Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This Office Action is in response to the Amendment filed on 06/23/2021.
In the instant Amendment, Claims 1, 9, 10, 14 and 16 have been amended. Claims 1, 14 and 16 are independent claims.  Claims 1-20 have been examined and are pending.  This Action is made FINAL.
Information Disclosure Statement
The information disclosure statement (IDS), submitted on 08/06/2021, is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Response to Arguments
Applicants’ arguments with respect to claims 1-20 have been considered but are moot in view of the new ground(s) of rejection.
Priority
This application is a continuation of U.S. application No. 15/441,154, filed Feb. 23rd, 2017 (Now U.S. patent No. 10,536,478), which application claims priority to U.S. Provisional th, 2017 and to U.S. Provisional Application No.  62/300,715, filed Feb. 26th, 2016. 
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 

“The USPTO internet Web site contains terminal disclaimer forms which may be used. Please visit http://www.uspto.gov/forms/. The filing date of the application will determine what form should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.”
Claims 1-20 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-18 of U.S. Patent Application No. 15/441,154 (Now U.S. patent No. 10,536,478). Although the claims at issue are not identical, they are not patentably distinct from each other because the pending application has all the limitations of U.S. patent No. 10,536,478. The examiner underlined the difference in claim language.
Current Application No. 16/741,501
Application No. 15/441,154 (Now U.S. patent No. 10,536,478)
Claims 1 and 14. A computer-implemented method/system comprising, at a computer system of a security management system:
     obtaining a file including data about network activity associated with a client device on a network of an organization, wherein the network activity is generated when the client device is operating as part of the network of the organization;
     identifying, using the data about the network activity, an application that has been accessed by the client device while the 
     determining, using the data about the network activity, access information associated with the application, wherein the access information includes network activity indicating an access of the application from the client device;
     determining, using the access information, network domain information about the application, wherein the network domain information identifies the service provider;
     determining, using the network domain information, an organization associated with the application; 
     determining an organization-based security indicator for the organization; 
      determining, security information about the application, wherein the security information includes one or more indicators describing a security threat associated with the application; 
      computing, a measure of security for the application using a combination of the one or more indicators describing the security threat associated with the application and the organization-based security indicator for the organization; and

      performing, by applying a security policy based on the measure of security, a remediation action for the application.



       obtaining a file including data about network activity associated with a client device on a network of an organization, wherein the network activity is generated when the client device is operating as part of the network of the organization; 

         determining, using the data about the network activity, access information associated with the application, wherein the access information includes network activity indicating an access of the application from the client device; 
         determining, using the access information, domain information about the application, wherein the domain information identifies the service provider;  
        determining, using the domain information, security information about the application, wherein the security information comprises a first value indicative of a first security threat associated with the application and a second value indicative of a second security threat associated with the application; 
       computing a first weighted value that is based on multiplying the first value by a first weight value; 
       computing a second weighted value that is based on multiplying the second value by a second weight value; 
        computing a first sum that is based on a summation of the first weighted value and the second weighted value; computing a second sum that is based on a summation of the first weight value and the second weight value; 
         computing a measure of security based on dividing the first sum by the second sum; and 


Claim 5. The computer-implemented method of claim 1, further comprising: determining organization information for the application; and generating a graphical interface that displays information about the application, wherein the information about the application is displayed based on the organization information and the measure of security computed for the application, and wherein the graphical interface indicates the remediation action performed for the application.

wherein the security information includes a first value and a second value, wherein the first value is a first indicator of a first security threat associated with the application, wherein the second value that is a second indicator of a second security threat associated with the application, wherein the first indicator is obtained from a first data source, and wherein the second indicator is obtained from a second data source.

Claim 2. The computer-implemented method of claim 1, wherein the first value is obtained from a first data source, and wherein the second value is obtained from a second data source.
Claim 4. The computer-implemented method of claim 3, wherein the first weight value is different from the second weight value, and wherein the first value is different from the second value.
Claim 3. The computer-implemented method of claim 1, wherein the first weight value is different from the second weight value, and wherein the first value is different from the second value.
Claims 5-13
Claims 4-12
Claim 16. A computer-implemented method comprising, at a computer system of a security management system:

        obtaining, from a second service provider system, second data about a second application, wherein the second application is accessed from the second service provider system, and wherein access of the second application is associated with the user;
        determining, using the first data and the second data, access information for a third application that has been accessed by the user;
        searching, using the access information, for network domain information about a provider system that provides the third application; determining security information about the third application;
     determining, using the network domain information, an organization associated with the third application;
         determining an organization-based security indicator for the organization; 
        determining security information about the third application, wherein the security information includes one or more indicators describing a security threat associated with the third application; 
        computing, a measure of security for the third application using a combination of the one or more indicators describing the security threat associated with the application and the organization-based 
        performing, by applying a security policy based on the measure of security, a remediation action for the third application.



