DETAILED ACTION

Currently pending claims are 1 – 20.

Response to Arguments
As per claim 1 (PART I / 2), Applicant's arguments with respect to the subject matter of the instant claims have been fully considered but are not persuasive.  Applicant asserts Oppenheimer does not teach the plurality of security devices generating the plurality of signals based on monitoring network traffic on the network (Remarks: Page 10).  Examiner respectfully disagrees with the following rationale.
(a) Oppenheimer teaches a plurality of security devices are collectively used to enhance security monitoring and identifying a source of security incidence associated with a predicted security incident (w.r.t. an expected usage) based on a machine learning model such as adaptive heuristics, neural network technologies, etc. (Oppenheimer: Col. 78 Line 19 – 62 and Col. 130 Line 61 – 67); and
(b) Oppenheimer further teaches the security signals can be collected based on monitoring network traffic such as frequency / timing of access when visiting different types of web sites (IP addresses), % of e-mails to/from previously used e-mail addresses, the rate at which e-mail addresses are added, % of calls/text messages, the locations (GPS location) of phone numbers called, etc. (Oppenheimer: Figure 13C / E-1360 & E-1355 and Col. 68 Line 48 – 58) and as such Applicant's arguments are respectfully traversed.

As per claim 1 (PART II / 2), Applicant's arguments with respect to instant claims have been fully considered but are moot in view of the new ground(s) of rejection necessitated by Applicant's amendment – please see the following section for the detail of rationale to make the corresponding prior-art(s) rejections as set forth below.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1 – 2, 6 – 9, 13 – 16 and 20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Oppenheimer (U.S. Patent 9,224,096).  

As per claim 1, 8 & 15 (PART I / 2), Oppenheimer teaches a system, comprising: 
a computing device comprising a processor device and a memory (Oppenheimer: Figure 13C / E-1355 & E-1360: (e.g.) a laptop computer); and 
machine-readable instructions stored in the memory that, when executed by the processor device (see above), cause the computing device to at least: 
analyze a plurality of signals received from a plurality of security devices to identify a predicted security incident associated with a network based on a machine learning model identifying a pattern among the plurality of signals that corresponds to a previous security incident, each of the plurality of signals indicating a potential security issue, the plurality of security devices generating the plurality of signals based on monitoring network traffic on the network (Oppenheimer: see above, Figure 13C / E-1360 & E-1355  & Col. 78 Line 19 – 62, Col. 130 Line 61 – 67, and Col. 68 Line 48 – 58, Col. 237 Line 22 – 28 and Col. 313 Line 37 – 60: 
(a) Oppenheimer teaches a plurality of security devices are collectively used to enhance security monitoring and identifying a source of security incidence associated with a predicted security incident (w.r.t. an expected usage) based on a machine learning model such as adaptive heuristics, neural network technologies, etc. (Oppenheimer: Col. 78 Line 19 – 62 and Col. 130 Line 61 – 67); 
(b) Oppenheimer further teaches the security signals can be collected based on monitoring network traffic such as frequency / timing of access when visiting different types of web sites (IP addresses), % of e-mails to/from previously used e-mail addresses, the rate at which e-mail addresses are added, % of calls/text messages, the locations (GPS location) of phone numbers called, etc. (Oppenheimer: Figure 13C / E-1360 & E-1355 and Col. 68 Line 48 – 58));
calculate a confidence score for the predicted security incident (Oppenheimer: see above & Figure 9C, Col. 35 Line 50 – 53 and Col. 63 Line 46 – 50: (a) determining whether a risk / confidence score exceeds a specified threshold for determining an anomaly incidence and (b) transmitting an alert message including (e.g.) an alert level (a likelihood of actual anomaly) as a numeric scale – i.e. confidence score (FIG. 9C/E-972)); 
evaluate at least one compliance policy to determine whether to perform a remedial action specified in the at least one compliance policy, wherein a determination to perform the remedial action is based at least in part on the confidence score (Oppenheimer: see above & Figure 9A / E-905 & E-920, Col. 202 Line 32 – 34 and Col. 170 Line 51 – 54: performing a remedial action such as (a) transmitting alert messages to the users when a risk / confidence score exceeds the specified threshold, (b) shutting down the calling capability (i.e. blocking the access to a network), etc.); and 
perform the remedial action in response to an evaluation of the at least one compliance policy (Oppenheimer: see above).  

As per claim 2, 9 and 16, Oppenheimer teaches sending a message to a client device associated with an administrative user, the message comprising a summary of the predicted security incident, the confidence score, and the remedial action (Oppenheimer: see above & Figure 3E / E-374 & Figure 9C and Col. 208 Line : transmitting (e.g.) a Text Alerts message which includes type of anomaly, alert signalling parameter and also an alert level (a likelihood of actual anomaly) as a numeric scale – i.e. confidence score (FIG. 9C/E-972)).  

