DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 12/07/2020, 06/04/2021 and 08/18/2021 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA 35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA 35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claim 12 is rejected under 35 U.S.C. 112(d) or pre-AIA 35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.
Claim 12 is an improper dependent claim because it does not further limit the claim from which it depends. Instead, it recites a system of method claim 5, which broadens rather than narrows the scope of claim 5. Claim 12 is therefore improper.
Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Milazzo et al. (Pub. No.: US 2020/0186569) in view of Will et al. (Pub. No.: US 2020/0220885).
Regarding claim 1: Milazzo discloses a computer-implementable method for performing a security operation, comprising:
monitoring an entity, the monitoring observing at least one electronically-observable data source (Milazzo - [0070]: Security monitoring engines may comprise agents deployed on such endpoint devices which collect security events);
deriving an observable based upon the monitoring of the electronically-observable data source (Milazzo - [0033]: the security monitoring engines may identify internal security events that are internal to monitored computing environment, log them, and provide the security logs as internal security event data that may be analyzed by the SIEM rule management system);
identifying a security related activity of the entity, the security related activity being based upon the observable derived from the electronic data source, the security related activity being of analytic utility (Milazzo - [0085]: Fig. 2A, one or more corpora of security knowledge source content are ingested by a cognitive computing system and evaluated to identify content describing security attacks/threats and extracting indicators of compromise (IoCs) (step 212). [0070]: The security monitoring engine(s) may apply SIEM rules to perform some analysis of these security events to identify patterns indicative of suspicious activity that may be indicative of a security attack or vulnerability);
Milazzo does not explicitly teach the following limitations; however, Will discloses them:
associating the security related activity with a component of a cyber kill chain (Will - [0063]: identify security incidents containing observables found in private or public threat intelligence data; identification of observable data intelligence indicating correspondence to an advanced cyber kill chain stage); and,
performing a security operation on the security related activity via a security system, the security operation disrupting performance of the component of the cyber kill chain by affecting performance of the security related activity by the entity (Will - [0092]: If the computer determines that the adjusted magnitude of the selected security incident is greater than the security incident magnitude threshold level, yes output of step 566, then the computer performs a set of mitigation action steps corresponding to the selected security incident (step 568). The set of mitigation action steps may include, for example, sending a security alert to the security analyst for review and possible action).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Milazzo with Will so that identified security incidents are associated with a cyber kill chain stage and a security action is taken to mitigate the security incident. The modification would have allowed the system to mitigate security incidents related to the cyber kill chain, thereby enhancing security.
Regarding claim 2: Milazzo as modified discloses, further comprising:
converting the security related activity to entity behavior catalog data, the entity behavior catalog providing an inventory of entity behaviors (Milazzo - [0086]: Fig. 2A, The attack characteristics are categorized into predetermined categories of one or more category types (step 218)); and,
 accessing an entity behavior catalog based upon the entity behavior catalog data when performing the security operation (Milazzo - [0028]: The SIEM rules management system utilizes the machine learning model's evaluation of the IoC relative to the client data and the particular industry, as well as the identification of attack characteristics from the ingested information, their categorization, and the comparison to previously identified security threats or attacks as specified in the security event history trend database, to determine if an attack or threat is recognized in the ingested security event information from the cognitive computing system).
Regarding claim 3: Milazzo as modified discloses wherein:
an entity behavior has an associated attribute, the associated attribute comprising at least one of a user entity attribute associated with the user entity behavior and a non-user entity attribute associated with the non-user entity behavior (Milazzo - [0021]: the term “attack characteristics” refers to combinations of attack vectors/methods/behaviors and/or Indicators of Compromise (IOC) that define and characterize the way that an attack works. Furthermore, in the context of this description, the term “Indicator of Compromise (IoC)” refers to an individual element that is used as a means to compromise a computer system. These IoCs could take the form of IP addresses, file hashes, URLs, executable files, etc. … the attack characteristics of a bank robbery are: the time of the day, the behavior of the individual).
Regarding claim 4: Milazzo as modified discloses wherein:
the entity behavior catalog comprises an entity behavior catalog repository, the entity behavior catalog repository comprising at least one of a security vulnerability scenarios repository, a risk use cases repository, an entity behavior profiles repository, an entity attributes repository, an entity behaviors repository, an activities repository and an observables repository (Milazzo - [0074]: These attack characteristics may be used to populate and/or update a security event history trend database 140 which stores entries specifying security events that represent security threats (or attacks)).
Regarding claim 5: Milazzo as modified discloses wherein:
the cyber kill chain comprises an associated security vulnerability scenario stored within the security vulnerability scenarios repository (Will - [0061]: indicators related to the security incident that are associated with advanced kill chain stage).
The rationale for combining the references is the same as set forth for claim 1.
Regarding claim 6: Milazzo as modified discloses wherein:
Will - [0061]: indicators related to the security incident that are associated with advanced kill chain stage, such as, for example Command and Control instructions or data exfiltration); and,
performance of the component of the cyber kill chain is disrupted by affecting completion of the risk use case (Will - [0092]: the set of mitigation action steps may include the computer automatically blocking or terminating an activity or network session corresponding to the security incident).
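To make the mapped limitations of claims 1 and 6 concrete, the following is an added Python illustration written for this page; it is not code from the application, from Milazzo or from Will. It walks the claimed sequence (monitor an observable data source, derive observables, identify a security related activity of analytic utility, associate it with a cyber kill chain component, and perform a security operation that disrupts that component) over constructed proxy log lines. The log format, the two detection rules and their magnitudes, the block/alert threshold and the stage names (the seven stages of the Lockheed Martin cyber kill chain) are assumptions of the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Seven stages of the Lockheed Martin cyber kill chain (assumed stage vocabulary).
KILL_CHAIN = (
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
)

# Constructed sample log lines from an endpoint proxy agent (not from any reference).
# Documentation IP ranges are used so nothing here points at a real host.
SAMPLE_LOGS = [
    "2021-09-01T10:00:01Z host=ws-12 user=alice event=proxy dst=203.0.113.7 bytes_out=512 interval_s=60",
    "2021-09-01T10:01:01Z host=ws-12 user=alice event=proxy dst=203.0.113.7 bytes_out=510 interval_s=60",
    "2021-09-01T10:02:01Z host=ws-12 user=alice event=proxy dst=203.0.113.7 bytes_out=515 interval_s=60",
    "2021-09-01T10:05:00Z host=ws-12 user=alice event=proxy dst=198.51.100.9 bytes_out=734003200 interval_s=0",
    "2021-09-01T10:06:00Z host=ws-12 user=alice event=proxy dst=example.org bytes_out=4096 interval_s=0",
]

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_observable(line: str) -> dict:
    """Derive an observable (a typed key/value record) from one raw monitored log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    obs = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        obs[key] = int(value) if value.isdigit() else value
    return obs


@dataclass(frozen=True)
class Activity:
    kind: str        # detection rule that fired
    entity: str      # user@host that performed the activity
    target: str      # destination involved
    magnitude: int   # assumed 0-10 severity assigned by the rule
    evidence: tuple  # timestamps of the observables supporting the finding


def identify_activities(observables, beacon_min=3, bulk_bytes=100_000_000):
    """Apply detection rules over observables; return security related activities of analytic utility."""
    found = []
    # Rule 1 (assumed): beaconing = repeated, evenly spaced, small transfers to one destination.
    by_pair = defaultdict(list)
    for o in observables:
        if o.get("event") == "proxy":
            by_pair[(f"{o['user']}@{o['host']}", o["dst"])].append(o)
    for (entity, dst), hits in by_pair.items():
        regular = [o for o in hits if o.get("interval_s", 0) > 0 and o.get("bytes_out", 0) < 4096]
        if len(regular) >= beacon_min and len({o["interval_s"] for o in regular}) == 1:
            found.append(Activity("beaconing", entity, dst, 7, tuple(o["ts"] for o in regular)))
    # Rule 2 (assumed): a single outbound transfer above a byte threshold.
    for o in observables:
        if o.get("event") == "proxy" and o.get("bytes_out", 0) >= bulk_bytes:
            found.append(Activity("bulk_outbound_transfer", f"{o['user']}@{o['host']}",
                                  o["dst"], 9, (o["ts"],)))
    return found


# Assumed mapping from activity kind to the kill chain component it serves.
ACTIVITY_TO_STAGE = {
    "beaconing": "Command and Control",
    "bulk_outbound_transfer": "Actions on Objectives",
}


def associate_kill_chain(activity: Activity) -> str:
    """Associate the activity with a component (stage) of the cyber kill chain."""
    stage = ACTIVITY_TO_STAGE[activity.kind]
    if stage not in KILL_CHAIN:
        raise ValueError(f"unknown kill chain stage: {stage}")
    return stage


def perform_security_operation(activity: Activity, stage: str, threshold: int = 8) -> dict:
    """Disrupt the kill chain component: block and terminate above the magnitude threshold, else alert."""
    if activity.magnitude >= threshold:
        action = "block_destination_and_terminate_session"
    else:
        action = "alert_analyst"
    return {"entity": activity.entity, "target": activity.target, "stage": stage,
            "kind": activity.kind, "action": action}


def run_pipeline(lines, threshold: int = 8):
    """Monitor -> observable -> activity -> kill chain stage -> security operation, for all lines."""
    observables = [parse_observable(line) for line in lines]
    actions = []
    for act in identify_activities(observables):
        stage = associate_kill_chain(act)
        actions.append(perform_security_operation(act, stage, threshold))
    return actions


if __name__ == "__main__":
    for action in run_pipeline(SAMPLE_LOGS):
        print(action)
```

On the sample input the beaconing finding (magnitude 7) falls below the default threshold and only raises an alert, while the bulk transfer (magnitude 9) is blocked; lowering the threshold to 7 makes the pipeline block the command and control channel as well, which is the threshold-driven choice between alerting and automatic disruption that the examiner reads onto Will [0092].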
Regarding claims 7-12: These claims are directed to an apparatus/system and recite limitations corresponding to those of claims 1-6 without further defining over them. Therefore, claims 7-12 are also rejected for the reasons set forth above for claims 1-6.
Regarding claims 13-18: These claims are directed to a computer readable medium and recite limitations corresponding to those of claims 1-6 without further defining over them. Therefore, claims 13-18 are also rejected for the reasons set forth above for claims 1-6.
Regarding claim 19: Milazzo as modified discloses wherein: the computer executable instructions are deployable to a client system from a server system at a remote location (Milazzo - [0070]: Security monitoring engines may comprise agents deployed on such endpoint devices which collect security events).
Regarding claim 20: Milazzo as modified discloses wherein: the computer executable instructions are provided by a service provider to a user on an on-demand basis (Milazzo - [0070]: The security monitoring engine(s) may apply SIEM rules to perform some analysis of these security events to identify patterns indicative of suspicious activity that may be indicative of a security attack or vulnerability, triggering a corresponding action to be performed. Moreover, the security monitoring engine(s) may provide such security event log information to the SIEM rules management system 100 for further evaluation).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Stockdale et al. (Pub. No.: US 2020/0244673) - Multivariate network structure anomaly detector
Hasan (Pub. No.: US 2016/0330219) - Method and device for managing security in a computer network
Berger et al. (Pub. No.: US 2015/0264077) - Computer Implemented Techniques for Detecting, Investigating and Remediating Security Violations to IT Infrastructure
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG LI whose telephone number is (571)272-8729.  The examiner can normally be reached on M-F 8:30-5:30.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's acting supervisor, Kristine Kincaid, can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8729.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MENG LI/
Primary Examiner, Art Unit 2437