Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority
Applicant’s claim of priority to Chinese application 201811061492.X, filed on 09/12/2018, is hereby acknowledged; however, the certified priority documents have not been received under 35 U.S.C. § 119(a)-(d).
Information Disclosure Statement PTO-1449
The Information Disclosure Statement(s) submitted by applicant on 1/21/2020 has/have been considered. The submission is in compliance with the provisions of 37 CFR § 1.97. Form PTO-1449 signed and attached hereto. 

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claim(s) 1-20 is/are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without adding significantly more.  The analysis is as follows:
	Step 1: Claims 1-7, 8-14, and 15-20 are directed to a method, medium and system.
	Step 2A Prong 1: Claims 1, 8 and 15 recite mental processes.  The limitations of
	Step 2A Prong 2: The judicial exception is not integrated into a practical application.  Claims 1-7 recite no implementation whatsoever.  Claims 8-14 and 15-20 recite a generic non-transitory computer readable medium, processor and a storage which, claimed at a high level of generality, amount to no more than mere instructions to apply the exception using a generic computer component.  Accordingly, these limitations do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.  Claims 1, 8 and 15 refer to collecting information at such a level of generality that it could simply be performed through observation.  The claim is directed to an abstract idea with information being ephemerally manipulated and is a mental process.
	Step 2B: The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception.  As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using a processor and a memory or a desktop computer to perform the recited steps is no more than merely to apply an exception using a generic computer component.  Mere 

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1, 8, and 15 is/are rejected under AIA 35 U.S.C. 102(a)(1) and 35 U.S.C. 102(a)(2) as being anticipated by Puri et al. (US 2016/0253232 A1).
Regarding claims 1, 8, and 15, Puri teaches:
“A method for identifying a security threat (Puri, ¶ 21 and ¶ 23 teaches a processor, memory and computer readable medium to execute method steps), comprising:
	collecting a plurality of security-related security events, wherein each security event of the plurality of security-related security events, contains a plurality of fields (Puri, ¶ 24, ¶ 30, and ¶ 32, anomaly detection system is used for security event detection and the log information contains various fields);
	searching, for a first security event of the plurality of security-related security events, one or more second security events related to the first security event from the plurality of security-related security events according to one or more fields of the plurality of fields of the first security event, wherein the one or more second security events and the first security event, form event graphs (Puri, ¶ 30, ¶ 57-58 teaches matching graphs created from log data to detect an anomaly event);
	calculating weights of the event graphs (Puri, ¶ 55 teaches determining weights for graphs); and
	sorting the event graphs according to the weights calculated (Puri, Fig. 9, ¶ 56 and ¶ 58 disclose sorting graphs according to their weights)”.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 2-4, 7, 9-11, 14, 16-18, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Puri, in view of Hassanzadeh et al. (US 2019/0141058 A1).
Regarding claims 2, 9, and 16, Puri teaches:
“The method of claim 1 (Puri teaches the limitation of the parent claims as discussed above)”.
Puri does not, but in related art, Hassanzadeh teaches:
“converting each security event, of the plurality of security-related security events, according to conversion rules so as to map a plurality of fields of each security event into one or more feature sets (Hassanzadeh, ¶ 35 teaches converting security event data into a standard format for use in a correlation detection system)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Puri and Hassanzadeh, to modify the anomaly correlation detection system of Puri to include the method to convert security event data into a standard format as taught in Hassanzadeh.  The motivation to do so constitutes applying a known technique (i.e., anomaly correlation detection system) to known devices and/or methods (i.e., method to convert security event data into a standard format) ready for improvement to yield predictable results. 
 
Regarding claims 3, 10, and 17, Puri in view of Hassanzadeh teaches:
“The method of claim 2 (Puri in view of Hassanzadeh teaches the limitations of the parent claims as discussed above), wherein the conversion rules contain at least one of: directly using one or more fields as the one or more feature sets (Hassanzadeh, ¶ 34-36 teaches conversion based on the domain with which the information is based on)”.

Regarding claims 4, 11, and 18, Puri in view of Hassanzadeh teaches:
“The method of claim 2 (Puri in view of Hassanzadeh teaches the limitations of the parent claims as discussed above), wherein the searching of the one or more second security events related to the first security event comprises:
	searching one or more second security events related to the first security event by matching one or more features in the one or more feature sets of the first security event with one or more features in the one or more feature sets of the one or more second security events (Puri, ¶ 30, ¶ 57-58 teaches matching graphs created from log data to detect an anomaly event)”.

Regarding claims 7, 14, and 20, Puri teaches:
“The method of claim 1 (Puri teaches the limitations of the parent claims as discussed above)”.
Puri does not, but in related art, Hassanzadeh teaches:
“wherein the collecting of the plurality of security-related security events comprises: collecting a plurality of security logs and aggregating the plurality of security logs collected into a security event (Hassanzadeh, ¶ 34-36 teaches collecting and converting security information based on the domain with which the information is based on)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Puri and Hassanzadeh, to modify the anomaly correlation detection system of Puri to include the method to collect and convert security event data into a standard format as taught in Hassanzadeh.  The motivation to do so constitutes applying a known technique (i.e., anomaly correlation detection system) to known devices and/or methods (i.e., method to collect and convert security event data into a standard format) ready for improvement to yield predictable results.

Claim(s) 5, 12, and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Puri, in view of Hassanzadeh in view of Teverovsky et al. (US 2019/0281010 A1).
Regarding claims 5, 12, and 19, Puri in view of Hassanzadeh teaches:
“The method of claim 4 (Puri in view of Hassanzadeh teaches the limitations of the parent claims as discussed above)”.
Puri in view of Hassanzadeh does not, but in related art, Teverovsky teaches:
“wherein the searching of the one or more second security events related to the first security event comprises: searching one or more cause events triggering the first security event and one or more result events triggered by the first security event (Teverovsky, ¶ 26 and ¶ 61 teaches a correlation engine that matches cause and effect security events)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Puri, Teverovsky, and Hassanzadeh, to modify the anomaly correlation detection system of Puri and Hassanzadeh to include the method to correlate cause and effect security events as taught in Teverovsky.  The motivation to do so constitutes applying a known technique (i.e., anomaly correlation detection system) to known devices and/or methods (i.e., method to correlate cause and effect security events) ready for improvement to yield predictable results.

Claim(s) 6 and 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Puri, in view of Hogg et al. (US 2019/0236661 A1).
Regarding claims 6 and 13, Puri teaches:
“The method of claim 1 (Puri teaches the limitations of the parent claims as discussed above)”.
	“presetting a plurality of security levels, wherein each security event, of the plurality of security-related security events, belongs to a security level of the plurality of security levels and wherein a respective weight is assigned to each respective security level of the plurality of security levels for the calculating of the weights of the event graphs according to the respective weights assigned to the respective security levels of the plurality of security events (Hogg, ¶ 125 and ¶ 130 teaches an event risk measuring system which applies a specific weight to different security domain levels for calculating the overall vulnerability score)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Puri and Hogg, to modify the anomaly correlation detection system of Puri to include the method to assign weights to specific security levels for analysis as taught in Hogg.  The motivation to do so constitutes applying a known technique (i.e., anomaly correlation detection system) to known devices and/or methods (i.e., method to assign weights to specific security levels for analysis) ready for improvement to yield predictable results.

Conclusion
	In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention.
	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure: See PTO-892.
	If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl, can be reached on (571) 272-3685.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.
/STEPHEN T GUNDRY/
Examiner, Art Unit 2435