Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Continued Examination Under 37 CFR 1.114

1.       A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  
Applicant's submission filed on 3-1-2021 has been entered.

2.        Claims 1, 3 - 10, 12, 14 - 19, 21 - 27, 29, 30 are pending.  Claims 1, 3 - 10, 12, 14 - 19, 21 - 27, 29, 30 have been amended.  Claims 1, 19, 27 are independent.    This application was filed on 10-30-2015.  

Response to Arguments

3.    Applicant's arguments have been fully considered; however, upon further consideration of the prior art and the claimed limitations, they were not persuasive.

A.  The Objection to Claim 27 is withdrawn due to amendments to Claim 27. 



B.  Applicant argues on page 10 of Remarks:    ...   “an entities view comprising...a link associated with each application in the listing of applications, wherein activation of the link by a user causes the graphical user interface to generate a detailed view illustrating a relationship between the application and the at least one anomaly or threat associated with the application.”

    The Examiner respectfully disagrees.  Andres discloses that an application can be considered as a threat to a computer network (i.e. a flawed application). (see Andres col 4, lines 5-19: vulnerabilities include open ports and flawed application programs that can provide unauthorized access to network node(s); individuals that gain access through such vulnerabilities view secret information, delete files, alter settings of computer networks, or otherwise compromise security of a computer network; (i.e. events detected by security management tools)).   Andres discloses a graphical user interface display concerning indicated threats to a computer network and the capability to generate a more detailed view of the detected threats, including generated risk scores associated with the assets. (see Andres col 11, line 67 - col 12, line 4: generates and displays threat listing; graphical user interface display of output from threat correlation module; col 12, lines 4-8: threat listing (i.e. flawed applications) comprising a threat summary and threat risk level, enables quick scan of threats; col 12, lines 8-13: threat correlation module calculates threat risk level (i.e. risk score) based on characteristics of threat (i.e. threat criticality); col 14, lines 36-34: risk score based on asset criticality, threat criticality and vulnerability severity values associated with asset; col 12, lines 17-24: highlighting a specific threat (i.e. link), threat correlation module displays detailed information about 

C.  Applicant argues on page 11 of Remarks: Eberhardt also does not disclose illustrating a relationship between an application and an anomaly or threat, as now recited in claim 1,   ...   . 

    The Examiner respectfully disagrees.   Andres discloses that an application can be considered as a threat to a computer network (i.e. a flawed application). (see Andres col 4, lines 5-19: vulnerabilities include open ports and flawed application programs that can provide unauthorized access to network node(s); individuals that gain access through such vulnerabilities view secret information, delete files, alter settings of computer networks, or otherwise compromise security of a computer network).   Andres discloses a graphical user interface display concerning indicated threats to a computer network and the capability to generate a more detailed view of the detected threats, including generated risk scores associated with the assets, as stated above. 

D.  Applicant argues on page 11 of Remarks: Independent claims 19 and 27 are amended herein to recite similar features to claim 1,   ...   . 

    Responses to arguments against independent claim 1 also answer arguments 

E.  Applicant argues on page 11 of Remarks:    ...   each of the remaining claims depends from one of claims 1, 19, and 27; thus, these claims are patentable over the cited references for at least the same reasons. 

    Responses to arguments against the independent claims also answer arguments against the associated dependent claims.   

Claim Rejections - 35 USC § 103

4.        The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

5.        Claims 1, 3 - 5, 7 - 9, 16 - 19, 21 - 23, 25 - 27, 29, 30 are rejected under 35 U.S.C. 103 as being unpatentable over Andres et al. (US Patent No. 8,201,257) in view of Eberhardt, III et al. (US PGPUB No. 20130198119, referred to as “Eberhardt”).

