190260769 filed Feb. 16, 2018 and in view of Nantel et al. U.S. Publication No. 201601733446 filed Dec. 12, 2014.

In regard to independent claims 1 and 11, Sharon teaches a method for a cyber-threat defense system, comprising:
generating a threat-tracking graphical user interface to display a visual representation of data from a network entity describing network activity containing a potential cyber threat (See Sharon, Para 33-34, a security analyst desktop that monitors network activity and generating a query interface component integrated into the threat-tracking graphical user interface to receive a query for assistance (Para 41, cyber security event) that captures data related to an incident (Para 42-51) and then stores data in a database). Sharon teaches that when a user becomes aware of a threat on a user interface, they can report it (Para 52-53). Sharon teaches automating the first step of identifying a threat by comparing to a (query) a set of prior events (playbooks) (Para 55-83).
presenting the threat-tracking graphical user interface and the query interface component to a system user belonging to a client team to review the potential cyber threat (see Para 85-90, visualization of the playbook where the playbook (Para 88) receives the compromised files or activity (see also Para 88-89)).
allowing the system user to digitally grab a visual data container displaying information in the visual representation presented by the threat-tracking graphical user interface and containing a data object of the data from the network entity and collecting the visual data container from the threat-tracking graphical user interface into a collection window of the query interface component (See Para 90-109, Fig 5a-f). Sharon shows a user interface that allows the user to drag and drop a task to collect data from a network entity or source where the data is collected and entered into a playbook or as a result into another playbook, such as graphically identifying all the machines, etc. (Para 103-104, 108) or suspicious URL to generate a report (See also Para 108-122).
and providing an incident ticket containing the query for assistance and a copy of the visual data container to a system support expert within the cyber threat appliance and optionally, at a remote platform from the threat-tracking graphical user interface for a response to the query (See Fig. 3a-4; Para 42-83 and 110-139). Sharon teaches the analyst or another analyst (expert) can view a report (Para 103, 110-112) received from another user (Para 123) and if input is required by the analyst that can provide the input (Para 115-121) to remedy the threat. Sharon teaches polling a data point to determine the nature of the threat (Para 130) and prompting the analyst to provide input or contact another source ((expert) Para 133). The output of the incident report in a form or ticket can be sent to other sources (Para 133) and outlines next steps for the analyst or others which can then be presented in the user interface to others or the analyst or both (Para 139).
While Sharon makes clear the user can edit, drag or modify the tasks in the playbook which can comprise gathering source information data on a cyber-threat (88, 118, 130), which is interpreted as allowing the user to grab threat information displayed to the user in a user interface, the claims nonetheless refer to a broad scope of a visual container displaying threat information that can be grabbed in a user interface. The reliance on Nantel is to show how a skilled artisan prior to the effective date of the invention would understand an alternate means of grabbing in a visualization data that represents a threat.
Nantel is analogous art to Sharon as Nantel is also directed to extracting and presenting threat information to a user (Para 3). Nantel teaches a method of displaying and analyzing one or more threats (Para 10). Nantel teaches the threat information can be derived from a firewall or log information and can be presented as a historical graph (Para 10, 21). Nantel teaches one or more threats can be displayed (Para 22). Nantel teaches multiple pieces of information can be stored per threat (Para 23). Nantel teaches a plurality of different visual graphs can be used to display said threat (Para 24). Nantel teaches the threat filters can be applied to continuously monitor data from a threat in real time (Para 25). Nantel teaches the intrusion prevention and detection system can be implemented in a firewall so as to classify data as threats to a network (Para 36). Nantel teaches said system can also be connected independently or in other devices. Nantel teaches an administrator or security analyst terminal can be used to retrieve the threat information, much like 
With respect to dependent claim 2, Sharon teaches the method for the cyber threat defense further comprising: presenting the query interface component integrated into the threat-tracking graphical user interface to come up as a pop up window when activated that allows the system support expert at a remote location to analyze information being displayed on the threat-tracking graphical user interface along with the system user viewing the threat-tracking graphical user interface (See notification Para 116, 133, 139).