As per claim 6 and 13, Oppenheimer teaches the remedial action specified in the compliance policy indicates that at least one client device is to be blocked from accessing a network (Oppenheimer: see above & Col. 170 Line 51 – 54: shutting down the calling capability (i.e. blocking the access to a network)).  

As per claim 7, 14 and 20, Oppenheimer teaches wherein the plurality of signals are stored in a data store accessible to the computing device (Oppenheimer: see above & Figure 13B: the computing device has remote accessing capability to a plurality of signals collected by the security devices).  

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 3 – 4, 10 – 11 and 17 – 18 are rejected under 35 U.S.C. 103 as being unpatentable over Oppenheimer (U.S. Patent 9,224,096), in view of Roguine et al. (U.S. Patent 10,303,877).  

As per claim 3 – 4, 10 – 11 and 17 – 18, Roguine (& Oppenheimer) teaches causing the computing device to at least perform the remedial action (i) in response to a reply received from the client device associated with the administrative user and (ii) in response to a failure to receive a reply from the client device associated with the administrative user within a predefined period of time (Oppenheimer: see above & Figure 9A / E-905 & E-920, Col. 202 Line 32 – 34 and Col. 170 Line 51 – 54: (a) transmitting alert messages to the users when a risk / confidence score exceeds the specified threshold and (b) (e.g.) shutting down the calling capability (i.e. blocking the access to a network)) || (Roguine: Col. 10 Line 4 – 6 / Line 60 – 67: performing an aggressive BLOCK mode incorporated with a user interaction such as (i) either suspending or stopping the malicious process based on the user’s selection (Roguine: Col. 10 Line 66 – 67) or (ii) including further associated with a warning for a period of time).   
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of performing the remedial action in response to a reply received from the client device associated with the administrative user and in response to a failure to receive a reply from the client device associated with the administrative user within a predefined period of time because Roguine teaches to alternatively, effectively and securely provide a comprehensive security mechanism by performing an aggressive BLOCK mode incorporated with a user interaction such as (i) either suspending or stopping the malicious process based on the user’s selection or (ii) including further associated with a warning for a period of time (see above) within the Oppenheimer’s system of (a) sending alert messages to the users when a risk / confidence score exceeds the specified threshold and (b) (e.g.) shutting down the calling capability (i.e. blocking the access to a network) (see above). 

Claims 5, 12 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Oppenheimer (U.S. Patent 9,224,096), in view of Rossman et al. (U.S. Patent 9,967,285).  

As per claim 5, 12 and 19, Rossman (& Oppenheimer) teaches analyze the plurality of signals to identify the predicted security incident implement a Bayesian network to identify the predicted security incident (Oppenheimer: see above & Col. 130 Line 51 – 66: providing a machine learning module that employs various algorithms including at least adaptive heuristics and neural networks techniques) || (Rossman: Col. 12 Line 40 – 50: employing a plurality of extensive machine learning algorithms using a wide variety of combination of learning methods including at least a Bayesian network technique).  
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of analyzing the plurality of signals to identify the predicted security incident implement a Bayesian network to identify the predicted security incident because Rossman teaches to alternatively, effectively and securely employ a plurality of extensive machine learning algorithms using a wide variety of combination of learning methods including at least a Bayesian network technique (see above) within the Oppenheimer’s system of providing a machine learning module that employs various algorithms including at least adaptive heuristics and neural networks techniques (see above). 

Claims 1 – 2, 6 – 9, 13 – 16 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Yu (U.S. Patent 9,083,677), and in view of Oppenheimer (U.S. Patent 9,224,096).  

As per claim 1, 8 & 15 (PART II / 2), Yu teaches a system, comprising:
a computing device comprising a processor device and a memory (Yu: Figure 2); and 
machine-readable instructions stored in the memory that, when executed by the processor device (see above), cause the computing device to at least: 
analyze a plurality of signals received from a plurality of security devices to identify a predicted security incident associated with a network based on a machine learning model (see below) identifying a pattern among the plurality of signals that corresponds to a previous security incident, each of the plurality of signals indicating a potential security issue, the plurality of security devices generating the plurality of signals based on monitoring network traffic on the network (Yu: Col. 5 Line 26 – 31, Col. 6 Line 36 – 45, Col. 8 Line 6 – 14 and Col. 10 Line 9 – 26: analyzing network traffic on a security threat / risk by using measured data collected from a plurality of security devices).
However, Yu does not teach expressly using a machine learning model. 
Oppenheimer (& Yu) teaches using a machine learning model (Oppenheimer: Col. 130 Line 61 – 67, Col. 68 Line 48 – 58 and Figure 13C / E-1360 & E-1355: (a) utilizing a machine learning model such as adaptive heuristics, neural network technologies, etc. to (b) collect the security signals based on monitoring network traffic such as frequency / timing of access when visiting different types of web sites (IP addresses), etc.).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of using a machine learning model because Oppenheimer teaches to alternatively, effectively and securely utilize a machine learning model such as adaptive heuristics, neural network technologies, etc. to collect the security signals based on monitoring network traffic such as frequency / timing of access when visiting different types of web sites (IP addresses), etc. (see above) within the Yu’s system of analyzing network traffic on a security threat / risk by using measured data collected from a plurality of security devices (see above).
calculate a confidence score for the predicted security incident (Yu: see above & Col. 8 Line 61 – 67: (a) determining whether a risk / confidence score exceeds a specified threshold for detecting an anomaly and (b) utilizing a weight factor to combine different scanning results from a plurality of security devices) || (Oppenheimer: see above); 
evaluate at least one compliance policy to determine whether to perform a remedial action specified in the at least one compliance policy, wherein a determination to perform the remedial action is based at least in part on the confidence score (Yu: see above & Figure 5 / E-507: accordingly, denying the (high-risk) network access) || (Oppenheimer: see above); and 
perform the remedial action in response to an evaluation of the at least one compliance policy (Yu: see above) || (Oppenheimer: see above).  

