Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This is in response to the original filing of October 7, 2019 and the preliminary amendment of August 13, 2021. Claims 19-22 have been cancelled. Claim 23 has been amended. Claims 1-18 and 23 are pending and have been considered.

Priority
Application No. 16/594,538, filed 10/07/2019, is a continuation of Application No. 15/620,439, filed 06/12/2017, now U.S. Patent No. 10,439,884; 15/620,439 claims priority from Provisional Application No. 62/490,817, filed 04/27/2017.

Drawings
The drawings filed on 10/17/2019 are accepted.

Specification
The specification filed on 10/17/2019 is accepted.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 10/17/2019 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Election/Restrictions
During a telephone conversation with James E. Mrose, Reg. No. 33,264, on 08/13/2021 a provisional election was made without traverse to prosecute the invention of Group 1, claims 1-18. Affirmation of this election must be made by applicant in replying to this Office action. Claims 19-23 are withdrawn from further consideration by the examiner, 37 CFR 1.142(b), as being drawn to a non-elected invention.

Status of Claims
Non-elected claims 19-22 have been cancelled. Non-elected claim 23 has been amended. Claims 1-18 and 23 are pending.

Claim Objections
Claim 23 is objected to because of the following informality: claim 23 is presented as both withdrawn and currently amended. For examination purposes only, claim 23 is treated as depending from claim 1. Appropriate correction is required.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-18 and 23 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-24 of U.S. Patent No. 10,439,884 B1. Although the claims at issue are not identical, they are not patentably distinct from each other because application claim 1 is anticipated by patent claim 1. Patent claim 1 of Forte et al. '884 recites receiving details of a new …… cybersecurity incident (lines 6-10); localizing a set or subset ….. incident (lines 11-19); creating a custom playbook …….. feature space (lines 20-29); presenting to a user …. incident (lines 30-33); and the user of the security …. incident (lines 34-37). Therefore patent claim 1 of Forte et al. '884 is in essence a “species” of the generic invention of application claim 1. It has been held that a generic invention is anticipated by a species within the scope of the generic invention. See In re Goodman, 29 USPQ2d 2010 (Fed. Cir. 1993).

Application 16/594,538 compared with U.S. Patent No. 10,439,884 B1:

Application claim 1:
1. A method of responding to cybersecurity incidents, comprising:
at a security incident response platform, registering a new cybersecurity incident;
at a playbook generation system:
receiving details of the new cybersecurity incident from the security incident response platform, at least some of the 
localizing a set or subset of nearest neighbors of the new cybersecurity incident in a feature space, the nearest neighbors of the new cybersecurity incident being other cybersecurity incidents having a distance from the new cybersecurity incident within the feature space that is defined by differences in features of the nearest neighbors with respect to the set of features of the new cybersecurity incident; and
creating a custom playbook for responding to the new cybersecurity incident, the custom playbook having one or more prescriptive procedures, for responding to the new cybersecurity incident registered by the security incident response platform, that are based on occurrences of prescriptive procedures 
presenting to a user of the security incident response platform the custom playbook containing the one or more prescriptive procedures for responding to the new cybersecurity incident; and
the user of the security incident response platform initiating the one or more prescriptive procedures contained in the custom playbook to respond to the new cybersecurity incident.

Patent claim 1:
at a security incident response platform, registering a new cybersecurity incident;
at a playbook generation system:
receiving details of the new cybersecurity incident from the security incident response platform, at least some of the 
localizing a set or subset of nearest neighbors of the new cybersecurity incident in a feature space, the nearest neighbors of the new cybersecurity incident being other cybersecurity incidents having a distance from the new cybersecurity incident within the feature space that is defined by differences in features of the nearest neighbors with respect to the set of features of the new cybersecurity incident; and
creating a custom playbook for responding to the new cybersecurity incident, the custom playbook having one or more prescriptive procedures, for responding to the new cybersecurity incident registered by the security incident response platform, that are based on occurrences of prescriptive procedures previously 
presenting to a user of the security incident response platform the custom playbook containing the one or more prescriptive procedures for responding to the new cybersecurity incident;
the user of the security incident response platform initiating the one or more prescriptive procedures contained in the custom playbook to respond to the new cybersecurity incident;
wherein the details of the new cybersecurity incident are contained in fields of a log record, and the playbook generation system transforms the details contained in at least some of the fields into the set of features; and wherein the playbook generation system transforms the details into features using Boolean encoding for fields having a type that is Boolean by nature or that represents presence versus absence, and using one hot encoding for fields having a type that contains a finite set of possible values.

Application claim 2:
2. A method in accordance with claim 1, wherein the details of the new cybersecurity incident are contained in fields of a log record, and the playbook generation system transforms the details contained in at least some of the fields into the set of features.
Application claim 4:
4. A method in accordance with claim 2, wherein the fields are Common Event Format fields.
Application claim 5:
5. A method in accordance with claim 2, wherein the playbook generation system transforms the details into features using Boolean encoding for fields having a type that is Boolean by nature or that represents presence versus absence, and using one hot encoding for fields having a type that contains a finite set of possible values.
(No patent claim is listed opposite application claims 2, 4 and 5; compare the wherein clauses of patent claim 1 above.)

Application claim 3:
3. A method in accordance with claim 2, wherein the at least some of the fields includes a field defining a category of the new cybersecurity incident and at least one field containing details other than a category of the new cybersecurity incident.
Patent claim 2:
2. A method in accordance with claim 1, wherein the at least some of the fields includes a field defining a category of the new cybersecurity incident and at least one field containing details other than a category of the new cybersecurity incident.

Application claim 7:
7. A method in accordance with claim 6, wherein the metric applied to the set of features is computed as an average of weighted feature values.
Patent claim 5:
5. A method in accordance with claim 4, wherein the metric applied to the set of features is computed as an average of weighted feature values.

Application claim 8:
8. A method in accordance with claim 7, wherein the feature values are weighted according to user-settable weights having a numerical value corresponding to relative importance of each feature in the set of features.
Patent claim 6:
6. A method in accordance with claim 5, wherein the feature values are weighted according to user-settable weights having a numerical value corresponding to relative importance of each feature in the set of features.

Application claim 9:
9. A method in accordance with claim 1, wherein the set or subset of nearest 
Patent claim 7:
7. A method in accordance with claim 1, wherein the set or subset of nearest 

Application claim 10:
10. A method in accordance with claim 1, wherein the set or subset of nearest neighbors of the new cybersecurity incident has a predefined cardinality K, and if the playbook generation system cannot localize K nearest neighbors of the new cybersecurity incident, but one or more incidents in the feature space are identical to the new cybersecurity incident, then the playbook generation system localizes the one or more identical incidents as the set or subset of nearest neighbors.
Patent claim 8:
8. A method in accordance with claim 1, wherein the set or subset of nearest neighbors of the new cybersecurity incident has a predefined cardinality K, and if the playbook generation system cannot localize K nearest neighbors of the new cybersecurity incident, but one or more incidents in the feature space are identical to the new cybersecurity incident, then the playbook generation system localizes the one or more identical incidents as the set or subset of nearest neighbors.

Application claim 18:
18. A computer-readable, non-transitory, tangible medium comprising software that, when executed by a processor, causes the processor to perform a method of 
at a security incident response platform, registering a new cybersecurity incident;
at a playbook generation system:
receiving details of the new cybersecurity incident from the security incident response platform, at least some of the details corresponding to a set of features of the new cybersecurity incident;
localizing a set or subset of nearest neighbors of the new cybersecurity incident in a feature space, the nearest neighbors of the new cybersecurity incident being other cybersecurity incidents having a distance from the new cybersecurity incident within the feature space that is defined by differences in features of the nearest neighbors with respect to the set of features of the new cybersecurity incident; and creating a 
presenting to a user of the security incident response platform the custom playbook containing the one or more prescriptive procedures for responding to the new cybersecurity incident; and
permitting the user of the security incident response platform to initiate the one or more prescriptive procedures contained in 

Patent claim 16:
16. A computer-readable, non-transitory, tangible medium comprising software that, when executed by a processor, causes the processor to perform a method of 
at a security incident response platform, registering a new cybersecurity incident;
at a playbook generation system:
receiving details of the new cybersecurity incident from the security incident response platform, at least some of the details corresponding to a set of features of the new cybersecurity incident;
localizing a set or subset of nearest neighbors of the new cybersecurity incident in a feature space, the nearest neighbors of the new cybersecurity incident being other cybersecurity incidents having a distance from the new cybersecurity incident within the feature space that is defined by differences in features of the nearest neighbors with respect to the set of features of the new cybersecurity incident; and creating a 
presenting to a user of the security incident response platform the custom playbook containing the one or more prescriptive procedures for responding to the new cybersecurity incident;
permitting the user of the security incident response platform to initiate the one or more prescriptive procedures contained in 
wherein the details of the new cybersecurity incident are contained in fields of a log record, and the playbook generation system transforms the details contained in at least some of the fields into the set of features; and wherein the playbook generation system transforms the details into features using Boolean encoding for fields having a type that is Boolean by nature or that represents presence versus absence, and using one hot encoding for fields having a type that contains a finite set of possible values.


Claims 1-18 and 23 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 11,074,512 B1. Although the claims at issue are not identical, they are not patentably distinct from each other because application claim 18 is anticipated by patent claim 1. Patent claim 1 of Forte et al. '512 recites receiving details of a new …… cybersecurity incident (lines 8-11); localizing a set or …. Therefore patent claim 1 of Forte et al. '512 is in essence a “species” of the generic invention of application claim 18. It has been held that a generic invention is anticipated by a species within the scope of the generic invention. See In re Goodman, 29 USPQ2d 2010 (Fed. Cir. 1993).
Application 16/594,538 compared with U.S. Patent No. 11,074,512 B2:

Application claim 18:
18. A computer-readable, non-transitory, tangible medium comprising software that, when executed by a processor, causes the processor to perform a method of responding to cybersecurity incidents, comprising:
at a security incident response platform, registering a new cybersecurity incident; at a playbook generation system: receiving details of the new cybersecurity incident from the security incident response platform, at least some of the details corresponding to a set of features of the new cybersecurity incident;
presenting to a user of the security incident response platform the custom playbook containing the one or more prescriptive procedures for responding to the new cybersecurity incident; and
permitting the user of the security incident response platform to initiate the one or more prescriptive procedures contained in the custom playbook to respond to the new cybersecurity incident.

Patent claim 1:
at a security incident response platform, registering a cybersecurity incident; at a playbook generation system: receiving details of the cybersecurity incident from the security incident response platform, at least some of the details corresponding to a set of features of the cybersecurity incident;
at the security incident response platform,
presenting the playbook containing the one or more prescriptive procedures for responding to the cybersecurity incident; and
at the security incident response platform, initiating the one or more prescriptive procedures contained in the playbook to respond to the cybersecurity incident;
wherein the differences in features of the nearest neighbors with respect to the set of features of the cybersecurity incident are calculated, for at least one feature, using a present-or-equal metric having a first value if both values of the feature are missing or both values are present and equal, a second value if only one value of the feature is missing, but the other value is present, and a third value if both values of the feature are present, but not equal.


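The claims compared above describe one mechanism from several angles: log-record fields are encoded as features (Boolean or presence/absence fields as 0/1, finite-valued fields as one-hot columns), a per-feature present-or-equal metric is averaged with user-settable weights to give a distance, the K nearest past incidents are localized (falling back to identical incidents when K cannot be found), and the playbook is assembled from the procedures those neighbors used. The following Python is an added illustration written for this page; it is not code from the applicant, the patents, or any product. The field schema, the sample incidents and their procedures, the numeric values assigned to the three outcomes of the present-or-equal metric (the claims name them only as first, second and third value), and the radius used to decide that K neighbors cannot be localized are all assumptions.

```python
"""Toy nearest-neighbour playbook generation in the shape the claims describe.

Everything below is illustrative: the schema, the sample incidents and the
constants are assumptions made for this example, not taken from the patents.
"""
from collections import Counter

# Assumed schema: which log-record fields are Boolean, which are encoded by
# presence/absence, and which are categorical with a finite value set.
BOOLEAN_FIELDS = ("malware_detected",)
PRESENCE_FIELDS = ("attachment",)            # 1 if the field exists at all
CATEGORICAL_FIELDS = {
    "cat": ("phishing", "malware", "intrusion"),
    "severity": ("low", "medium", "high"),
}

# Assumed numeric values for the three outcomes of the present-or-equal metric.
BOTH_MISSING_OR_EQUAL, ONE_MISSING, BOTH_PRESENT_UNEQUAL = 0.0, 0.5, 1.0


def encode(record):
    """Transform the fields of one log record into a feature vector.

    Boolean fields -> 0/1, or None when the field is absent;
    presence fields -> 1 if the key exists in the record, else 0;
    categorical fields -> one one-hot column per allowed value (all None
    when the field is absent, so the missing case is visible to the metric).
    """
    feats = {}
    for f in BOOLEAN_FIELDS:
        v = record.get(f)
        feats[f] = None if v is None else int(bool(v))
    for f in PRESENCE_FIELDS:
        feats[f] = int(f in record)
    for f, values in CATEGORICAL_FIELDS.items():
        v = record.get(f)
        for val in values:
            feats[f"{f}={val}"] = None if v is None else int(v == val)
    return feats


def present_or_equal(a, b):
    """Per-feature difference with the three cases the '512 claim lists."""
    if a is None and b is None:
        return BOTH_MISSING_OR_EQUAL
    if a is None or b is None:
        return ONE_MISSING
    return BOTH_MISSING_OR_EQUAL if a == b else BOTH_PRESENT_UNEQUAL


def distance(fa, fb, weights):
    """Average of weighted per-feature differences; unlisted features weigh 1."""
    num = den = 0.0
    for name, va in fa.items():
        w = weights.get(name, 1.0)
        num += w * present_or_equal(va, fb.get(name))
        den += w
    return num / den if den else 0.0


def localize_neighbors(new_feats, history, k, weights, radius=0.5):
    """Indices of the K nearest past incidents.

    Assumption: a neighbour must lie within `radius`. If fewer than K past
    incidents do, fall back to those identical to the new one (distance 0),
    which may be an empty set.
    """
    scored = sorted(
        (distance(new_feats, encode(h["record"]), weights), i)
        for i, h in enumerate(history)
    )
    within = [(d, i) for d, i in scored if d <= radius]
    if len(within) >= k:
        return [i for _, i in within[:k]]
    return [i for d, i in within if d == 0.0]


def create_playbook(new_record, history, k=3, weights=None):
    """Custom playbook: procedures ordered by how often the neighbours used them."""
    weights = weights or {}
    idx = localize_neighbors(encode(new_record), history, k, weights)
    counts = Counter(p for i in idx for p in history[i]["procedures"])
    # most frequent first; ties broken by name so the result is deterministic
    return [p for p, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


# Constructed sample history of past incidents and the procedures used on them.
HISTORY = [
    {"record": {"cat": "phishing", "severity": "medium", "malware_detected": False,
                "attachment": "invoice.doc"},
     "procedures": ["quarantine_email", "reset_credentials"]},
    {"record": {"cat": "phishing", "severity": "high", "malware_detected": True,
                "attachment": "payload.xls"},
     "procedures": ["quarantine_email", "isolate_host", "reset_credentials"]},
    {"record": {"cat": "intrusion", "severity": "high", "malware_detected": True},
     "procedures": ["isolate_host", "block_ip"]},
    {"record": {"cat": "malware", "severity": "low", "malware_detected": True},
     "procedures": ["isolate_host"]},
]
# Constructed new incident as received from the response platform.
NEW_INCIDENT = {"cat": "phishing", "severity": "high", "malware_detected": True,
                "attachment": "stmt.pdf"}

if __name__ == "__main__":
    print(create_playbook(NEW_INCIDENT, HISTORY, k=3))
```

With the sample data, the second historical incident is identical to the new one and two others lie within the radius, so K=3 is satisfied and the playbook ranks isolate_host, quarantine_email and reset_credentials (two occurrences each) ahead of block_ip. Raising K to 4 triggers the fallback of claim 10 and only the identical incident contributes; a new incident with fewer than K neighbours in range and no identical match yields an empty playbook, which a real system should surface to the analyst rather than silently present nothing.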
Conclusion
The following prior art is cited to further show the state of the art at the time of applicant's invention.
Han et al., U.S. 9,628,506 B1, Systems and methods for detecting security events.
Hillard et al., U.S. 2018/0191763 A1, System and method for determining network security threats.
McGrew et al., U.S. 2018/0191748 A1, Associating a user identifier detected from web traffic with a client address.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FATOUMATA TRAORE whose telephone number is (571) 270-1685. The examiner can normally be reached 6:30-3:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, SHEWAYE GELAGAY, can be reached at (571) 272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Saturday, August 14, 2021
/FATOUMATA TRAORE/                         Primary Examiner, Art Unit 2436