Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

1.        This action is in response to application amendments filed on 9-8-2021.  
2.        This application was filed on 4-12-2019.  Claims 1 - 22 are pending.  Claims 1, 4, 7 have been amended.  Claims 1, 4, 7 are independent.   

Response to Arguments

3.    Applicant’s arguments, see Arguments/Remarks Made in an Amendment, filed 9-8-2021, with respect to the rejection(s) under Holeman have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Holeman in view of Vora.

A.  The 101 Rejection for Claims 7 - 22 is withdrawn due to claim amendments. 

B.  Applicant argues on page 8 of Remarks: ... teaches or suggests any use of a “second entity model” ...

    The Examiner respectfully disagrees.   Holeman discloses policy information utilized to define a model for managing control (permitted activities) of an asset.  (see Holeman paragraph [0102], lines 25-33: stored policy information defining a set of criteria for monitoring observation points (i.e. events, application monitoring); (selected: application 

C.  Applicant argues on page 8 of Remarks: ... wherein the second entity model for the entity is adapted for use by the greater computational resources of the threat management facility” ...

    The Examiner respectfully disagrees.  Vora discloses a remote object that has greater compute resources than a local object and is utilized in event message/response management.  (see Vora col 18, ll 9-14: data associated with event stored at remote control application; which has greater available resources than local (i.e. embedded system); maximize efficient usage of local (embedded) system; (i.e. remote computing system has greater compute resources than local system))

D.  Applicant argues on page 8 of Remarks: ... amended independent claims 1, 4, and 7 are believed to be in condition for allowance.

    Independent claims 4 and 7 have similar limitations as independent claim 1.  Responses to arguments against independent claim 1 also answer arguments against independent claims 4 and 7.     

E.  Applicant argues on page 8 of Remarks: ... Each of the remaining dependent claims is believed to be allowable for at least the same reasons that the claim from which it depends is believed to be allowable.

    Responses to arguments against the independent claims also answer arguments against the associated dependent claims.     

Claim Rejections - 35 USC § 103  

4.        The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

5.        Claims 1 - 15, 17, 19, 20, 22 are rejected under 35 U.S.C. 103 as being unpatentable over Holeman et al. (US PGPUB No. 20180191766) in view of Vora et al. (US Patent No. 9,426,185).     	

Regarding Claim 1, Holeman discloses a computer program product for assessing and responding to risk in an enterprise network, the computer program product comprising computer executable code embodied in a non-transitory computer-readable medium that, when executing on one or more computing devices, performs the steps of:
a)  instrumenting a compute instance in the enterprise network with a number of sensors to detect events from a number of computing objects associated with the compute instance; (see Holeman paragraph [0041], lines 1-4: multiple instances of processor unit coupled to interconnect; paragraph [0023], lines 1-6: endpoint computer system includes apparatuses such as sensors and network connectivity that enable these objects to collect and exchange data; paragraph [0047], lines 1-7: system event and configuration sensors to collect information 
b)  storing a first entity model for an entity associated with the compute instance at a local security agent for the compute instance, the entity including at least one of a domain controller, a physical device, a user, an operating system, or an application associated with the compute instance, and the first entity model characterizing a pattern of events expected from the number of sensors in a vector space; (see Holeman paragraph [0102], lines 25-33: stored policy information defining a set of criteria for monitoring observation points (i.e. events, application monitoring); (selected: application associated with compute instances))     
c)  receiving events from the number of computing objects at the local security agent on the compute instance; (see Holeman paragraph [0026], lines 1-10: information collected at endpoints (i.e. events) are sent to devices in the network such as network analyzers that use the information to supplement flow information collected within the network infrastructure)    
d)  collecting a plurality of the events into an event vector in the vector space; (see Holeman paragraph [0026], lines 1-10: information collected at endpoints are sent to devices in the network such as network analyzers that use the information to supplement flow information collected within the network infrastructure) and    
e)  calculating a first risk score with the local security agent based on a first distance between the event vector and the first entity model in the vector space; and 

Furthermore, Holeman discloses the following:
h)  transmitting the event vector to the threat management facility; (see Holeman paragraph [0071], lines 1-11: information associated with a network flow supplemented with endpoint information; paragraph [0072], line 3: network and endpoint information (i.e. event information) forwarded to threat and anomaly detection module) and 
i)   calculating a second risk score with the threat management facility based on a second distance between the event vector and the second entity model; and
j)   when the second risk score exceeds a second threshold, deploying a second remedial action for the compute instance from the threat management facility. 