      obtaining, from a second service provider system, second data about a second application, wherein the second application is accessed from the second service provider system, and wherein access of the second application is associated with the user;   
       determining, using the first data and the second data, access information for a third application that has been accessed by the user; searching, using the access information, for domain information about a provider system that provides the third application; 
         determining security information about the third application, the security information comprising a first value indicative of a first security threat associated with the third application and a second value indicative of a second security threat associated with the third application; 
         computing a first weighted value that is based on multiplying the first value by a first weight value; 
        computing a second weighted value that is based on multiplying the second value by a second weight value; computing a first sum that is based on a summation of the first weighted value and the second weighted value; computing a second sum that is based on a summation of the first weight value and the second weight value; 
            computing a measure of security based on dividing the first sum by the second sum; and 
        performing, by applying a security policy based on the measure of security, a remediation action for the third application.
Claim 16. The computer-implemented method of claim 14, further comprising: determining organization information for the third application; and generating a graphical interface that displays information about the third application, wherein the information about the third application is displayed based on the organization information and the measure of security computed for the third application, and wherein the graphical interface indicates the remediation action performed for the third application.


Claims 15-17
Claim 20. The computer-implemented method of claim 16, wherein the security information includes a first value that is a first indicator of a first security threat by the third application and a second value that is a second indicator of a second security threat by the third application, wherein the first indicator is obtained from a first source, wherein the first value is different from the second value, wherein the second indicator is obtained from a second source, and wherein computing the measure of security includes: computing a first weighted value that is based on multiplying the first value by a first weight value; computing a second weighted value that is based on multiplying the second value by a second weight value, wherein the first weight value is different from the second weight value; computing a first sum that is based on a summation of the first weighted value and the second weighted value; and computing a second sum that is based on a summation of the first weight value and the second weight value, wherein the measure of security is a value that is computed based on dividing the first sum by the second sum.
ORA170578-US-CNT-195 Attorney Docket No.: 088325-1168688 (185510US)



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.
Claims 1-2, 5-9 and 11-14 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu (US 2017/0063886), in view of Mahabir (US 2017/0244740) and further in view of Thakar (US 2016/0057165).
Regarding claim 1, Muddu discloses a computer-implemented method comprising, at a computer system of a security management system (Muddu abstract. Muddu teaches a security platform that employs a variety of techniques and mechanisms to detect security related anomalies and threats. See also fig. 1):
     obtaining a file including data about network activity (event data) associated with a client device on a network of an organization, wherein the network activity is generated when the client device is operating as part of the network of the organization (Muddu par. 0442-0444. Muddu teaches that threats and anomalies identified from event data generated from network activities. Event data comprises timestamped machine data related to network activity by various entities, including users, devices, and applications. "Users" are employees or others who are associated with an organization. A device may be operated by a user who is registered with the network. See also par. 0135 and 0147);
     identifying, using the data about the network activity, an application that has been accessed by the client device while the client device is operating as part of the network of the organization (Muddu par. 0442-0443 and 0445. Muddu teaches that threats and anomalies identified from event data generated from network activities. Event data comprises timestamped machine data related to network activity by various entities, including users, devices, and applications. “Application information” identifies a program that is executed on a network's servers or on a computer in communication), wherein the application is provided to the client device from a network of a service provider, wherein the network of the organization and the network of the service provider are different networks (outside the organization) (Muddu par. 0445. Muddu teaches that for example, an application might be run by a user without proper authorization, or by an intruder outside the organization);
(information about application activity), wherein the access information includes network activity indicating an access of the application from the client device (Muddu par. 0442 and 0445. Muddu teaches that event data comprises timestamped machine data related to network activity by various entities, including users, devices, and applications. “Application information” identifies a program that is executed on a network's servers or on a computer in communication. Machine data that includes information about application activity is yet another example of event data.),
     determining, security information about the application, wherein the security information includes one or more indicators describing a security threat (feature scores) associated with the application (Muddu par. 0619 and 00622. Muddu teaches that feature scores are calculated on a per-entity basis. Therefore a plurality of feature scores is generated for a particular entity. For example, the table below lists feature scores f_1 through f_n for an example external domain, xyz.com. Generating the feature scores includes analyzing a sequencing of characters in an entity identifier (e.g., a domain name) associated with an entity (internal or external) and assigning a feature score based on the analysis. See also par. 0170, 0304 and 0398);
      computing, using the security information, a measure of security (scored with risk ratings) for the application (Muddu par. 0137 and 0398. Muddu teaches that the security platform can perform user behavioral analytics (UBA), or more generally user/entity behavioral analytics (UEBA), to detect the security related anomalies and threats. Additionally, by presenting analytical results scored with risk ratings. An external database may include a list of domains known to be associated with malicious beacon activity. The process continues with identifying a threat indicator if the particular entity substantially matches a known security risk contained in the external database.); and
       performing, by applying a security policy based on the measure of security, a remediation action for the application (Muddu abstract and par. 0137. Muddu teaches that by presenting analytical results scored with risk ratings and supporting evidence, the security platform can enable network security administrators or analysts to respond to a detected anomaly or threat, and to take action promptly. See also par. 0171 and 0441).
