Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 9/8/21 has been entered.
Claims 1, 3, 5-11, 14, and 18-22 are amended.  Claims 1-22 are pending.


Response to Arguments

Applicant’s arguments with respect to claim(s) 1, 14, and 22 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1-9, 11, and 13-22 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by USP Application Publication 2018/0139227 to Martin et al., hereinafter Martin.
As per claim 1, Martin teaches storing a plurality of entity models for a plurality of different types of entities at a threat management facility for an enterprise network (Fig. 1, security risk model), the plurality of different types of entities including at least one of an identity and access management system, a domain controller, a physical device, a user, an operating system, or an application associated with the enterprise network (0012, 0040), and each of the plurality of entity models characterizing a baseline of expected events (0014) in an event vector space (0031) based on events from a corresponding entity over an historical window (0014 and 0031); 
instrumenting one or more compute instances associated with two or more of the plurality of different types of entities to report event vectors based on one or more events from one or more sensors associated with the one or more compute instances (0031 and 0032); 
receiving an event stream at the threat management facility, the event stream including a plurality of event vectors from the one or more compute instances (Fig. 3, S111 and S121; 0069, 0071, and 0077); 

selecting a remedial action for the one or more compute instances when the risk score exceeds a threshold (0065 and 0083).

As per claims 14 and 22, they are rejected for the same reasons as claim 1.  Additionally, Martin teaches a multi-dimensional vector distance (0031, 0050, and 0059).

As per claims 2 and 15, Martin teaches the threshold is algorithmically determined (Fig. 3, S130 and 0071).

As per claims 3 and 16, Martin teaches the threat management facility stores a plurality of entity models for a plurality of entities within the enterprise network (Fig 1, security risk model and 0013).

As per claims 4 and 17, Martin teaches the event stream includes event vectors from a plurality of compute instances associated with the enterprise network (0031).

As per claims 5 and 18, Martin teaches the event stream includes event vectors from two or more different entities associated with the one or more compute instances (0031 and 0069). 

As per claim 7, Martin teaches code that performs the step of refining one or more of the plurality of entity models based on additional event vectors in the event stream received after the entity model is created (0041, 0042).

As per claim 8, Martin teaches instrumenting the compute instance includes configuring the one or more compute instances to normalize at least one of the events from at least one of the sensors (0062).

As per claim 9, Martin teaches configuring the one or more compute instances to tokenize at least one of the events from at least one of the one or more sensors (0065 and 0066).

As per claim 11, Martin teaches instrumenting the compute instance includes prioritizing at least one of the events from at least one of the sensors (0071).

As per claim 13, Martin teaches the distance is evaluated using a k-nearest neighbor algorithm (0059 and 0079).

As per claim 19, Martin teaches the entity includes at least one of a domain controller, a physical device, a user, an operating system, and an application (0012 and 0040).

As per claim 21, Martin teaches calculating the risk score includes evaluating the vector distance in the event vector space using a k-nearest neighbor algorithm (0059 and 0079).



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Martin in view of USP Application Publication 2017/0085539 to Wishard.

As per claim 10, Martin is silent in explicitly teaching instrumenting the compute instance includes configuring the compute instance to encrypt at least one of the events from at least one of the sensors.  On the other hand, the sensor reports of Wishard are encrypted before being sent to the management node (0010).  Encryption simply offers more security and prevents unauthorized access to the network’s events.  Only the management facility of Martin need have access to the data in order to formulate its models.  The claim is obvious because one of ordinary skill in the art can combine known methods which do not produce unpredictable results.  Encrypting the data for safety does not yield any unpredictable result.

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Martin in view of USP 8,769,676 to Kashyap.

As per claim 12, Martin is silent in explicitly teaching the distance is at least one of a Mahalanobis distance, a Euclidean distance, and a Minkowski distance.  Kashyap teaches the distance is at least one of a Mahalanobis distance, a Euclidean distance, and a Minkowski distance (col. 7, line 31).  Martin also looks for unusual activities by using a model and teaches many possible algorithms to detect drift from normal behavior.  Thus, his invention is not limited to a specific algorithm.  The claim is obvious because one of ordinary skill in the art can substitute known methods which do not produce unpredictable results.  Substituting one modeling algorithm for another does not produce unpredictable results.
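As an added illustration, not code from the application, from Martin or from Kashyap, the following Python sketches the mechanism recited across claims 1, 2, 12, 13 and 21: a per-entity baseline of event vectors over a historical window, a risk score taken as the k-nearest-neighbor distance of a new event vector under a Euclidean, Minkowski or (diagonal-covariance) Mahalanobis metric, an algorithmically derived threshold, and a remedial action selected when the score exceeds it. The entity type, vector fields, the leave-one-out threshold heuristic and all sample values are constructed for the example.

```python
from __future__ import annotations
import math
import statistics
from typing import Sequence

Vector = Sequence[float]

def minkowski(a: Vector, b: Vector, p: float = 2.0) -> float:
    """Minkowski distance of order p; p=2 is the Euclidean distance, p=1 Manhattan."""
    return sum(abs(x - y) ** p for x, y in zip(a, b)) ** (1.0 / p)

def mahalanobis_diag(a: Vector, b: Vector, variances: Vector) -> float:
    """Mahalanobis distance under a diagonal covariance (simplifying assumption:
    dimensions treated as independent, each scaled by its own baseline variance)."""
    return math.sqrt(sum((x - y) ** 2 / v for x, y, v in zip(a, b, variances)))

class EntityModel:
    """Baseline of expected event vectors for one entity over a historical window."""
    def __init__(self, entity_type: str, baseline: list[Vector], k: int = 3):
        self.entity_type = entity_type
        self.baseline = [tuple(v) for v in baseline]
        self.k = k
        # Per-dimension variance of the baseline, floored to avoid division by zero.
        self.variances = [max(statistics.pvariance(d), 1e-9) for d in zip(*self.baseline)]

    def _distances(self, event: Vector, metric: str, reference: list[tuple]) -> list[float]:
        if metric == "mahalanobis":
            return [mahalanobis_diag(event, b, self.variances) for b in reference]
        p = {"euclidean": 2.0, "manhattan": 1.0}[metric]
        return [minkowski(event, b, p) for b in reference]

    def risk_score(self, event: Vector, metric: str = "euclidean", reference=None) -> float:
        """Risk score: mean distance from the event to its k nearest baseline vectors."""
        ref = self.baseline if reference is None else reference
        nearest = sorted(self._distances(event, metric, ref))[: self.k]
        return sum(nearest) / len(nearest)

    def fit_threshold(self, metric: str = "euclidean", margin: float = 1.5) -> float:
        """Algorithmically derived threshold (constructed heuristic): the largest
        leave-one-out score any baseline vector gets against the rest, times a margin."""
        scores = [self.risk_score(v, metric, self.baseline[:i] + self.baseline[i + 1:])
                  for i, v in enumerate(self.baseline)]
        return margin * max(scores)

def select_remedial_action(score: float, threshold: float) -> str:
    """Act only when the risk score exceeds the threshold."""
    return "isolate_compute_instance" if score > threshold else "none"

# Constructed baseline for a 'user' entity: (logins/hour, failed logins, MB sent).
USER_MODEL = EntityModel("user", [(2, 0, 10), (3, 1, 12), (2, 0, 9), (4, 1, 15), (3, 0, 11)])
```

With this baseline, an ordinary event such as (3, 0, 12) scores well under the fitted threshold while (40, 25, 900) scores far above it, so only the latter selects a remedial action.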


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL R. VAUGHAN whose telephone number is (571)270-7316.  The examiner can normally be reached on Monday - Thursday, 7:30am - 5:00pm, EST.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  

/MICHAEL R VAUGHAN/
Primary Examiner, Art Unit 2431