Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

This action is in response to the claims filed on 6/11/2019.  Claims 27-46 are pending.  Claims 27 (a method), 34 (a machine), and 41 (a non-transitory CRM) are independent.

Response to Arguments
Applicant’s arguments, see page 11, filed 6/01/2021, with respect to the rejection(s) of claim(s) 27-46 under Halperin in view of Muddu have been fully considered and are persuasive.  Halperin in view of Muddu does not disclose security postures or policy frameworks. Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Halperin, US 2004/0111632 (filed 2003-05), in view of Liang, US 2015/0106867 (filed 2013-10).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 27, 30-34, 37-41, and 44-46 is/are rejected under 35 U.S.C. 103 as being unpatentable over Halperin, US 2004/0111632 (filed 2003-05), in view of Liang, US 2015/0106867 (filed 2013-10).

As to claims 27, 34, and 41, Halperin discloses the method/machine/CRM comprising:
(regarding the memory, processor, and computer readable medium of claims 34 and 41, Halperin ¶ 92 discloses: “methods and apparatus described herein may be readily implemented in hardware or software using conventional techniques.”  A software implementation inherently comprises memory/CPU to execute the software instructions; for example, in the server (108) of Halperin)
generating, by a device, a behavior profile for another device; (“one or more target behavior profiles are defined for computers 500. Each target behavior profile describes behavior that should be the subject of correlation analysis as described in greater detail hereinbelow.” Halperin ¶ 38)
detecting, by the device, one or more real-time (“if the time slot is 5 minutes, it gets all the events that took place in the past 5 minutes.” Halperin ¶ 90. A description of real-time observations. See also Halperin ¶ 59) observations; (“After collecting information regarding target behavior detected at two or more of computers 500,” Halperin ¶ 47)
comparing, by the device, the one or more real-time observations and the behavior profile; (“After collecting information regarding target behavior detected at two or more of computers 500, server 502 may then correlate the presence of target 
generating, by the device and based on comparing the one or more real-time observations and the behavior profile, one or more anomalies; (“in order to determine whether the correlated target behavior corresponds to a predefined suspicious behavior pattern” Halperin ¶ 47) 
…
generating, by the device …, an incident alert; and (“should the server receive an invalid decoy message, or should suspicious behavior be detected for multiple computers, the buffer delay period may be increased by a predetermined amount of time, and users may be notified.” Halperin ¶ 59)
wherein the one or more anomalies is associated with a particular type of behavior, and (Halperin ¶ 47)
…
quarantining (“virus containment actions such as, but not limited to: Suspending any or all messages sent by computer 100” Halperin ¶¶ 23-24), by the device and based on the incident alert, data associated with the other device. (“During the increased delay period, should additional suspicious messages be received, or should other suspicious behavior be detected, if the user and/or system administrator who is authorized to do so has not indicated that the activity is not virus related, only then does the server perform one or more virus containment actions.” Halperin ¶ 59.  See Halperin ¶ 24, suspending all messages from a computer.)

Halperin does not disclose: 
Wherein the other device is associated with a particular security posture;
determining, by the device, whether the one or more anomalies is associated with a particular address; 
and based on, the particular security posture, and a policy framework, [an incident alert],
wherein the policy framework defines different types of behaviors, including the particular type of behavior, and different types of incident alerts, including the incident alert, generated for different security postures including the particular security posture;

Liang discloses:
Wherein the other device is associated with a particular security posture; (“AssetValue is a parameter that represents the importance level of an asset.” Liang ¶ 42 see Applicant’s specification ¶ 29)
determining, by the device, whether the one or more anomalies is associated with a particular address; (“in correlation policy DB 310, a logical correlation policy may define events having the same source IP address, destination IP address,” Liang ¶ 39)
and based on, the particular security posture, (the value of the asset determines risk “The security events extracted or generated by logical correlation engine 301 is sent to asset correlation engine 302.” Liang ¶ 39. “the corresponding asset value is extracted and a risk level of the security event may be calculated based on the asset value.” Liang ¶ 41) and a policy framework, (“Correlation policy DB 310 is used for defining what 
wherein the policy framework defines different types of behaviors, including the particular type of behavior, (“Logical correlation engine 301 reads the original events from event DB and logically correlates the original events based on logical correlation policies defined in correlation policy DB 310” Liang ¶ 39) and different types of incident alerts, including the incident alert, (“At block 405, the SIEM device reports the risk level of the security event to the administrator of network.” Liang ¶ 58. See also Liang figures 5-9, and associated disclosure, discussing calculation of risk level.) generated for different security postures including the particular security posture; (“At block 404, the SIEM device estimates a risk level of the security event based on correlation of the security event and asset attributes of the network.” Liang ¶ 57. See Liang figure 4, correlation with asset attributes, asset value, is the security posture of the relevant asset)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Halperin with Liang by incorporating the logical correlation and risk level estimation of Liang in the system of Halperin to aggregate the anomalous behaviors of Halperin.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Halperin with Liang in order to provide for efficient reporting of security events by avoiding duplicate security events and prioritizing the events based on which devices 

As to claims 30, 37, and 44, Halperin in view of Liang discloses the method/machine/CRM of claims 27, 34, and 41, and further discloses: 
analyzing network traffic patterns; and (“Some examples of target behavior profiles include:…. Sending a file attached to a message several times from the same user;…. Attempting to contact previously unused or unknown IP addresses or IP Sockets.” Halperin ¶¶ 38-46)
wherein detecting the one or more real-time observations comprises: 
detecting the one or more real-time observations based on analyzing the network traffic patterns. (“Some examples of target behavior profiles include:…. Sending a file attached to a message several times from the same user;…. Attempting to contact previously unused or unknown IP addresses or IP Sockets.” Halperin ¶¶ 38-46)