Muddu teaches obtaining a file including data about network activity; identifying, an application has been accessed and computing, using the security information a measure of security (Muddu abstract and par. 0442-0445); however Muddu does not explicitly teach determining, using the network domain information, an organization associated with the application; determining an organization-based security indicator for the organization; computing, a measure of security for the application using a combination of the one or more indicators describing the security threat associated with the application and the organization-based security indicator for the organization.
However, in an analogous field, Mahabir teaches wherein determining, using the network domain information, an organization associated with the application (Mahabir par. 0006. Mahabir teaches that a list of software applications operating within the subscriber organization network; a plurality of properties for each of the software applications, wherein each property in the plurality of properties for each of the software applications is indicative of accessibility of predetermined critical data within the subscriber organization network; and a list of organizational nodes within the subscriber organization); 
(Mahabir par. 0006. Mahabir teaches that determining a risk assessment score for the subscriber organization based on respective software application risk assessment scores);
computing, a measure of security for the application using a combination of the one or more indicators describing the security threat associated with the application and the organization-based security indicator for the organization (Mahabir par. 0006. Mahabir teaches that determining a risk assessment score for the subscriber organization based on respective software application risk assessment scores of each of the list of software applications and respective organizational node risk assessment scores of each of the list of organizational nodes. See also par. 0015 and claim 1).
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the data about the network activity of Muddu using the data about the network activity taught in Mahabir in order to enhance the security of computer systems in a networked environment and alert to data security risks (Mahabir par. 0001).
Muddu and Mahabir teach obtaining a file including data about network activity; identifying, an application has been accessed and computing, using the security information a measure of security (Muddu abstract and par. 0442-0445) and computing, a measure of security for the application using a combination of the one or more indicators describing the security threat associated with the application and the organization-based security indicator for the organization (Mahabir par. 0006); however Muddu and Mahabir do not explicitly teach determining, using the access information, network domain 
However, in an analogous field, Thakar teaches wherein determining, using the access information, network domain information about the application, wherein the network domain information identifies the service provider (its source) (Thakar claim 15 and par. 0015. Thakar teaches a method of identifying Domain Generated Algorithm (DGA) malware, comprising: identifying a domain name by monitoring activity of a network. One or more software programs or appliances may be used to monitor and analyze network activity and conduct an analysis of NX domains in the network to detect DGA malware and identify its source. See also par. 0031).
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the data about the network activity of Muddu and Mahabir using the data about the network activity taught in Thakar in order to determine if the domain name is likely to be part of a domain generated algorithms malware to provide network security management (Thakar abstract and 0001).
Regarding claim 2, Muddu, Mahabir and Thakar disclose the computer-implemented method of claim 1,
Muddu further discloses wherein the security information includes a first value and a second value, wherein the first value is a first indicator of a first security threat associated with the application, wherein the second value that is a second indicator of a second security threat associated with the application, wherein the first indicator is obtained from a first data source, and wherein the second indicator is obtained from a  (Muddu abstract and par. 0339. Muddu teaches that the security platform can include both real-time and batch paths/modes for detecting anomalies and threats. A first engine can first use a particular machine learning model to process a first set of data to produce a score for detecting a network security-related issue, and in doing so, the particular model is trained by the first engine with the first set of data. Thereafter, a second engine uses the same particular machine learning model to process a second set of data for producing a score for detecting a network security-related issue. See also par. 0650).
Regarding claim 5, Muddu, Mahabir and Thakar disclose the computer-implemented method of claim 1,
Muddu further discloses wherein obtaining the file that includes the data about the network activity includes obtaining one or more files from one or more network devices on the network of the organization (Muddu par. 0442-0444. Muddu teaches that threats and anomalies identified from event data generated from network activities. Event data comprises timestamped machine data related to network activity by various entities, including users, devices, and applications. "Users" are employees or others who are associated with an organization), wherein the network of the organization is protected in a computing environment of the organization, the computing environment being secure from a public network (Muddu par. 0442-0443. Muddu teaches that users may be employees or others who are associated with an organization. Users might have unlimited rights or privileges to access an organization's network, or they might be authorized to have only limited network access).
