Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.



DETAILED ACTION
This action is in response to the communication filed on 07/02/2019.
Claims 1-20 are under examination.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4-5, 7-10, 12-13, 15-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over May et al. (US 2015/0281277 A1) and Elsner et al. (US 2019/0349391 A1).
Regarding claim 1, May et al. discloses A method comprising: detecting, by one or more computers, computer-related actions performed by a user [par. 0056, “the controller 106 is configured to monitor network level interactions… user level activity of each user”]; computing, by one or more of the computers, one or more behavior-based risk scores for the user based on the user's computer-related actions [par. 0058, “computing a client reputation (CR) score for each user based on his/her network usage/interaction with reference to compliance/expected behavior”]; defining, by one or more of the computers, one or more behavior-based firewall rules depending on the user's one or more behavior-based risk scores [par. 0053, network appliance 104 such as firewall, par. 0054, “appliance 104 can be operatively coupled with, or can incorporate, a security rules database (not shown) that comprises all rules”, par. 0068, “client reputation (CR) score can be retrieved and evaluated for each user at the beginning of a session and based on the evaluation, network policies can be assigned at the beginning of the session itself. CR scores can also be updated/modified periodically based on user behavior, profile, interactions, preferences, among other like parameters, based on which policies assigned earlier can be replaced with more appropriate policies”]; and regulating, by one or more of the computers, the user's computer-related actions according to at least the one or more behavior-based firewall rules [par. 0013, “wherein the policy governs the manner in which the user can access the network via one or more interface mechanisms. In an instance, one policy can be configured to block, rate limit, or impose one or more network access restrictions on a first user”].


However, Elsner et al. teaches logging, by one or more of the computers, the user's computer-related actions [par. 0007, “the system takes input from a data server that logs user activities”, par. 0036, “real-time log event”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Elsner et al. into the teaching of May et al. with the motivation for user behavior analysis that detects when users deviate from expected behavior as taught by Elsner et al. [Elsner et al.: abs.].
Regarding claim 2, the rejection of claim 1 is incorporated.
May et al. further discloses defining, without input from a user, the one or more behavior-based firewall rules depending on the user's one or more behavior-based risk scores [par. 0068, “CR scores can also be updated/modified periodically based on user behavior, profile, interactions, preferences, among other like parameters, based on which policies assigned earlier can be replaced with more appropriate policies”, par. 0073, “based on a change in grade and/or CR score, policy can also be dynamically updated so as to control access rights and privileges based on network level interactions and activities of the user”, par. 0081, “Any change in assignment of VLAN subsequent to first time assignment can be automatically/manually updated to appliance 304 along with also being updated in CRDB 308”].
Regarding claim 4, the rejection of claim 1 is incorporated.
[par. 0011, “CR scores, also interchangeably referred to as reputation scores hereinafter, indicate a quantitative and/or qualitative measure of level of network activity that a resource, say an internal resource, does with external resources. Such activity can relate to requests that internal resource sends out to network (traffic generated), requests that the resource receives (traffic received), types of events (such as blocked connections, virus transmissions, connections to undesired sites, websites visited, invalid DNS queries, among other like events) that the resource participates in, among other like activities, and attributes thereof”, par. 0071, “a user with a higher designation and/or more time with the organization and a given CR score can be categorized in a lower risk category”].
Regarding claim 5, the rejection of claim 1 is incorporated.
May et al. further discloses regulating the user's computer-related actions according to a firewall table comprising a plurality of firewall rules; and adding the one or more behavior-based firewall rules to the firewall table, wherein the user's computer-related actions are regulated according to the plurality of firewall rules of the firewall table and the one or more behavior-based firewall rules of the user [par. 0011, “CR scores, also interchangeably referred to as reputation scores hereinafter, indicate a quantitative and/or qualitative measure of level of network activity that a resource, say an internal resource, does with external resources. Such activity can relate to requests that internal resource sends out to network (traffic generated), requests that the resource receives (traffic received), types of events (such as blocked connections, virus transmissions, connections to undesired sites, websites visited, invalid DNS queries, among other like events) that the resource participates in, among other like activities, and attributes thereof”, par. 0071, “a user with a higher designation and/or more time with the organization and a given CR score can be categorized in a lower risk category”, par. 0087, “due to non-compliance with defined policies, the CR score of the user increases to 45. Based on this, a stricter VLAN policy 3 is dynamically assigned to the user”].
Regarding claim 7, the rejection of claim 1 is incorporated.
May et al. further discloses regulating the user's computer-related actions according to a firewall table comprising a plurality of firewall rules; and adding the one or more behavior-based firewall rules to the firewall table, wherein the user's computer-related actions are regulated according to the plurality of firewall rules of the firewall table and the one or more behavior-based firewall rules of the user [par. 0082, “FIG. 4 is an exemplary table 400 illustrating VLANs being associated with network security policies, and settings defined for VLAN for allowing network access in accordance with an embodiment of the present invention. As shown, each VLAN can be associated with its details such as bandwidth that its policy allows, configuration of filters that define network policy for the respective VLAN”, par. 0081, “In case an appropriate policy does not already exist, a new policy can also be created, or an existing policy can also be customized to define a desired policy for the user”].
Regarding claim 8, the rejection of claim 1 is incorporated.
[par. 0072, “wherein the policy governs the manner in which the user can access the network via one or more interface mechanisms. In an instance, one policy can be configured to block, rate limit, or impose one or more network access restrictions on a first user, whereas another policy can be configured to allow all web-level requests from a second user to be processed”].
Regarding claim 9, it recites limitations similar to claim 1. The reason for the rejection of claim 1 is incorporated herein.
Regarding claim 10, it recites limitations similar to claim 2. The reason for the rejection of claim 2 is incorporated herein.
Regarding claim 12, it recites limitations similar to claim 4. The reason for the rejection of claim 4 is incorporated herein.
Regarding claim 13, it recites limitations similar to claim 5. The reason for the rejection of claim 5 is incorporated herein.
Regarding claim 15, it recites limitations similar to claim 8. The reason for the rejection of claim 8 is incorporated herein.
Regarding claim 16, it recites limitations similar to claim 1. The reason for the rejection of claim 1 is incorporated herein.
Regarding claim 17, it recites limitations similar to claim 5. The reason for the rejection of claim 5 is incorporated herein.
Regarding claim 18, it recites limitations similar to claim 4. The reason for the rejection of claim 4 is incorporated herein.
Regarding claim 20, it recites limitations similar to claim 7. The reason for the rejection of claim 7 is incorporated herein.