With respect to dependent claim 3, Sharon teaches the method further comprising: receiving a poll for incident tickets from the remote platform; and in response to polling from the remote platform to retrieve the incident ticket containing the query, sending the incident ticket to the remote platform for the system support expert (See Poll Para 130 that provides data to retrieve the playbook and potentially the incident report 110-114).
With respect to dependent claim 5, Sharon teaches the method further comprising: receiving a drag-and-drop input from the system user selecting the visual data container containing the data object to move a copy of the data object into the collection window of the query interface component, where the data objects contain a literal copy of the data as opposed to a summarization of the data (See Sharon contains a copy of the literal data as a file (Para 88-89) that could be dragged in the playbook). In the alternative, Nantel shows the user dragging the actual graph object.
With respect to dependent claim 7, Sharon teaches the method, further comprising: targeting the system support expert for delivery of the incident ticket based on a query category for the query (See Para 133, 139).
With respect to dependent claim 8, Sharon teaches the method further comprising: encrypting an incident ticket to make the incident ticket unreadable until unlocked by the system support expert (See Para 136, waits for input from analyst). 
With respect to dependent claim 12, Sharon teaches the apparatus for the cyber threat defense system wherein the communication module is configured to receive the query response from the system support expert (See User or other accesses report, Para 139).
With respect to dependent claim 13, Sharon teaches the apparatus for the cyber threat defense wherein the communication module is configured to receive, from the system support expert, a query report listing a series of queries from the system user and query responses from the system support expert for a report period (See Para 41-84, the form contains a variety of communications data and information that the other user can access). 
With respect to dependent claim 14, Sharon teaches the apparatus further comprising: a logging module configured to maintain a query log on a cyber-threat defense system user interface for the client team listing previous incident queries to the system support expert from the client team. 
With respect to dependent claim 15, Sharon teaches the apparatus for the cyber threat defense system further comprising: a logging module configured to store the incident ticket as an incident report for later review (Para 42-43, 51). 
With respect to dependent claim 16, Sharon teaches the apparatus for the cyber threat defense system wherein the logging module can be configured to export the incident report as a document (See file, Para 42).  
With respect to dependent claim 17, Sharon teaches the apparatus for the cyber threat defense system wherein the communication module is configured to connect to an internal support expert responding to the incident ticket after opening the incident ticket as a mirrored incident ticket to the client team (See Para 133, 139 and Para 41-84 as accessing the same data from the same database).
A reference to specific paragraphs, columns, pages, or figures in a cited prior art reference is not limited to preferred embodiments or any specific examples. It is well settled that a prior art reference, in its entirety, must be considered for all that it expressly teaches and fairly suggests to one having ordinary skill in the art. Stated differently, a prior art disclosure reading on a limitation of Applicant's claim cannot be ignored on the ground that other embodiments disclosed were instead cited. Therefore, the Examiner's citation to a specific portion of a single prior art reference is not intended to exclusively dictate, but rather, to demonstrate an exemplary disclosure commensurate with the specific limitations being addressed. In re Heck, 699 F.2d 1331, 1332-33, 216 USPQ 1038, 1039 (Fed. Cir. 1983) (quoting In re Lemelson, 397 F.2d 1006, 1009, 158 USPQ 275, 277 (CCPA 1968)). In re: Upsher-Smith Labs. v. Pamlab, LLC, 412 F.3d 1319, 1323, 75 USPQ2d 1213, 1215 (Fed. Cir. 2005); In re Fritch, 972 F.2d 1260, 1264, 23 USPQ2d 1780, 1782 (Fed. Cir. 1992); Merck & Co. v. Biocraft Labs., Inc., 874 F.2d 804, 807, 10 USPQ2d 1843, 1846 (Fed. Cir. 1989); In re Fracalossi, 681 F.2d 792, 794 n.1, 215 USPQ 569, 570 n.1 (CCPA 1982); In re Lamberti, 545 F.2d 747, 750, 192 USPQ 278, 280 (CCPA 1976); In re Bozek, 416 F.2d 1385, 1390, 163 USPQ 545, 549 (CCPA 1969).


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to STEVEN B THERIAULT whose telephone number is (571)272-5867. The examiner can normally be reached on Monday-Friday 9-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Renee Chavez can be reached on 571-270-1104.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 






/STEVEN B THERIAULT/
Primary Examiner, Art Unit 2179