Regarding claim 6, Muddu, Mahabir and Thakar disclose the computer-implemented method of claim 1,
Muddu further discloses further comprising: determining organization information for the application; and generating a graphical interface that displays information about the application, wherein the information about the application is displayed based on the organization information and the measure of security computed for the application (Muddu par. 0140 and Fig. 39A. Muddu teaches that the security platform can include a graphical user interface (GUI) that can create visualizations of the detected anomalies and threats within an organization), and wherein the graphical interface indicates the remediation action performed for the application (Muddu par. 0140 and 0441. Muddu teaches that the security platform can include a graphical user interface (GUI) that can create visualizations of the detected anomalies and optionally, map the threats across an attack kill-chain in a visual way, which the security analysts in the organization can quickly and easily assimilate. Once a user reviews sufficient information to draw a conclusion about a threat, the GUI also enables a user to "take action." See also par. 0171).
Regarding claim 7, Muddu, Mahabir and Thakar disclose the computer-implemented method of claim 1,
Muddu further discloses wherein the data about the network activity is for communications on the network of the organization, wherein identifying the application includes processing the data to identify a communication corresponding to a request for the application (Muddu par. 0442-0443 and 0445. Muddu teaches that threats and anomalies identified from event data generated from network activities. Event data comprises timestamped machine data related to network activity by various entities, including users, devices, and applications. “Application information” identifies a program that is executed on a network's servers or on a computer in communication), and wherein the communication indicates application information about the request for the application, the application information being used to identify the application as being accessed by the client device (Muddu par. 0445. Muddu teaches that “Application information” identifies a program that is executed on a network's servers or on a computer in communication).
Regarding claim 8, Muddu, Mahabir and Thakar disclose the computer-implemented method of claim 7,
Muddu further discloses wherein the access information is determined using the communication, and wherein the access information indicates a timestamp of the network activity for the application, an IP address of a system that provides the application, a media access control (MAC) address of a device used to access the application, and user information about a user of the client device (Muddu par. 0232 and 0443. Muddu teaches that after the entities in event data that represents an event are extracted (e.g., by the field mapper 808), the identity resolution module 812 can identify whether the event data includes a user identifier and/or a machine identifier. A machine identifier is an identifier that can be associated with a machine, a device, or a computing system; for example, a machine identifier can be a media access control (MAC) address, or an Internet Protocol (IP) address. Event data comprises timestamped machine data related to network activity by various entities, including users, devices, and applications. See also par. 0207).
Regarding claim 9, Muddu, Mahabir and Thakar disclose the computer-implemented method of claim 1,
Muddu further discloses wherein the access information indicates an IP address of a system that provides the application, wherein determining the network domain information includes performing a query, based on the IP address of the application, for the network domain information corresponding to a domain that hosts the application (Muddu par. 0232 and 0215. Muddu teaches that the identity resolution module 812 can identify whether the event data includes a user identifier and/or a machine identifier. A machine identifier is an identifier that can be associated with a machine, a device, or a computing system; for example, a machine identifier can be a media access control (MAC) address, or an Internet Protocol (IP) address. For example, an event that records a GET command (which is an action) may indicate that the user is using a machine with a certain IP address to visit a certain website. See also par. 0680).
Regarding claim 11, Muddu, Mahabir and Thakar disclose the computer-implemented method of claim 1,
Muddu further discloses wherein applying the security policy includes determining whether the measure of security satisfies a risk threshold for the application (Muddu par. 0317. Muddu teaches that the model deliberation process thread generates a security-related conclusion based on the score. The security-related conclusion can identify the event or the sequence of events corresponding to the time slice as a security-related anomaly, threat indicator or threat. In one example, the model deliberation process compares the score against a constant threshold and makes the security-related conclusion based on the comparison. See also par. 0186 and 0361), and wherein the remediation action is to configure the network of the organization to prevent the application from being accessed on the network of the organization (Muddu par. 0137 and 0140. Muddu teaches that by presenting analytical results scored with risk ratings and supporting evidence, the security platform can enable network security administrators or analysts to respond to a detected anomaly or threat, and to take action promptly. The security platform can detect anomalies and threats produced by a user, a device, or an application, for example, regardless of whether the entity that causes the anomalies or threats is from outside or inside the organization's network. See also par. 0171).
Regarding claim 12, Muddu, Mahabir and Thakar disclose the computer-implemented method of claim 1,
Muddu further discloses wherein the data about the network activity includes network activity associated with a plurality of users, wherein the plurality of users are a tenant on the network of the organization (Muddu par. 0442-0444. Muddu teaches that threats and anomalies identified from event data generated from network activities. Event data comprises timestamped machine data related to network activity by various entities, including users, devices, and applications. "Users" are employees or others who are associated with an organization. A device may be operated by a user who is registered with the network), and wherein the remediation action is to prevent access to the application by the plurality of users (Muddu par. 0137 and 0171. Muddu teaches that by presenting analytical results scored with risk ratings and supporting evidence, the security platform can enable network security administrators or analysts to respond to a detected anomaly or threat, and to take action promptly. The threats may be provided to a user interface (UI) system 350 for review by a human operator 352. As an example, a visualization map and a threat alert may be presented to the human operator 352 for review and possible action. The output of the analysis module 330 may also automatically trigger actions such as terminating access by a user, terminating file transfer, or any other action that may neutralize the detected threats).