Claims 3 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over May et al. (US 2015/0281277 A1) and Elsner et al. (US 2019/0349391 A1) as applied to claims 1-2, 4-5, 7-10, 12-13, 15-18 and 20 above, and further in view of Satish et al. (US 8,353021 B1).
Regarding claim 3, the rejection of claim 1 is incorporated.
May et al. further discloses periodically updating the user's one or more behavior-based risk scores as additional computer-related actions by the user are detected and logged; and updating the user's one or more behavior-based firewall rules [par. 0067, par. 0068, “CR scores can also be updated/modified periodically based on user behavior, profile, interactions, preferences, among other like parameters, based on which policies assigned earlier can be replaced with more appropriate policies”].  
May et al. and Elsner et al. do not explicitly disclose updating the user's one or more behavior-based firewall rules by deleting previously defined behavior-based firewall rules and defining new behavior-based firewall rules.
However Satish et al. teaches updating the user's one or more behavior-based firewall rules by deleting previously defined behavior-based firewall rules and defining new behavior-[col. 5, lines 55-57, “the firewall monitoring module 320 of client 100A detects 402 a new firewall rule applied to the firewall 120A of that client 100A. This new firewall rule may be a completely new rule, or it may be a change to or deletion of an existing firewall rule”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Satish et al. into the teaching of May et al. and Elsner et al. with the motivation to apply new firewall rules or change existing ones as taught by Satish et al. [Satish et al.: col. 5, lines 31-32].
Regarding claim 11, it recites limitations similar to claim 3. The reason for the rejection of claim 3 is incorporated herein.

Claims 6, 14 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over May et al. (US 2015/0281277 A1) and Elsner et al. (US 2019/0349391 A1) as applied to claims 1-2, 4-5, 7-10, 12-13, 15-18 and 20 above, and further in view of Cullimore et al. (US 2013/0061313 A1).
Regarding claim 6, the rejection of claim 1 is incorporated.
May et al. discloses defining a behavior-based firewall rule for computer-related action.
May et al. and Elsner et al. do not explicitly disclose defining a firewall rule for each different kind of computer-related action by the user.
However, Cullimore et al. teaches defining a firewall rule for each different kind of computer-related action by the user [par. 0016, “The predetermined firewall policies may comprise predetermined policies based on IP addresses and/or protocols, applications, user identity, and network activity”].
[Cullimore et al.: par. 0014].
Regarding claim 14, it recites limitations similar to claim 6. The reason for the rejection of claim 6 is incorporated herein.
Regarding claim 19, it recites limitations similar to claim 6. The reason for the rejection of claim 6 is incorporated herein.

 
Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure:
US 20170134412 A1		ADAPTIVE BEHAVIOR PROFILING AND ANOMALY SCORING THROUGH CONTINUOUS LEARNING
US 20190260782 A1		ARTIFICIAL INTELLIGENCE RESEARCHER ASSISTANT FOR CYBERSECURITY ANALYSIS
US 20180375884 A1		DETECTING USER BEHAVIOR ACTIVITIES OF INTEREST IN A NETWORK
US 10348771 B2		Learned behavior based security
US 20200285737 A1		DYNAMIC CYBERSECURITY DETECTION OF SEQUENCE ANOMALIES

US 10904277 B1		Threat intelligence system measuring network threat levels
US 20160182556 A1		SECURITY RISK SCORE DETERMINATION FOR FRAUD DETECTION AND REPUTATION IMPROVEMEN		

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON CHIANG whose telephone number is (571)270-3393.  The examiner can normally be reached on 9 AM to 6 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild, can be reached on (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.