DETAILED ACTION
This office action is in response to the application filed on 03/28/2019. Claims 1-20 are pending and are examined.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 102 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151 , or in an application for patent published or deemed published under section 122(b) , in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 1-2, 11-12 and 16-17 are rejected under AIA 35 U.S.C. 102(a) (x) as being unpatentable over Carver et al. (U.S. Pub No. 2015/0365438 A1, referred to as Carver).
Regarding claims 1, 11 and 16, Carver teaches:
A computer-implemented method for identifying cyber adversary behavior on a computer network (Carver: ¶ 0012), the computer-implemented method comprising:
receiving individual security events from multiple threat intelligence data sources (Carver: Fig. 1, Items 102, 110 (multiple threat intelligence data sources); ¶ 0014, “The threat intelligence component 102 can receive information from one or more 110.”, “In some implementations, a service may receive security threat information (individual security events) from multiple peer sources”; ¶ 0015);
matching a security incident corresponding to an attack on at least one element of the computer network, the security incident being described by the individual security events received from the multiple threat intelligence data sources, to a defined cyber adversary objective in a structured framework of a plurality of defined cyber adversary objectives and a related technique associated with the defined cyber adversary objective used by a cyber adversary in the attack (Carver: ¶ 0002, “implementing a response to one or more security incidents in a computing network, including identifying a security incident based on detecting one or more indicators of compromise associated with the security incident,”; Fig. 2, Item 202; ¶ 0023, “information associated with an IP block of addresses targeting a particular type of resource (e.g., a database server (at least one element of the computer network))”; ¶ 0024, “For example, contextualizing and storing information may include matching threat information identified from internal security threats to threat information identified from external security threats to supplement the information from each source. In the present example, one or more threat indicators (e.g., an IP block of addresses) may be associated with a particular security threat (e.g., a secure shell (SSH) (adversary objective) brute force attack (a related technique associated with the defined cyber adversary)).”; ¶ 0025); and
performing a set of mitigation actions on the computer network based on the matching of the security incident corresponding to the attack on the computer network to the defined cyber adversary objective and the related technique (Carver: ¶ 0018, “To mitigate a phishing attack ((a related technique associated with the defined cyber )), for example, the defense component 106 can cause a predefined course of action to be executed, including using the orchestration services 140 to determine whether a uniform resource locator (URL) included in an e-mail is malicious, and if so, to block access to the URL and to generate a workflow request to remove the malicious e-mail from a recipient's mailbox (adversary objective)”; ¶ 0026- ¶ 0034).
Regarding claim 11, Carver further teaches:
the computer system comprising: a bus system; a storage device connected to the bus system, wherein the storage device stores program instructions; and a processor connected to the bus system, wherein the processor executes the program instructions (Carver: Fig. 6, Items 610 (processor), 630 (a storage device), 650 (a bus system); ¶ 0068- ¶ 0069).
Regarding claim 16, Carver further teaches:
the computer program product comprising a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a computer (Carver: Fig. 6, Items 610 (processor), 630 (a storage device); ¶ 0068- ¶ 0069).

Regarding claims 2, 12, and 17, Carver teaches all the features of claims 1, 11 and 16, as outlined above.
Carver further teaches:
wherein the matching is performed according to a set of security rules corresponding to the security incident in a plurality of security rules (Carver: ¶ 0002, “comparing the security incident with a predefined ontology that maps the security ”).
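As an added illustration, not code from the application, from Carver, or from this office action, the following constructed Python sketch walks through the flow recited in claims 1 and 2: individual events from two threat-intelligence feeds are grouped into incidents, each incident is matched by a set of security rules to a defined objective and related technique in a structured framework, and the framework entry supplies the mitigation actions to perform. The framework entries, rule predicates, field names and sample events are all assumptions made for the illustration.

```python
from collections import defaultdict
# Constructed structured framework: adversary objective -> related technique -> mitigation actions.
FRAMEWORK = {
    "credential_access": {"ssh_brute_force": ["block_source_ip", "lock_account"]},
    "initial_access": {"phishing": ["block_url", "remove_email"]},
}
def rule_ssh_brute_force(events):
    # Repeated SSH auth failures against one element, corroborated by more than one feed.
    fails = [e for e in events if e["kind"] == "auth_failure" and e["service"] == "ssh"]
    return len(fails) >= 3 and len({e["feed"] for e in fails}) >= 2

def rule_phishing(events):
    # Any mail event whose embedded URL was judged malicious.
    return any(e["kind"] == "mail_url" and e["verdict"] == "malicious" for e in events)

# Security rules (claim 2): a predicate over an incident's events and the framework entry it maps to.
RULES = [
    (rule_ssh_brute_force, ("credential_access", "ssh_brute_force")),
    (rule_phishing, ("initial_access", "phishing")),
]

def group_incidents(events):
    # Events from all feeds that concern the same attacked element form one incident.
    incidents = defaultdict(list)
    for event in events:
        incidents[event["target"]].append(event)
    return dict(incidents)

def match_incident(events):
    # (objective, technique) for the first rule the incident satisfies, else None.
    for predicate, mapping in RULES:
        if predicate(events):
            return mapping
    return None

def respond(events):
    # Per incident: the matched objective/technique and the mitigation actions to perform.
    plan = {}
    for target, incident in group_incidents(events).items():
        match = match_incident(incident)
        if match is not None:
            objective, technique = match
            plan[target] = {"objective": objective, "technique": technique,
                            "actions": FRAMEWORK[objective][technique]}
    return plan
# Constructed events from two peer threat-intelligence feeds (feed_a, feed_b).
SAMPLE_EVENTS = [
    {"feed": "feed_a", "kind": "auth_failure", "service": "ssh", "target": "db-server-1"},
    {"feed": "feed_a", "kind": "auth_failure", "service": "ssh", "target": "db-server-1"},
    {"feed": "feed_b", "kind": "auth_failure", "service": "ssh", "target": "db-server-1"},
    {"feed": "feed_b", "kind": "mail_url", "verdict": "malicious", "target": "mailbox-7"},
    {"feed": "feed_a", "kind": "auth_failure", "service": "ssh", "target": "web-1"},
]
```

The single failure against web-1 satisfies no rule and so produces no incident match or mitigation, which is the behaviour a practitioner would want to confirm before wiring such rules to automated actions.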

Allowable Subject Matter
Claims 3-10, 13-15 and 18-20 would be allowable if they were rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is an examiner’s statement of reasons for identifying allowable subject matter.

The closest prior art made of record is Carver et al. (U.S. Pub No. 2015/0365438 A1, referred to as Carver) and Amsler (U.S. Pub No. 2014/0201836 A1, referred to as Amsler).

Carver discloses methods for implementing a response to one or more security incidents in a computing network. One of the methods includes identifying a security incident based on detecting one or more indicators of compromise associated with the security incident, comparing the security incident with a predefined ontology that maps the security incident to one or more courses of action, selecting a response strategy that includes one or more of the courses of action, and implementing the response strategy as an automated response.

Amsler discloses a risk assessment and managed security system for network users that provides security services for dealing with formidable cyber threats, malware creations and phishing techniques. Automated solutions in combination with human-driven solutions establish an always-alert positioning for incident anticipation, mitigation, discovery and response.

However, regarding claims 3, 13 and 18, the prior art of Carver and Amsler, when taken in the context of the claim as a whole, does not disclose or suggest “wherein the matching is performed according to a timeline of when the individual security events were received and a cyber adversary technique corresponding to the defined cyber adversary objective.”

Regarding claims 4, 14 and 19, the prior art of Carver and Amsler, when taken in the context of the claim as a whole, does not disclose or suggest “presenting the security incident as compared to the defined cyber adversary objective and the related technique matched to the security incident on a security attack graph.”

Regarding claim 6, the prior art of Carver and Amsler
Regarding claim 7, the prior art of Carver and Amsler, when taken in the context of the claim as a whole, does not disclose or suggest “retrieving cyber adversary objectives and techniques data corresponding to the extracted indicators of compromise and related indicators of compromise from a set of remote trusted third-party structured threat intelligence data sources.”

Claims 5, 15 and 20 depend on claims 4, 14 and 19, and claims 8-10 depend on claim 7; they are consequently identified as allowable.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HASSAN SAADOUN whose telephone number is (571)272-8408. The examiner can normally be reached on Mon-Fri 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl, can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

/HASSAN SAADOUN/Examiner, Art Unit 2435

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435