Regarding claim 13, Muddu, Mahabir and Thakar disclose the computer-implemented method of claim 1,
Muddu further discloses wherein the remediation action for the application includes: generating a graphical interface (Muddu par. 0140 and Fig. 39A. Muddu teaches that the security platform can include a graphical user interface (GUI) that can create visualizations of the detected anomalies and threats within an organization); and causing the graphical interface to display a prompt requesting adjustment of a configuration operation of the application, wherein the adjustment is based on the security policy applied to the measure of security (Muddu par. 0140 and 0219. Muddu teaches that the security platform can include a graphical user interface (GUI) that can create visualizations of the detected anomalies and threats within an organization, and optionally, map the threats across an attack kill-chain in a visual way, which the security analysts in the organization can quickly and easily assimilate. The data input and preparation stage then can automatically adjust to understand the new data format, identify identities and relationships in event data in the new format, and create event relationship graphs therefrom).
Regarding claim 14, Muddu discloses a security management system comprising: one or more processors (Muddu Fig. 85; (8510)); and a memory accessible to the one or more processors, wherein the memory stores one or more instructions which, upon execution by the one or more processors (Muddu par. 0743 and Fig. 85 (8520). Muddu teaches that Processor(s) configured to execute the software code and manipulate the data structures. Processing and memory implementations, including various machine-readable storage media, may be used for storing and executing program instructions pertaining to the techniques), causes the one or more processors to perform operations comprising:
obtaining a file including data about network activity (event data) associated with a client device on a network of an organization, wherein the network activity is generated when the client device is operating as part of the network of the organization (Muddu par. 0442-0444. Muddu teaches that threats and anomalies identified from event data generated from network activities. Event data comprises timestamped machine data related to network activity by various entities, including users, devices, and applications. "Users" are employees or others who are associated with an organization. A device may be operated by a user who is registered with the network. See also par. 0135 and 0147);
identifying, using the data about the network activity, an application that has been accessed by the client device while the client device is operating as part of the network of the organization (Muddu par. 0442-0443 and 0445. Muddu teaches that threats and anomalies identified from event data generated from network activities. Event data comprises timestamped machine data related to network activity by various entities, including users, devices, and applications. "Application information" identifies a program that is executed on a network's servers or on a computer in communication), wherein the application is provided to the client device from a network of a service provider, wherein the network of the organization and the network of the service provider are different networks (outside the organization) (Muddu par. 0445. Muddu teaches that for example, an application might be run by a user without proper authorization, or by an intruder outside the organization);
determining, using the data about the network activity, access information associated with the application (information about application activity), wherein the access information includes network activity indicating an access of the application from the client device (Muddu par. 0442 and 0445. Muddu teaches that event data comprises timestamped machine data related to network activity by various entities, including users, devices, and applications. "Application information" identifies a program that is executed on a network's servers or on a computer in communication. Machine data that includes information about application activity is yet another example of event data.),
determining security information about the application, the security information including one or more indicators describing a security threat (feature scores) associated with the application (Muddu par. 0619 and 00622. Muddu teaches that feature scores are calculated on a per-entity basis. Therefore a plurality of feature scores is generated for a particular entity. For example, the table below lists feature scores f.sub.1 through f.sub.n for an example external domain, xyz.com. Generating the feature scores includes analyzing a sequencing of characters in an entity identifier (e.g., a domain name) associated with an entity (internal or external) and assigning a feature score based on the analysis. See also par. 0170, 0304 and 0398);
computing, using the network domain information and the security information, a measure of security (scored with risk ratings) for the application (Muddu par. 0137 and 0398. Muddu teaches that the security platform can perform user behavioral analytics (UBA), or more generally user/entity behavioral analytics (UEBA), to detect the security related anomalies and threats. Additionally, by presenting analytical results scored with risk ratings. An external database may include a list of domains known to be associated with malicious beacon activity. The process continues with identifying a threat indicator if the particular entity substantially matches a known security risk contained in the external database.); and
performing, by applying a security policy based on the measure of security, a remediation action for the application (Muddu abstract and par. 0137. Muddu teaches that by presenting analytical results scored with risk ratings and supporting evidence, the security platform can enable network security administrators or analysts to respond to a detected anomaly or threat, and to take action promptly. See also par. 0171 and 0441).