Regarding Claims 1, 19, 27, Andres discloses a computerized method, a non-transitory, computer-readable storage medium storing instructions, an execution of which in a computer system causes the computer system to perform operation, and a computer system comprising:


Furthermore, Andres discloses for b): identify anomalies from the event data, wherein anomalies are associated with at least one entity; (see Andres col 1, lines 53-58: threat correlation module finds actual assets that have attributes susceptible to one or more threats (i.e. compromised asset, device); threat correlation module displays a list of those susceptible assets (i.e. device(s) potentially compromised))  


However, Eberhardt discloses for b): using machine learning models to identify anomalies from the event data. (see Eberhardt paragraph [0105], lines 1-12: a model to identify novel and anomalous events using machine learning algorithms on relevant data about a set of events; data includes data relevant to the events, relevant to outcomes, and relevant to the specific subject domain; probabilities are used in a scoring algorithm to adjudicate whether an event is harmful or not harmful)    
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Andres for b): using machine learning models to identify anomalies as taught by Eberhardt.   One of ordinary skill in the art would have been motivated to employ the teachings of Eberhardt for the benefits achieved from the flexibility of a system that enables the prediction of certain unknown events that are dissimilar to certain known events and the detection of new viruses or malware that have not been detected before. (see Eberhardt paragraph [0006], lines 2-7)   

Furthermore, Andres discloses the following:
c)  automatically determining a score for each anomaly, wherein the score represents a quantification of a degree to which the event data is associated with anomalous activity on the network; (see Andres col 15, lines 37-40: calculating a risk score parameter focusing on security risks associated with each asset individually but incorporating all threats and all vulnerabilities that affect a particular asset (i.e. device, entity)) and

e)  causing display, in a graphical user interface, of an entities view (see Andres col 11, line 67 - col 12, line 4: generates and displays threat listing; graphical user interface display of output from threat correlation module) comprising: a listing of applications that have run on the network and are associated with an anomaly or threat; (see Andres col 12, lines 4-8: threat listing (i.e. flawed applications) comprises a threat summary, threat risk level, enables quick scan of threats) and the score determined for the anomaly associated with each application in the listing of applications; (see Andres col 12, lines 8-13: threat correlation module calculates threat risk level (i.e. risk score) based on characteristics of threat (i.e. threat criticality); col 14, lines 36-34: risk score based on asset criticality, threat criticality and vulnerability severity values associated with asset) and a link associated with each application in the listing of applications, wherein activation of the link by a user causes the graphical user interface to generate a detailed view illustrating a relationship between the application and the at least one anomaly or threat associated with the application. (see Andres col 12, lines 17-

Furthermore, for Claim 27, Andres discloses a non-transitory computer readable medium for storing machine instructions; and a processor coupled to the non-transitory computer readable medium, the processor, upon executing the instructions, being caused to perform operations. (see Andres col 6, lines 7-15: implemented in software comprising computer-executable instructions organized into routines, subroutines, procedures, objects, methods, functions; directing a computer to perform specified tasks; (computer indicates a processor coupled to a memory (i.e. computer readable medium) for execution of stored instructions))     

Regarding Claims 3, 21, 29, Andres-Eberhardt discloses the method, computer readable storage medium, and computer system of claims 1, 19, 28, wherein the entities view lists, for each entity, the number of threats associated with the entity. (see Andres col 15, lines 37-40: calculated risk score focuses on security risk associated with each asset (i.e. entity) incorporating all threats and all vulnerabilities (anomalies) that affect the asset (i.e. entity); (all threats associated with an entity); col 1, lines 53-58: 

Regarding Claims 4, 22, 30, Andres-Eberhardt discloses the method, computer readable storage medium, and computer system of claims 1, 19, 27, wherein the entities view lists, for each entity, a number of anomalies associated with the entity. (see Andres col 1, lines 53-58: threat correlation module finds actual assets that have attributes susceptible to one or more threats (i.e. compromised asset, device); threat correlation module displays a list of those susceptible assets (i.e. device(s) potentially compromised); col 15, lines 37-40: calculated risk score focuses on security risk associated with each asset (i.e. entity) incorporating all threats and all vulnerabilities (i.e. anomalies) that affect the asset (i.e. entity); (all vulnerabilities (anomalies) associated with an entity))    