As to claims 31 and 38, Halperin in view of Liang discloses the method/machine/CRM of claims 27 and 34, and further discloses: 
wherein the one or more anomalies include one or more of: a network anomaly (“Attempting to contact previously unused or unknown IP addresses or IP Sockets.” Halperin ¶ 46), a device anomaly (Halperin ¶¶ 40-43), or a user anomaly. (“Sending messages not as a result of a direct user interaction with the Graphic User Interface (GUI) of the message software” Halperin ¶ 40)


wherein the particular address is associated with at least one of: a detected malware infection (“In order to “bait” computer viruses that selectively choose for propagation addresses from address book 102 and folders 104 based on usage, such as by selecting addresses to which computer 100 most recently sent message or to which computer 100 most frequently sends messages, computer 100 preferably sends decoy messages to different decoy addresses at various frequencies in order not to distinguish the pattern of decoy messages from computer 100's normal message-sending patterns.” Halperin ¶ 33), a control-and-command activity, or a security policy (Halperin ¶ 33) (sending a message to the decoy address triggers the security assessment. It is also a security policy).

As to claims 33, 40, and 46 Halperin in view of Liang discloses the method/machine/CRM of claims 27, 34, and 41, and further discloses: 
wherein the other device is a first other device; 
wherein the data associated with the other device is first data; and (“Forwarding messages that are addressed to a decoy address to a third party for analysis, such as a company or other body that produces anti-virus software.” Halperin ¶ 25. The second data also being the message.)
wherein the method further comprises at least one of: 
transferring, based on the incident alert, second data to a second other device, or (“Forwarding messages that are addressed to a decoy address to a third party for 
adding, based on the incident alert, a security protocol to access the first data.

Claim 28, 29, 35, 36, 42, and 43 is/are rejected under 35 U.S.C. 103 as being unpatentable over Halperin, US 2004/0111632 (filed 2003-05), in view of Liang, US 2015/0106867 (filed 2013-10), and Muddu et al., US 2017/0063905 (filed 2015-10).
As to claim 28, 35, and 42, Halperin in view of Liang discloses the method/machine/CRM of claims 27, 34, and 41, but does not disclose:
wherein the behavior profile includes information regarding at least one of: 
a role of a particular user in a network, authorization to use the other device on the network, one or more activities the particular user performs on the other device, one or more addresses that have been connected to the other device, time durations of connections to the other device, a quantity of data transferred to the other device, a quantity of data transferred from the other device, or a total quantity of data transferred.

Muddu discloses: 
wherein the behavior profile includes information regarding at least one of: (“FIG. 6 shows an example representation of a process of building behavior baselines to support the detection of anomalies.” Muddu ¶ 183)
a role of a particular user in a network, 
authorization to use the other device on the network, 
based on event data indicative of network activities of user 602. Likewise, a human administrative user 604 other than user 602 may employ the server 606 to access the data stored in the servers 608. A baseline profile 614 specific for access activities of user 604 can also be generated over time by the security platform 300, based on event data indicative of network activities of user 604.” Muddu ¶ 183)
one or more addresses that have been connected to the other device, (“illustrates raw event data 900 received by the data intake and preparation stage…. uses the IP address “10.33.240.240” to communicate with an external IP address “74.125.239.107” Muddu ¶ 217)
time durations of connections to the other device, 
a quantity of data transferred to the other device, 
a quantity of data transferred from the other device, or 
a total quantity of data transferred.

A person of ordinary skill in the art before the effective filing date of the claimed invention would have modified Halperin in view of Liang with Muddu by incorporating the profile data used in Muddu.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Halperin in view of Liang with Muddu in order to adaptively vary behavior profiles based on individual users and devices, thereby detecting individualized deviations from the historic baseline (Muddu ¶¶ 182 and 185).

As to claim 29, 36, and 43 Halperin in view of Liang discloses the method/machine/CRM of claims 27, 34, and 41, but does not disclose:
wherein generating the behavior profile comprises: 
generating the behavior profile based on one or more of: 
network traffic patterns, or 
behavior patterns of the other device. 

Muddu discloses:
wherein generating the behavior profile comprises: 
generating the behavior profile based on one or more of: 
network traffic patterns, or (“illustrates raw event data 900 received by the data intake and preparation stage…. uses the IP address “10.33.240.240” to communicate with an external IP address “74.125.239.107” Muddu ¶ 217)
behavior patterns of the other device. (“the security platform 300 can generate a baseline profile 612 for access activities of user 602, based on event data indicative of network activities of user 602. Likewise, a human administrative user 604 other than user 602 may employ the server 606 to access the data stored in the servers 608. A baseline profile 614 specific for access activities of user 604 can also be generated over time by the security platform 300, based on event data indicative of network activities of user 604.” Muddu ¶ 183)


.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly:
Chahal et al., US 2016/0191567, discloses a system for configuring the security posture of mobile devices. 
Teeple et al., US 2016/0308898, discloses a system for analyzing events to determine correlation to a kill-chain. 
Tang et al., US 2018/0048667, discloses correlating events for administering enterprise security.
Bassett, US 20160205122, discloses a system for performing security analysis based on risk importance and security posture. 
Nicodemus et al., US 9,923,918, discloses controlling device permissions based on a security posture. 
.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165.  The examiner can normally be reached on M, W-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/MICHAEL W CHAO/Examiner, Art Unit 2492