Muddu teaches obtaining a file including data about network activity; identifying, an application has been accessed and computing, using the security information a measure of security (Muddu abstract and par. 0442-0445); however Muddu does not explicitly teach determining, using the network domain information, an organization associated with the application; determining an organization-based security 
However, in an analogous field, Mahabir teaches wherein determining, using the network domain information, an organization associated with the application (Mahabir par. 0006. Mahabir teaches that a list of software applications operating within the subscriber organization network; a plurality of properties for each of the software applications, wherein each property in the plurality of properties for each of the software applications is indicative of accessibility of predetermined critical data within the subscriber organization network; and a list of organizational nodes within the subscriber organization); 
determining an organization-based security indicator for the organization (Mahabir par. 0006. Mahabir teaches that determining a risk assessment score for the subscriber organization based on respective software application risk assessment scores);
computing, a measure of security for the application using a combination of the one or more indicators describing the security threat associated with the application and the organization-based security indicator for the organization (Mahabir par. 0006. Mahabir teaches that determining a risk assessment score for the subscriber organization based on respective software application risk assessment scores of each of the list of software applications and respective organizational node risk assessment scores of each of the list of organizational nodes. See also par. 0015 and claim 1).
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the data about the network 
Muddu and Mahabir teach obtaining a file including data about network activity; identifying, an application has been accessed and computing, using the security information a measure of security (Muddu abstract and par. 0442-0445) and computing, a measure of security for the application using a combination of the one or more indicators describing the security threat associated with the application and the organization-based security indicator for the organization (Mahabir par. 0006); however Muddu and Mahabir do not explicitly teach determining, using the access information, network domain information about the application, wherein the domain information identifies the service provider.
However, in an analogous field, Thakar teaches wherein determining, using the access information, network domain information about the application, wherein the network domain information identifies the service provider (its source) (Thakar claim 15 and par. 0015. Thakar teaches a method of identifying Domain Generated Algorithm (DGA) malware, comprising: identifying a domain name by monitoring activity of a network. One or more software programs or appliances may be used to monitor and analyze network activity and conduct an analysis of NX domains in the network to detect DGA malware and identify its source. See also par. 0031).
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the data about the network  (Thakar abstract and 0001).
Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Muddu (US 2017/0063886), in view of Mahabir (US 2017/0244740), in view of Thakar (US 2016/0057165) and further in view of Fissel (US 8,495,746).
Regarding claim 10, Muddu, Mahabir and Thakar disclose the computer-implemented method of claim 1,
Muddu, Mahabir and Thakar fail to disclose, but Fissel discloses, wherein the access information indicates source information of the application, the source information indicating a location of the application provided by a host, and wherein determining the network domain information includes sending, to the host, a request for a certificate of the application based on the source information of the application (Fissel col. 5; lines 3-9 and col. 12; lines 49-53 and Fig. 4D (485, 488). Fissel teaches that the ASMP may allow a security professional to search local cached data from all data sources. For example, in one implementation, the ASMP may form a query based on an application ID and/or application acronym specified by a user to search for relevant security data with the specified application among the local cached data from multiple sources. As another example, a query may be formed based on a specified IP address, and the security data associated with the host under the specified IP address may be returned and the ASMP may then determine whether the application is certified 485. For example, in one implementation, if the action review score is greater than 80, then the ASMP may label the application as "certified" 488 to indicate that the high-risk application has been analyzed to mitigate the risk).
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the access information of Muddu, Mahabir and Thakar using the access information taught in Fissel in order to create an application security management platform to evaluate the security performance of the application (Fissel abstract).
Claims 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu (US 2017/0063886), in view of Mahabir (US 2017/0244740), in view of Fissel (US 8,495,746) and further in view of Thakar (US 2016/0057165).
Regarding claim 16, Muddu discloses a computer-implemented method comprising, at a computer system of a security management system (Muddu abstract. Muddu teaches a security platform employs a variety of techniques and mechanisms to detect security related anomalies and threats. See also Fig. 1):
obtaining, from service provider system (a computing system), first data about a first application (applications that execute on computer systems), and wherein access of the first application is associated with a user (Muddu par. 0135 and 0140. Muddu teaches that the example of a security platform is used that may generate machine data from which events can be derived include: web servers, application servers, databases, firewalls, routers, operating systems, and software applications that execute on computer systems, mobile devices, sensors, Internet of Things (IoT) devices, etc. The data generated by such data sources can include, for example, server log files, activity log files, configuration files, messages, network packet data, performance measurements, sensor measurements, etc., which are indicative of performance or operation of a computing system in an information technology environment. The security platform can detect anomalies and threats produced by a user, a device, or an application. See also par. 0442-0444);
obtaining, from service provider system (a computing system), second data about a second application (applications), and wherein access of the second application is associated with the user (Muddu par. 0135 and 0140. Muddu teaches that the example of a security platform is used that may generate machine data from which events can be derived include: web servers, application servers, databases, firewalls, routers, operating systems, and software applications that execute on computer systems, mobile devices, sensors, Internet of Things (IoT) devices, etc. The data generated by such data sources can include, for example, server log files, activity log files, configuration files, messages, network packet data, performance measurements, sensor measurements, etc., which are indicative of performance or operation of a computing system in an information technology environment. The security platform can detect anomalies and threats produced by a user, a device, or an application. See also par. 0442-0444);
determining, using the data, access information for an application that has been accessed by the user (Muddu par. 0442 and 0445. Muddu teaches that event data comprises timestamped machine data related to network activity by various entities, including users, devices, and applications. "Application information" identifies a program that is executed on a network's servers or on a computer in communication. Machine data that includes information about application activity is yet another example of event data.)