Regarding Claims 5, 23, Andres-Eberhardt discloses the method and computer readable storage medium of claims 1, 19, wherein the entities view lists, for each entity, a number of threats and anomalies associated with the entity. (see Andres col 1, lines 53-58: threat correlation module finds actual assets that have attributes susceptible to one or more threats (i.e. compromised asset, device); threat correlation module displays 

Regarding Claims 7, 25, Andres-Eberhardt discloses the method and computer readable storage medium of claims 1, 19, wherein the entities view further comprises a listing of users in a computer network of an organization including a department in which the user is assigned in the organization. (see Andres col 4, lines 34-40: assets encompass all devices or nodes connected to a computer network; computers, applications and services such as an email client program (i.e. a particular user execution connected within a network environment); col 17, lines 58-65: allows a user to specify a subset of the network such as assets of a certain department (i.e. users via email client programs for a particular department of a company))    

Regarding Claims 8, 26, Andres-Eberhardt discloses the method and computer readable storage medium of claims 1, 19,
a)  wherein the entities view further comprises a listing of network users in a computer network of an organization, (see Andres col 4, lines 34-40: assets encompass all devices or nodes (computer systems) connected to a computer network; computers, applications and services such as an email client program (i.e. a particular device or computer system associated with a particular user 
b)  further includes, for each network user, a date of a most recent automated determination regarding the network user’s involvement in an anomaly. (see Andres col 8, line 49 - col 9, line 5: threat intelligence database maintains information concerning date and time each record was entered; threat intelligence module transmits alert information to a particular user; separate timestamp information maintained for each user of threat correlation module; (date information associated with most recent threat (i.e. compromise) information associated with a particular user))    

Regarding Claim 9, Andres-Eberhardt discloses the method of claim 1, 
a)  wherein the entities view comprises a listing of devices communicating on the network and associated with an anomaly, (see Andres col 1, lines 53-58: threat correlation module finds actual assets that have attributes susceptible to one or more threats (i.e. compromised asset, device); threat correlation module displays a list of those susceptible assets (i.e. device(s) potentially compromised); col 12, lines 33-37: threat correlation module allows user to select a particular threat and request that the threat be correlated with other assets of computer network) and 
b)  further wherein the listing includes, for each device, the date of the most recent automated determination regarding the device’s involvement in an anomaly. (see Andres col 8, line 49 - col 9, line 5: threat intelligence database maintains 

Regarding Claim 16, Andres-Eberhardt discloses the method of claim 1, wherein the entities view further comprises a listing of network users in a computer network of an organization and upon selection by a user of a network user in the listing, a detailed network user view is generated that identifies other network users determined to be similar. (see Andres col 9, lines 61-67: threat correlation module refers to information stored in database to compile a list of threats to display to users; allow users to select a threat for more detailed information and for correlation about threat data with data about actual vulnerabilities stored in vulnerabilities database; (display detailed information associated with a particular threat); col 12, lines 33-37: select a particular threat and request that it be correlated with a set of assets to determine which assets are affected by the selected threat; (future tracking provides threat assessment information after threat selection and set of assets selection))

Regarding Claim 17, Andres-Eberhardt discloses the method of claim 1, further comprising: upon receiving a selection by a user, via the graphical user interface, of a link in the detailed view, generating an instances view listing instances of anomalies that are associated with the application. (see Andres col 17, lines 8-17: vulnerabilities are 

Regarding Claim 18, Andres-Eberhardt discloses the method of claim 1, further comprising: 
a)  upon receiving a selection by a user, via the graphical user interface, of a link in the detailed view, generating an instances view listing instances of anomalies that are associated with the application, (see Andres col 12, lines 17-24: highlighting a specific threat (i.e. link), threat correlation module displays detailed information about the selected threat; col 12, lines 33-37: threat correlation module allows user to select a particular threat and request that the threat be correlated with other assets of computer network; col 21, lines 51-60: results of correlation are displayed; col 9, lines 61-67: threat correlation module refers to information stored in database to compile a list of threats to display to users; allow users to select a threat for more detailed information and for correlation about threat data with data about actual vulnerabilities stored in vulnerabilities database; (display detailed information associated with a particular threat))    
b)  wherein each listed instance includes a link to a detailed view of that instance. (see Andres col 17, lines 8-17: vulnerabilities are exploited by threat types of assets, external hyperlinks that point to addition information concerning the threats; (hyperlinks providing access via clicking on link to display additional threat related information))    

