DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 08/25/2021 has been entered.
 
Response to Amendment
The Amendment filed on 08/02/2021 has been entered. 
The objection to claim 20 is withdrawn in view of the amendment.
Claims 1, 15 and 20 are amended.
Claims 1-20 are pending, of which claims 1 and 15 are independent claims.

Response to Arguments
The applicant's arguments filed on 08/02/2021 regarding claims 1-20 have been fully considered but they are not persuasive.
1) Regarding the argument that “there is no disclosure in either reference of "receiving, via a collecting agent, a log comprising a plurality of items from one of a plurality of assets." Importantly, the collecting 
2) Regarding the argument for the limitation “determining an exposure of the plurality of assets to the suspicious item” that “inspecting suspect malware - not a suspicious item in a log file - and then classifying suspect objects”, the examiner respectfully disagrees because the limitation as claimed does not specifically define the structure or algorithm for how to determine an exposure of the plurality of assets. Secondly, as disclosed in Fig. 6, step (b) of Golshan, the inspection of suspected objects uses plural inspection methods (i.e. rules) to create information about the nature of the potential threat posed by the suspect objects. Therefore, the prior art teaches the argued limitation. The examiner suggests that applicant amend the exposure check with more details from the specification of the instant application, paragraphs [0053-0054].
3) Regarding the argument for the limitation “calculating a total score for the suspicious item based on the inspection, the exposure, and the enriching” that “Golshan discloses aggregating a plurality of scores, but does not disclose that the scores are based on inspection, exposure, and enriching. As noted above, Golshan does not determine exposure, and it does not disclose that it determines a score for enriching - it simply adds metadata to the suspect object. Therefore, Golshan cannot disclose this element”, the examiner respectfully disagrees because, again, the argued limitation does not provide any detailed algorithm or structure about how the inspection, the exposure, and the enriching are used in the aggregate score calculation. Secondly, Golshan, Fig. 6 discloses that a plurality of scores are calculated after steps (a) and (b), which are the inspection, the exposure, and the enriching. Therefore, aggregating from plural scores teaches the argued limitation.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:



Claims 1-5, 9, 11-13, 15-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Seigel (Pub. No.: US 2017/0031741) in view of Golshan et al. (Patent No.: US 9,686.293) and Varghese (Pub. No.: US 2009/0089869).
Regarding claim 15: Seigel discloses A system for automated detection and analysis of security threats, comprising: 
a plurality of assets (Seigel - [0014]: multiple agents); 
a watch rule database (Seigel - [0047]: one or more criteria); 
an electronic device comprising at least one computer processor; and a memory comprising a computer program (Seigel - [0071]: Fig. 7, The computing device 700 may include at least one processor 702, a memory 704); 
wherein the computer program performs the following: 
receiving, via a collecting agent, a log comprising a plurality of items from one of the plurality of assets (Seigel - [0039]: the agents 108, 110, and 112 may monitor activities associated with various network elements, such as the databases 102, the user devices 104, and the servers 106. The agents 108, 110, 112 may generate the one or more event logs 114 based on monitoring the activities. Each of the event logs 114 may be associated with one (or more) activities. The event logs 114 may be sent to the central server 116); 
identifying a suspicious item in the log by inspecting the plurality of items in the log using at least one rule from the watch rule database (Seigel - [0047]: to identify event logs associated with malicious activity, the criteria to determine whether an event log is interesting may be based on criteria indicative of malicious activity); 
However, Seigel doesn’t explicitly teach but Golshan discloses:
an exposure check rule database (Golshan - [Col. 5, Line 44]: pre-defined heuristics); and 
Golshan - [Col. 6, Line 11-12]: (a) identifying a plurality of suspect objects (602) comprising data about network transactions or computer operations suspected of being linked to a security risk; [Col. 5, Line 43-44]: the analytical facilities 408 may include classifying suspect objects on the basis of pre-defined heuristics); 
enriching the suspicious item with additional data (Golshan - [Col. 6, Line 13-14]: transmitting the suspect objects (604) along with metadata to an inspection service operating); 
calculating a total score for the suspicious item based on the inspection, the exposure, and the enriching (Golshan - [Col. 6, Line 24-26]: transmitting said one or more scores (608) to a correlation facility which aggregates a plurality of scores);
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Seigel with Golshan so that the assets' exposure to the suspicious item is identified and additional data about the suspect objects is obtained to derive a final score. The modification would have allowed the system to aggregate risk scores from different analyses for enhancing security. 
However the combination of Seigel and Golshan doesn’t explicitly teach, but Varghese discloses generating an alert for the item based on the total score exceeding a threshold (Varghese - [0019]: generating an alert from an administrator of the software application if the risk score exceeds a predefined threshold).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Seigel and Golshan with Varghese so that an alert is generated when the risk score exceeds a threshold. The modification would have allowed the system to be alerted when a risk is present and to take action. 
Regarding claim 1: The limitations of claim 1 are substantially similar to the limitations of claim 15, thus it is interpreted and rejected for the reasons set forth above in the rejection of claim 15.
Regarding claims 2 and 16: Seigel as modified discloses wherein the asset comprises an end host, a server, a network appliance, and/or a third party application (Seigel - [0021]: Each of agents 112(1) to 112(P) may be associated with a particular one of the servers 106(1) to 106(P)).
Regarding claims 3 and 17: Seigel as modified discloses wherein the log comprises a Windows event log, a Linux Syslog, an Apache access log, a firewall log, and/or a cloud API call log (Seigel - [0017]: event logs that are generated in a computing system. For example, the auditing software may, in real time, generate audits, alerts and reports on changes and deletions made to … Active Directory™, Exchange®, SharePoint®, VMware™, EMC™, NetApp™, SQL Server™, Windows® file servers).
Regarding claims 4 and 18: Seigel as modified discloses wherein the log is pulled from the asset by a collecting agent (Seigel - [0014]: monitor (e.g., in real time) event logs generated by multiple agents).
Regarding claim 5: Seigel as modified discloses wherein the at least one rule comprises signature analysis rule and/or a statistical analysis rule (Seigel - [0047]: the criteria to determine whether an event log is interesting may be based on criteria indicative of malicious activity, such as a number of failed login attempts within a predetermined (e.g., short) period of time occurring at one of the user devices 104, a large number of transactions being processed within a predetermined (e.g., short) period of time by one of the databases 102 or by one of the servers 106).
Regarding claim 9: Seigel as modified discloses further comprising: adding the suspicious item to a suspicious list based on the inspection using the at least one rule (Varghese - [0172]: the first application fingerprint may be transmitted to flagging rules engine 1210 of FDM 1200, which applies rules definitions 1220 and adds the fingerprint to a black list or white list as appropriate).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Seigel and Golshan with Varghese so that an application fingerprint is added to the blacklist/whitelist based on rules. The modification would have allowed the system to persist the suspicious item. 
Regarding claim 11: Seigel as modified discloses wherein the additional data comprises a virus scanning report, IP geolocation data, IP registration information, and/or an IP to physical location mapping (Varghese - [0123]: The data sources processing modules also preferably receives data from external third-party data providers. These sources can include geolocation service 612, black list service 614, white list service 616, and the like. Geolocation service 612 provides approximate geographic latitude and longitude corresponding to a user device IP address).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Seigel and Golshan with Varghese so that the additional data can be geolocation data. The modification would have allowed the system to acquire geolocation data. 
Regarding claim 12: Seigel as modified discloses wherein the additional data is received from a third party (Varghese - [0123]: The data sources processing modules also preferably receives data from external third-party data providers).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Seigel and Golshan with Varghese so that additional data can be acquired from a third-party. The modification would have allowed the system to acquire geolocation data from the third-party. 
Regarding claim 13: Seigel as modified discloses further comprising calculating a confidence level in the enrichment (Golshan - [Col. 4, Line 58-63]: a database of objects which have been previously scored by their reputation among users of end-point machines who have used or executed the objects. Such scores may for example be based on data collected by the systems described in this disclosure, or from third-party sources).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Seigel with Golshan and Varghese so that a score is calculated based on data collected from third-party sources. The modification would have allowed the system to derive a score based on data collected from third-party sources. 
Regarding claim 20: Seigel as modified discloses wherein the additional data is received from a third party (Varghese - [0123]: The data sources processing modules also preferably receives data from external third-party data providers), and the additional data comprises a virus scanning report, IP geolocation data, IP registration information, and/or IP to physical location mapping (Varghese - [0123]: The data sources processing modules also preferably receives data from external third-party data providers. These sources can include geolocation service 612, black list service 614, white list service 616, and the like. Geolocation service 612 provides approximate geographic latitude and longitude corresponding to a user device IP address).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Seigel and Golshan with Varghese so that the additional data can be geolocation data from a third party. The modification would have allowed the system to acquire geolocation data from a third party. 

Claims 6 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Seigel (Pub. No.: US 2017/0031741) in view of Golshan et al. (Patent No.: US 9,686.293) and Varghese (Pub. No.: US 2009/0089869) and CHOCKLER et al. (Pub. No.: US 2009/0106737, hereinafter CHOCKLER).
Regarding claim 6: Seigel as modified doesn’t explicitly teach but CHOCKLER discloses wherein the rule detects a rare windows persistence point, a rare user program execution, a rare PowerShell execution, a rare new autorun entry, and/or an antivirus alert (CHOCKLER - [0014]: The performance function is utilized to measure the outcome of each test execution based on maximizing the occurrence of a rare event that constitutes a hard to discover error in the program during normal execution).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Seigel, Golshan and Varghese with CHOCKLER so that a measure is used to detect the occurrence of a rare event in the program execution. The modification would have allowed the system to increase security. 
Regarding claim 19: Seigel as modified discloses wherein the at least one rule comprises at least one of a signature analysis rule and a statistical analysis rule (Seigel - [0047]: the criteria to determine whether an event log is interesting may be based on criteria indicative of malicious activity, such as a number of failed login attempts within a predetermined (e.g., short) period of time occurring at one of the user devices 104, a large number of transactions being processed within a predetermined (e.g., short) period of time by one of the databases 102 or by one of the servers 106). 
CHOCKLER - [0014]: The performance function is utilized to measure the outcome of each test execution based on maximizing the occurrence of a rare event that constitutes a hard to discover error in the program during normal execution).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Seigel, Golshan and Varghese with CHOCKLER so that a measure is used to detect the occurrence of a rare event in the program execution. The modification would have allowed the system to increase security. 

Claims 7 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Seigel (Pub. No.: US 2017/0031741) in view of Golshan et al. (Patent No.: US 9,686.293) and Varghese (Pub. No.: US 2009/0089869) and MOSCOVC et al. (Pub. No.: US 2017/0214702, hereinafter MOSCOVC).
Regarding claim 7: Seigel as modified doesn’t explicitly teach but MOSCOVC discloses wherein the rule detects a known bad signature (MOSCOVC - [0007]: The filters can include rule-based filters that detect signatures of known malicious behavior).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Seigel and Golshan with MOSCOVC so that a known malicious behavior signature is detected. The modification would have allowed the system to increase security. 
Regarding claim 19: Seigel as modified discloses wherein the at least one rule comprises a signature analysis rule and/or a statistical analysis rule (Seigel - [0047]: the criteria to determine whether an event log is interesting may be based on criteria indicative of malicious activity, such as a number of failed login attempts within a predetermined (e.g., short) period of time occurring at one of the user devices 104, a large number of transactions being processed within a predetermined (e.g., short) period of time by one of the databases 102 or by one of the servers 106). 
However, Seigel as modified doesn’t explicitly teach but MOSCOVC discloses the at least one rule detects at least one of a rare windows persistence point, a rare user program execution, a rare PowerShell execution, a rare new autorun entry, an antivirus alert, a known bad signature, a potential unknown malware, and/or a potential unknown application being executed (MOSCOVC - [0007]: The filters can include rule-based filters that detect signatures of known malicious behavior).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Seigel, Golshan and Varghese with MOSCOVC so that a known malicious behavior signature is detected. The modification would have allowed the system to increase security.

Claims 8 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Seigel (Pub. No.: US 2017/0031741) in view of Golshan et al. (Patent No.: US 9,686.293) and Varghese (Pub. No.: US 2009/0089869) and Harris et al. (Pub. No. : US 2018/0278631, hereinafter Harris).
Regarding claim 8: Seigel as modified doesn’t explicitly teach but Harris discloses wherein the rule detects a potential unknown malware or a potential unknown application being executed (Harris - [0248]: the detection rules 1022 are a specific set of rules that identify a particular sequence of IOCs 1006 as malicious, untrustworthy, unknown).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Seigel, Golshan and Varghese with Harris so that an unknown sequence is detected. The modification would have allowed the system to increase security. 
Regarding claim 19: Seigel as modified discloses wherein the at least one rule comprises a signature analysis rule and a statistical analysis rule (Seigel - [0047]: the criteria to determine whether an event log is interesting may be based on criteria indicative of malicious activity, such as a number of failed login attempts within a predetermined (e.g., short) period of time occurring at one of the user devices 104, a large number of transactions being processed within a predetermined (e.g., short) period of time by one of the databases 102 or by one of the servers 106). 
However, Seigel as modified doesn’t explicitly teach but Harris discloses the at least one rule detects at least one of a rare windows persistence point, a rare user program execution, a rare PowerShell execution, a rare new autorun entry, an antivirus alert, a known bad signature, a potential unknown malware, and/or a potential unknown application being executed (Harris - [0248]: the detection rules 1022 are a specific set of rules that identify a particular sequence of IOCs 1006 as malicious, untrustworthy, unknown).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Seigel, Golshan and Varghese with Harris so that an unknown sequence is detected. The modification would have allowed the system to increase security.

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Seigel (Pub. No.: US 2017/0031741) in view of Golshan et al. (Patent No.: US 9,686.293) and Varghese (Pub. No.: US 2009/0089869) and SHULMAN et al. (Pub. No.: US 2016/0261616, hereinafter SHULMAN).
Regarding claim 10: Seigel as modified doesn’t explicitly teach but SHULMAN discloses wherein the suspicious list further comprises an identification of the rule that caused the suspicious item to be added to the suspicious list and a timestamp (SHULMAN - [0104]: The activity context 520 may include: 1) the rule identifier 535, which is “15” in this case; … 4) a timestamp indicating when the access occurred).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Seigel, Golshan and Varghese with SHULMAN so that a list of items contains a rule identifier and a timestamp. The modification would have allowed the system to keep a list of context with rule and timestamp.

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Seigel (Pub. No.: US 2017/0031741) in view of Golshan et al. (Patent No.: US 9,686.293) and Varghese (Pub. No.: US 2009/0089869) and Piccirillo et al. (Patent Number: 5,557,278, hereinafter SHULMAN).
Regarding claim 14: Seigel as modified doesn’t explicitly teach but Piccirillo discloses further comprising: suppressing a subsequent alert for the same suspicious item (Piccirillo - [Col. 10, Line 45-47]: Repetitive alerts can be suppressed where subsequent alerts for the same targets and same conditions may not be reissued).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Seigel, Golshan and Varghese with Piccirillo so that subsequent alerts for the same targets and same conditions may not be reissued. The modification would have allowed the system to increase efficiency and usability.
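As an added illustration, not code from the application, the examiner, or any cited reference, the following Python models the pipeline recited in claim 15 together with the dependent-claim features rejected above: a collecting agent delivers a log of items from one asset; a watch rule database (a signature rule and a statistical rule, claim 5) identifies suspicious items; an exposure check rule measures how many of the plurality of assets have seen the indicator; enrichment adds geolocation data with a confidence level (claims 11 and 13); a total score combines inspection, exposure and enrichment; an alert is raised when the score exceeds a threshold; the suspicious list records the rule identifier and timestamp (claims 9 and 10); and repeat alerts for the same item are suppressed (claim 14). The sample log, asset inventory, sightings table, known-bad hash, geolocation table, score weights and threshold are all constructed assumptions.

```python
"""Model of a log-driven detection pipeline: collect, inspect, check exposure,
enrich, score, alert above a threshold, suppress repeats. All data is constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log from one asset, as a collecting agent would deliver it.
SAMPLE_LOG = [
    {"ts": 100 + i, "asset": "srv-01", "user": "alice", "src_ip": "203.0.113.7", "event": "login_failed"}
    for i in range(5)
] + [
    {"ts": 110, "asset": "srv-01", "user": "bob", "src_ip": "198.51.100.9",
     "event": "process_start", "sha256": "ab12"},
    {"ts": 120, "asset": "srv-01", "user": "carol", "src_ip": "192.0.2.5", "event": "login_ok"},
]
ASSETS = {"srv-01", "srv-02", "host-03", "fw-04"}            # the plurality of assets (assumed)
SIGHTINGS = {"srv-01": {"203.0.113.7", "ab12"}, "srv-02": {"ab12"},  # indicator sightings per asset
             "host-03": {"ab12"}, "fw-04": set()}
KNOWN_BAD_HASHES = {"ab12"}                                    # signature rule data (constructed)
GEO_DB = {"203.0.113.7": ("ZZ", 0.9), "198.51.100.9": ("US", 0.6)}  # ip -> (country, confidence)
HOME_COUNTRIES = {"US"}


@dataclass
class Suspicious:
    rule_id: str     # identification of the rule that flagged the item
    ts: int          # timestamp of the flagged activity
    key: str         # indicator used for the exposure check and alert suppression
    src_ip: str      # address used for enrichment
    inspection: int  # severity contributed by the matching rule


# Watch rule database: each rule inspects the whole log and yields suspicious items.
def rule_known_bad_signature(log):
    """Signature analysis rule: process start of a known-bad hash."""
    for item in log:
        if item["event"] == "process_start" and item.get("sha256") in KNOWN_BAD_HASHES:
            yield Suspicious("SIG-001", item["ts"], item["sha256"], item["src_ip"], 60)


def rule_failed_login_burst(log, limit=5, window=60):
    """Statistical analysis rule: `limit` failed logins from one user/IP within `window` seconds."""
    times = defaultdict(list)
    for item in log:
        if item["event"] == "login_failed":
            times[(item["user"], item["src_ip"])].append(item["ts"])
    for (_user, ip), ts in times.items():
        ts.sort()
        for i in range(len(ts) - limit + 1):
            if ts[i + limit - 1] - ts[i] <= window:
                yield Suspicious("STAT-001", ts[i + limit - 1], ip, ip, 40)
                break


WATCH_RULES = [rule_known_bad_signature, rule_failed_login_burst]


def exposure(sus):
    """Exposure check rule: fraction of assets on which the indicator has been seen."""
    exposed = [a for a in ASSETS if sus.key in SIGHTINGS.get(a, ())]
    return len(exposed) / len(ASSETS)


def enrich(sus):
    """Enrichment with a confidence level; unknown addresses get confidence 0."""
    country, confidence = GEO_DB.get(sus.src_ip, ("unknown", 0.0))
    return {"country": country, "confidence": confidence}


def total_score(sus, exp, enr):
    """Total score = inspection severity + exposure weight + confidence-weighted geo penalty."""
    geo_penalty = 20 if enr["country"] not in HOME_COUNTRIES else 0
    return sus.inspection + round(40 * exp) + round(geo_penalty * enr["confidence"])


def process_log(log, threshold=70, alerted=None):
    """Runs the pipeline over one log; returns (suspicious_list, alerts, suppressed_keys)."""
    alerted = set() if alerted is None else alerted   # shared across calls to suppress repeats
    suspicious_list, alerts, suppressed = [], [], []
    for rule in WATCH_RULES:
        for sus in rule(log):
            exp, enr = exposure(sus), enrich(sus)
            score = total_score(sus, exp, enr)
            suspicious_list.append({"rule_id": sus.rule_id, "ts": sus.ts, "key": sus.key,
                                    "exposure": exp, "enrichment": enr, "score": score})
            if score >= threshold:
                if sus.key in alerted:
                    suppressed.append(sus.key)          # same item already alerted: suppress
                else:
                    alerted.add(sus.key)
                    alerts.append({"key": sus.key, "rule_id": sus.rule_id, "score": score})
    return suspicious_list, alerts, suppressed


if __name__ == "__main__":
    seen = set()
    for run in (1, 2):
        sl, al, sup = process_log(SAMPLE_LOG, alerted=seen)
        print(f"run {run}: suspicious={[(s['rule_id'], s['score']) for s in sl]} "
              f"alerts={[a['key'] for a in al]} suppressed={sup}")
```

With the constructed weights, the known-bad process scores 90 (high severity, seen on three of four assets) and is alerted, while the failed-login burst scores 68 and stays on the suspicious list below the threshold; a second pass over the same log reports the process as suppressed rather than alerting again.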

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Muddu et al. (Patent No.: US 9,516,053) - Network security threat detection by user/user-entity behavioral analysis
Norrman et al. (Pub. No.: US 2013/0,096,980) - USER-DEFINED COUNTERMEASURES
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG LI whose telephone number is (571)272-8729.  The examiner can normally be reached on M-F 8:30-5:30.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s acting supervisor, Kristine Kincaid can be reached on (571) 272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8729.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MENG LI/
Primary Examiner, Art Unit 2437