(Muddu par. 0619 and 00622. Muddu teaches that feature scores are calculated on a per-entity basis. Therefore a plurality of feature scores is generated for a particular entity. For example, the table below lists feature scores f.sub.1 through f.sub.n for an example external domain, xyz.com. Generating the feature scores includes analyzing a sequencing of characters in an entity identifier (e.g., a domain name) associated with an entity (internal or external) and assigning a feature score based on the analysis. See also par. 0170, 0304 and 0398);
computing, using the network domain information and the security information, a measure of security for the application that has been accessed (Muddu par. 0137, 0398 and 0442. Muddu teaches that the security platform can perform user behavioral analytics (UBA), or more generally user/entity behavioral analytics (UEBA), to detect the security related anomalies and threats. Additionally, by presenting analytical results scored with risk ratings. An external database may include a list of domains known to be associated with malicious beacon activity. The process continues with identifying a threat indicator if the particular entity substantially matches a known security risk contained in the external database. "Application information" identifies a program that is executed on a network's servers or on a computer in communication); and
performing, by applying a security policy based on the measure of security, a remediation action for the application (Muddu abstract and par. 0137. Muddu teaches that by presenting analytical results scored with risk ratings and supporting evidence, the security platform can enable network security administrators or analysts to respond to a detected anomaly or threat, and to take action promptly. See also par. 0171 and 0441).
 determining, using the network domain information, an organization associated with the application (Mahabir par. 0006. Mahabir teaches that a list of software applications operating within the subscriber organization network; a plurality of properties for each of the software applications, wherein each property in the plurality of properties for each of the software applications is indicative of accessibility of predetermined critical data within the subscriber organization network; and a list of organizational nodes within the subscriber organization); 
determining an organization-based security indicator for the organization (Mahabir par. 0006. Mahabir teaches that determining a risk assessment score for the subscriber organization based on respective software application risk assessment scores);
computing, a measure of security for the application using a combination of the one or more indicators describing the security threat associated with the application and the organization-based security indicator for the organization (Mahabir par. 0006. Mahabir teaches that determining a risk assessment score for the subscriber organization based on respective software application risk assessment scores of each of the list of software applications and respective organizational node risk assessment scores of each of the list of organizational nodes. See also par. 0015 and claim 1).
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the data about the network activity of Muddu using the data about the network activity taught in Mahabir in order to enhance the security of computer systems in a networked environment and alert to data security risks (Mahabir par. 0001).
(Muddu abstract and par. 0442-0445) and computing, a measure of security for the application using a combination of the one or more indicators describing the security threat associated with the application and the organization-based security indicator for the organization (Mahabir par. 0006); however Muddu and Mahabir do not explicitly teach the first application and second application are accessed from the first service provider system and second service provider system; data about first, second and third application and searching, using the access information, for network domain information about a provider system that provides the third application.
However, in an analogous field, Fissel teaches wherein the first application and second application are accessed from the first service provider system and second service provider system (collect security data from scan results of applications, computers, and network ports) (Fissel column 2; lines 5-9; lines 16-19 lines 39-49; column 5: lines 3-12. Fissel teaches that ASMP systems may, in one embodiment, implement a live dashboard platform on a computerized system, whereby the platform may receive security data associated with a running application from multiple security tracking systems, evaluate the security performance of the application. The ASMP may employ a scanning management tool to collect security data from scan results of applications, computers, and network ports that have been scanned by the SATS. The ASMP may download security data from a plurality of security data sources, wherein the security data is associated with different applications. The ASMP may form a query based on an application ID and/or application acronym specified by a user to search for relevant security data with the specified application among the local cached data from multiple sources) and data about first, second and third application (applications) (Fissel column 2; lines 16-19, and Fig. 3, (315, 320 and 345). Fissel teaches that the ASMP may download security data from a plurality of security data sources, wherein the security data is associated with different applications implemented at hosts and terminals within the LAN of the entity. The ASMP may analyze the security risk associated with an application based on its risk scores. The ASMP may plot and display an application score trend curve to illustrate the evolution of the risk score of any specific application within a time period, and compared to the overall average risk score of all applications).