6.        Claims 6, 10, 24 are rejected under 35 U.S.C. 103(a) as being unpatentable over Andres in view of Eberhardt and further in view of Osborn et al. (US PGPUB No. 20070239495).

Regarding Claims 6, 24, Andres-Eberhardt discloses the method and computer readable storage medium of claims 2, 1 including a graphical user interface. 
Andres-Eberhardt does not specifically disclose for a): graphical user interface provides a prompt for filtering entities, and for b): filtering entities view to include only entities associated with scores corresponding to user’s selection. 
However, Osborn discloses:
a)  wherein the graphical user interface provides a prompt for filtering the displayed plurality of anomalies according to score, (see Osborn paragraph [0011], lines 5-9: display information associated with risk scores for applications (assets) and permit filtering to study only a portion of said information; paragraph [0045], lines 10-13: user selects a risk level) and
b)  upon selection by a user of a score via the graphical user interface, filtering the displayed plurality of anomalies to include only the anomalies associated with scores corresponding to the user’s selection. (see Osborn paragraph [0011], lines 5-9: display information associated with risk scores for applications (assets) and permit filtering to study only a portion of said information; paragraph [0045], lines 10-13: user selects a risk level)   
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Andres-Eberhardt for a): 

Regarding Claim 10, Andres-Eberhardt discloses the method of claim 1, 
a)  wherein the entities view includes, for each application, the date of the most recent update regarding the application’s participation in anomaly. (see Andres col 8, lines 43-48: threat intelligence module assembles threat alerts containing information about threats that have been added to threat intelligence database) 

Furthermore, Andres discloses for b): view according to date, and for c): selection by a user of a temporal range, view to include only the entities associated with a date of most recent update falling within the selected temporal range. (see Andres col 2, lines 43-50: compliance tracking module receives user input specifying compliance goals; periodically (over a specified time range) determine compliance goal and display a time-based compliance measure indicative of actual compliance with goal; compliance processing associated with a particular set of assets over a particular time range; col 3, lines 10-15: threat correlation module requests threat information according to a schedule set by a user; (user sets a schedule (or a time range) for processing threat information))

Andres-Eberhardt does not specifically disclose for b): provides a prompt for filtering entities, and for c): filtering entities view to include only applications associated with filtering.
However, Osborn discloses:
b)  wherein the graphical user interface provides a prompt for filtering the entities view, (see Osborn paragraph [0011], lines 5-9: display information associated with risk scores for applications (assets) and permit filtering to study only a portion of said information; paragraph [0045], lines 10-13: user selects a risk level) and
c)  upon selection by a user of a filter via the graphical user interface, filtering the entities view to include only the applications associated with filtering. (see Osborn paragraph [0011], lines 5-9: display information associated with risk scores for applications (assets) and permit filtering to study only a portion of said information; paragraph [0045], lines 10-13: user selects a risk level)    
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Andres-Eberhardt for b): providing a prompt for filtering applications, and for c): filtering the entities view to include only applications associated with the filtering, as taught by Osborn. One of ordinary skill in the art would have been motivated to employ the teachings of Osborn for the benefits achieved from the flexibility of a system that enables evaluating both risks and the controls implemented to mitigate risks associated with multiple objects. (see Osborn paragraph [0009], lines 1-3)  

7.        Claims 12, 14 are rejected under 35 U.S.C. 103(a) as being unpatentable over Andres in view of Eberhardt and further in view of Eggert et al. (US PGPUB No. 20130041796).

