DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
The Amendment filed 07/14/2021 has been entered. Claims 1, 5, 11, 15-16 and 20 have been amended. Claims 4, 14 and 19 are canceled. Claims 21-23 have been added. Claims 1-3, 5-13, 15-18 and 20-23 are pending in this application.

Response to Argument
Applicant’s remarks submitted on 07/14/2021, regarding 35 USC 102 have been fully considered but they are moot in light of new grounds of rejection necessitated by applicant’s amendments. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was.


Claims 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over Carver et al. (U.S Pub No. 2015/0365438 A1, referred to as Carver), in view of Vasseur et al. (U.S Pub No. 2016/0028764 A1, referred to as Vasseur).
Regarding claims 21-23, Carver teaches:
A computer-implemented method for identifying cyber adversary behavior on a computer network (Carver: ¶ 0012), the computer-implemented method comprising: 
receiving individual security events from multiple threat intelligence data sources (Carver: Fig. 1, Items 102, 110 (multiple threat intelligence data sources); ¶ 0014, “The threat intelligence component 102 can receive information from one or more intelligence feeds 110.”, “In some implementations, a service may receive security threat information (individual security events) from multiple peer sources”; ¶ 0015).
Carver does not explicitly disclose, however Vasseur teaches:
matching a security incident corresponding to an attack on at least one element of the computer network, the security incident being described by the individual security events received from the multiple threat intelligence data sources, to a defined cyber adversary objective in a structured framework of a plurality of defined cyber adversary objectives and a related technique associated with the defined cyber adversary objective used by a cyber adversary in the attack to achieve the defined cyber adversary objective (Vasseur: Fig. 5, Step 515; ¶ 0065, “At step 515, the DoS attack management node may determine attack information relating to the attack traffic (matching a security incident corresponding to an attack on at least one element of the computer network). The attack information may include, for example, a type of the DoS attack (a related technique associated with the defined cyber adversary objective) and an intended target of the DoS attack (adversary objective), in addition to an identity of the attacker (adversary), an identity of the RDE 410, an intensity of the DoS attack, and 410.”); and 
performing a set of mitigation actions on the computer network based on the matching of the security incident corresponding to the attack on the computer network to the defined cyber adversary objective and the related technique (Vasseur: ¶ 0043, “the attacker can change attack source and/or vector, thus requiring traffic flagging and mitigation to be performed again. Furthermore, when the system being attacked is able to mitigate the attack by stopping the attacking traffic, the attacker may potentially retro-engineer the protection in place to continue “improving” the attacks to find the weakness in the defending infrastructure, or worse yet, could target the detection infrastructure itself by overloading it (which can be common with stateful firewalls, for example).”; ¶ 0056; Fig. 5, Step 520; ¶ 0066, “For example, a trap server 450 may be utilized, where, in one instance, the attack traffic may be redirected to the trap server 450, such that the trap server responds to the incoming attack traffic in a manner which mimics the behavior of the intended target of the DoS attack. As another example, a remote proxy 420 may be utilized, where, the remote proxy is hosted on an edge device in the network and may perform one or more actions on behalf of the intended target of the DoS attack”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Carver by Vasseur and have a system which, when the network is under attack, would be capable of determining a type of the DoS attack and an intended target of the DoS attack in order to take an action to mitigate the attack (Vasseur: ¶ 0043; ¶ 0065; ¶ 0066).
Allowable Subject Matter

Claims 1-3, 5-13, 15-18 and 20 are allowed.	
The following is an examiner’s statement of reasons for allowance:

The closest prior art made of record is Carver et al. (U.S Pub No. 2015/0365438 A1, referred to as Carver), Vasseur et al. (U.S Pub No. 2016/0028764 A1, referred to as Vasseur) and Amsler (U.S Pub No. 2014/0201836A1, referred to as Amsler).

Carver discloses methods for implementing a response to one or more security incidents in a computing network. One of the methods includes identifying a security incident based on detecting one or more indicators of compromise associated with the security incident, comparing the security incident with a predefined ontology that maps the security incident to one or more courses of action, selecting a response strategy that includes one or more of the courses of action, and implementing the response strategy as an automated response.

Vasseur discloses a method for mitigating the success of an attack. In the method, attack traffic corresponding to a detected DoS attack from one or more attacker nodes is received at a denial of service (DoS) attack management node in a network. The DoS attack management node determines attack information relating to the attack traffic, including a type of the DoS attack and an intended target of the DoS attack.

Amsler discloses a risk assessment and managed security system for network users that provides security services for dealing with formidable cyber threats, malware creations and phishing techniques. Automated solutions in combination with human-driven solutions establish an always-alert positioning for incident anticipation, mitigation, discovery and response.

However, regarding claims 1 and 16, the prior art of Carver, Vasseur and Amsler, when taken in the context of the claim as a whole, does not disclose or suggest “presenting the security incident as compared to the defined cyber adversary objective and the related technique matched to the security incident on a security attack graph.”

Regarding claim 11, the prior art of Carver, Vasseur and Amsler, when taken in the context of the claim as a whole, does not disclose or suggest “present the security incident as compared to the defined cyber adversary objective and the related technique matched to the security incident on a security attack graph.”

Claims 2-3 and 5-10 depend on claim 1, claims 12-13 and 15 depend on claim 11, and claims 17-18 and 20 depend on claim 16, and are consequently allowed.

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:  See PTO-892.  

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HASSAN SAADOUN whose telephone number is (571)272-8408.  The examiner can normally be reached on Mon-Fri 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/HASSAN SAADOUN/Examiner, Art Unit 2435

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435