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the data about an application of Muddu and Mahabir using the security data of an application taught in Fissel in order to create an application security management platform to evaluate the security performance of the application (Fissel abstract).
Muddu, Mahabir and Fissel teach obtaining a file including data about network activity; identifying, an application has been accessed and computing, using the security information a measure of security (Muddu abstract and par. 0442-0445) and computing, a measure of security for the application using a combination of the one or more indicators describing the security threat associated with the application and the organization-based security indicator for the organization (Mahabir par. 0006); however Muddu, Mahabir and Fissel do not explicitly teach determining, using the access information, network domain information about the application, wherein the domain information identifies the service provider.
determining, using the access information, network domain information about the application, wherein the network domain information identifies the service provider (its source) (Thakar claim 15 and par. 0015. Thakar teaches a method of identifying Domain Generated Algorithm (DGA) malware, comprising: identifying a domain name by monitoring activity of a network. One or more software programs or appliances may be used to monitor and analyze network activity and conduct an analysis of NX domains in the network to detect DGA malware and identify its source. See also par. 0031).
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the data about the network activity of Muddu, Mahabir and Fissel using the data about the network activity taught in Thakar in order to determine if the domain name is likely to be part of a domain generated algorithms malware to provide network security management (Thakar abstract and 0001).
Regarding claim 17, Muddu, Mahabir, Fissel and Thakar disclose the computer-implemented method of claim 16,
Muddu further discloses wherein first service provider system is different from second service provider system, wherein the first service provider system provides access to the first application as a first cloud service, and wherein the second service provider system provides access to the second application as a second cloud service (Muddu par. 0141 and 0155. Muddu teaches that the security platform can be deployed at any of various locations in a network environment. A cloud computing infrastructure is shown, represented in part by a virtualization layer 104. Various cloud computing operating systems or platforms, such as OpenStack™, VMware™, Amazon Web Services™, or GoogleCloud™ may be employed in virtualization layer 104 to create public clouds or private clouds).
Regarding claim 18, Muddu, Mahabir, Fissel and Thakar disclose the computer-implemented method of claim 16,
Muddu further discloses further comprising: determining organization information for the application; and generating a graphical interface that displays information about the application, wherein the information about the application is displayed based on the organization information and the measure of security computed for the application, and wherein the graphical interface indicates the remediation action performed for the application (Muddu par. 0140, 0441 and Fig. 39A. Muddu teaches that the security platform can include a graphical user interface (GUI) that can create visualizations of the detected anomalies and optionally, map the threats across an attack kill-chain in a visual way, which the security analysts in the organization can quickly and easily assimilate. Once a user reviews sufficient information to draw a conclusion about a threat, the GUI also enables a user to "take action." See also par. 0171).
Fissel further discloses a third application (Fissel column 2; lines 16-19, and Fig. 3, (315, 320 and 345). Fissel teaches that the ASMP may download security data from a plurality of security data sources, wherein the security data is associated with different applications implemented at hosts and terminals within the LAN of the entity).
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the data about an application  (Fissel abstract).
Regarding claim 19, Muddu, Mahabir, Fissel and Thakar disclose the computer-implemented method of claim 16,
Muddu further discloses wherein the first data indicates that the first application has been accessed by the user through the application, wherein the second data indicates that the second application has been accessed by the user through the application (Muddu par. 0445. Muddu teaches that for example, an application might be run by a user without proper authorization, or by an intruder outside the organization), and wherein determining the access information includes determining that the application has been accessed to provide access to the application (Muddu par. 0445. Muddu teaches that "Application information" identifies a program that is executed on a network's servers or on a computer in communication).
Fissel further discloses first, second and third application (Fissel column 2; lines 16-19, and Fig. 3, (315, 320 and 345). Fissel teaches that the ASMP may download security data from a plurality of security data sources, wherein the security data is associated with different applications implemented at hosts and terminals within the LAN of the entity).
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the data about an application of Muddu using the security data of an application taught in Fissel in order to create an  (Fissel abstract).
Allowable Subject Matter
Claims 3-4, 15 and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims and if the rejection(s) under nonstatutory obviousness-type double patenting, set forth in this Office action, are resolved.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SANCHIT K SARKER whose telephone number is (571)270-7907.  The examiner can normally be reached on M-F 8:30 AM-5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, FARID HOMAYOUNMEHR can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/SANCHIT K SARKER/Examiner, Art Unit 2495                                                                                                                                                                                                        
/JASON K GEE/Primary Examiner, Art Unit 2495