Regarding Claim 12, Andres-Eberhardt discloses the method of claim 1, wherein the detailed view further includes illustrating changes associated with the application over a period of time. (see Andres col 9, lines 61-67: threat correlation module refers to information stored in database to compile a list of threats to display to users; allow users to select a threat for more detailed information and for correlation about threat data with data about actual vulnerabilities stored in vulnerabilities database; (display detailed information associated with a particular threat); col 2, lines 43-50: compliance tracking module receives user input specifying compliance goals; periodically determine compliance goal and display a time-based compliance measure indicative of actual compliance with goal) 
   
Andres-Eberhardt does not specifically disclose a trends graph illustrating changes in threat (or risk) information associated with an entity. 
However, Eggert discloses a trends graph illustrating any changes associated with the entity. (see Eggert paragraph [0048], lines 1-7: displaying a trending report of assessment data; tracks changes to data over a specified period of time; trending report depicted in a graphical format)  
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Andres-Eberhardt for a trends graph illustrating changes associated with an entity as taught by Eggert.  One of ordinary skill 

Regarding Claim 14, Andres-Eberhardt discloses the method of claim 1, wherein the detailed view further includes an illustration of how recent network activities associated with the entity have varied from a baseline of activity. (see Andres col 9, lines 61-67: threat correlation module refers to information stored in database to compile a list of threats to display to users; allow users to select a threat for more detailed information and for correlation about threat data with data about actual vulnerabilities stored in vulnerabilities database; (display detailed information associated with a particular threat); col 2, lines 43-50: compliance tracking module receives user input specifying compliance goals; periodically determine compliance goal and display a time-based compliance measure indicative of actual compliance with goal (i.e. calculations associated with a compliance baseline)) 
 
Andres-Eberhardt does not specifically disclose a graph that provides a view of variation from a baseline.
However, Eggert discloses a line graph that provides a view of variation from a baseline of activity.  (see Eggert paragraph [0048], lines 1-7: displaying a trending report of assessment data; tracks changes to data over a specified period of time; trending report depicted in a graphical format; (graphical denotes an illustration format for network compromise information)) 


8.        Claim 15 is rejected under 35 U.S.C. 103(a) as being unpatentable over Andres in view of Eberhardt and further in view of Linn et al. (US Patent No. 8,181,264).

Regarding Claim 15, Andres-Eberhardt discloses the method of claim 2, 
b)  upon receiving a selection by a user of a tag, associating the tag with the selected application such that the tag is included in the additional data provided in response to subsequent requests to generate the detailed view of the selected application. (see Andres col 9, lines 61-67: threat correlation module refers to information stored in database to compile a list of threats to display to users; allow users to select a threat for more detailed information and for correlation about threat data with data about actual vulnerabilities stored in vulnerabilities database; (display detailed information associated with a particular threat); (select a threat utilizing a user interface interaction (i.e. a click) for detailed analysis such as an evaluation at a future time))    

Furthermore, Andres discloses for a): the detailed view provides a prompt for a user application. (see Andres col 12, lines 33-37: select a particular threat and request that it be correlated with a set of assets to determine which assets are affected by the selected threat)

Andres-Eberhardt does not specifically disclose for a): tagging a selected application for future tracking.
However, Linn discloses for a): tag the selected application for future tracking. (see Linn col 4, lines 32-35: content is tagged with a security indicator that indicates content is subject to security evaluation at a later time) 
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Andres-Eberhardt for a): tagging a selected application for future tracking as taught by Linn.  One of ordinary skill in the art would have been motivated to employ the teachings of Linn for the benefits achieved from the flexibility of a system that enables more effective security evaluations due to additional opportunities to gather information about an entity before actual security evaluation. (see Linn col 2, lines 26-30) 




Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMAD W REZA whose telephone number is (571)272-6590.  The examiner can normally be reached on Monday-Friday 8:30-5:30 ET.
Examiner interviews are available via telephone, in-person, and video 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 571-272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MOHAMMAD W REZA/Primary Examiner, Art Unit 2436



/CJ/
June 21, 2021