As per claim 2, 9 and 16, Yu as modified teaches sending a message to a client device associated with an administrative user, the message comprising a summary of the predicted security incident, the confidence score, and the remedial action (Yu: see above) || (Oppenheimer: see above & Figure 3E / E-374 & Figure 9C and Col. 208 Line : transmitting (e.g.) a Text Alerts message which includes type of anomaly, alert signalling parameter and also an alert level (a likelihood of actual anomaly) as a numeric scale – i.e. confidence score (Yu: see above) || (Oppenheimer: FIG. 9C/E-972)).  

As per claim 6 and 13, Yu as modified teaches the remedial action specified in the compliance policy indicates that at least one client device is to be blocked from accessing a network (Yu: see above) || (Oppenheimer: see above & Col. 170 Line 51 – 54: shutting down the calling capability (i.e. blocking the access to a network)).  

As per claim 7, 14 and 20, Yu as modified teaches wherein the plurality of signals are stored in a data store accessible to the computing device (Yu: see above) || (Oppenheimer: see above & Figure 13B: the computing device has remote accessing capability to a plurality of signals collected by the security devices).  

Claims 3 – 4, 10 – 11 and 17 – 18 are rejected under 35 U.S.C. 103 as being unpatentable over Yu (U.S. Patent 9,083,677), Oppenheimer (U.S. Patent 9,224,096), and in view of Roguine et al. (U.S. Patent 10,303,877).  

As per claim 3 – 4, 10 – 11 and 17 – 18 (PART II / 2), Roguine (& Yu as modified) teaches causing the computing device to at least perform the remedial action (i) in response to a reply received from the client device associated with the administrative user and (ii) in response to a failure to receive a reply from the client device associated with the administrative user within a predefined period of time (Yu: Col. 2 Line 34 – 35: malicious network malware can be identified and blocked by the security devices) || (Roguine: Col. 10 Line 4 – 6 / Line 60 – 67: performing an aggressive BLOCK mode incorporated with a user interaction such as (i) either suspending or stopping the malicious process based on the user’s selection (Roguine: Col. 10 Line 66 – 67) or (ii) including further associated with a warning for a period of time).   
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of performing the remedial action in response to a reply received from the client device associated with the administrative user and in response to a failure to receive a reply from the client device associated with the administrative user within a predefined period of time because Roguine teaches to alternatively, effectively and securely provide a comprehensive security mechanism by performing an aggressive BLOCK mode incorporated with a user interaction such as (i) either suspending or stopping the malicious process based on the user’s selection or (ii) including further associated with a warning for a period of time (see above) within the Yu’s system of identifying and blocking malicious network malware by the security devices (see above). 

Claims 5, 12 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Yu (U.S. Patent 9,083,677), Oppenheimer (U.S. Patent 9,224,096), and in view of Rossman et al. (U.S. Patent 9,967,285).  


As per claim 5, 12 and 19 (PART II / 2), Rossman (& Yu as modified) teaches analyze the plurality of signals to identify the predicted security incident implement a Bayesian network to identify the predicted security incident (Yu: see above: analyzing network traffic on a security threat / risk by using measured data collected from a plurality of security devices) || (Rossman: Col. 12 Line 40 – 50: employing a plurality of extensive machine learning algorithms using a wide variety of combination of learning methods including at least a Bayesian network technique).  
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of analyzing the plurality of signals to identify the predicted security incident implement a Bayesian network to identify the predicted security incident because Rossman teaches to alternatively, effectively and securely employ a plurality of extensive machine learning algorithms using a wide variety of combination of learning methods including at least a Bayesian network technique (see above) within the Yu’s system of analyzing network traffic on a security threat / risk by using measured data collected from a plurality of security devices (see above). 

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to LONGBIT CHAI whose telephone number is (571)272-3788.  The examiner can normally be reached on Monday - Friday 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D. Feild can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


---------------------------------------------------
                  /Longbit Chai/
           Longbit Chai E.E. Ph.D.
    Primary Examiner, Art Unit 2431
                   No. #2290 – 2021
---------------------------------------------------