Furthermore, Holeman discloses for g) storing a second entity model for the entity at a threat management facility accessible through the enterprise network, the second entity model characterizing a second pattern of events expected from the number of sensors in the vector space. (see Holeman paragraph [0102], lines 25-33: stored policy information defining a set of criteria for monitoring observation points; (criteria utilized to manage processing of event information))
Holeman does not specifically disclose for g) entity model has greater computational resources than local security agent, and is remotely accessible by local security 
However, Vora discloses: 
g)  a second entity model that has greater computational resources than the local security agent and that is remotely accessible by the local security agent through the enterprise network, the second entity model characterizing a second pattern of events, where the second entity model for the entity is adapted for use by the greater computational resources of the threat management facility. (see Vora col 18, ll 9-14: data associated with event stored at remote control application; which has greater available resources than local (i.e. embedded system); maximize efficient usage of local (embedded) system; (i.e. remote computing system has greater compute resources than local system))  
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Holeman for g) entity model has greater computational resources than local security agent, and is remotely accessible by local security agent, and second entity model is adapted for use by greater computational resources as taught by Vora. One of ordinary skill in the art would have been motivated to employ the teachings of Vora for the benefits achieved from a system that enables more efficient usage of resources of local system by utilizing remote compute resources. (see Vora col 18, ll 9-14)  

Regarding Claim 2, Holeman-Vora discloses the computer program product of claim 1 wherein at least one of the first threshold and the second threshold is algorithmically 

Regarding Claim 3, Holeman-Vora discloses the computer program product of claim 1 wherein calculating the second risk score includes evaluating the second risk score based on an event stream from two or more compute instances within the enterprise network. (see Holeman paragraph [0081], lines 5-11: identify a first frequency at which observation points are enabled for determining a risk assessment (i.e. a score) and a determination when the risk score exceeds a threshold (first, second); and identify a second threshold (i.e. score compared against a second threshold))    

Regarding Claim 4, Holeman discloses a method for assessing and responding to risk in an enterprise network, the method comprising:
a)  instrumenting a compute instance in the enterprise network with a number of sensors to detect events from a number of computing objects associated with the compute instance; (see Holeman paragraph [0041], lines 1-4: multiple instances of processor unit coupled to interconnect; paragraph [0023], lines 1-6: endpoint computer system includes apparatuses such as sensors and network connectivity that enable these objects to collect and exchange data; paragraph [0047], lines 1-7: system event and configuration sensors to collect information regarding configuration of endpoint computer system or events occurring on such systems)     

c)  receiving events from the number of computing objects at a local security agent on the compute instance; (see Holeman paragraph [0026], lines 1-10: information collected at endpoints are sent to devices in the network such as network analyzers that use the information to supplement flow information collected within the network infrastructure)    
d)  collecting a plurality of the events into an event vector in the vector space; (see Holeman paragraph [0026], lines 1-10: information collected at endpoints are sent to devices in the network such as network analyzers that use the information to supplement flow information collected within the network infrastructure)    
e)  calculating a first risk score with the local security agent based on a first distance between the event vector and the first entity model in the vector space; and 
f)   when the first risk score exceeds a first threshold, deploying a first remedial action for the compute instance from the local security agent. (see Holeman paragraph [0018], lines 8-17: analyzer processes information (i.e. data usable to identify potential risks and performance, threats and anomalies) and determines assessments about the risk to a system; paragraph [0081], lines 1-11: thresholds for monitoring specified in terms of risk; identify a first frequency at which 
Furthermore, Holeman discloses the following:
i)   when the second risk score exceeds a second threshold, deploying a second remedial action for the compute instance from the threat management facility. (see Holeman paragraph [0018], lines 8-17: analyzer processes information (i.e. data usable to identify potential risks and performance, threats and anomalies) and determines assessments about the risk to a system; paragraph [0081], lines 1-11: thresholds for monitoring specified in terms of risk; identify a first frequency at which observation points are enabled for determining a risk assessment (i.e. a risk score) and a determination when the score exceeds a first threshold and identify a second threshold (i.e. risk score compared against a second threshold); paragraph [0082], lines 1-16: define threshold for taking appropriate control actions (i.e. first, second remedial actions) to maintain components within policy guidelines, to mitigate risk exposure actions include process suspension or termination on endpoint computer system; paragraph [0097], lines 5-9: profiles determined by algorithm in conjunction with policy to govern continuous observation point monitoring and/or determination of control actions to be taken based upon 

Furthermore, Holeman discloses for g) transmitting the event vector to a threat management facility (see Holeman paragraph [0071], lines 1-11: information associated with a network flow supplemented with endpoint information; paragraph [0072], line 3: network and endpoint information forwarded to threat and anomaly detection module), and for h) calculating a second risk score with the threat management facility based on a second distance between the event vector and the second entity model in the vector space. (see Holeman paragraph [0018], lines 8-17: analyzer processes information (i.e. data usable to identify potential risks and performance, threats and anomalies) and determines assessments about the risk to a system; paragraph [0081], lines 1-11: thresholds for monitoring specified in terms of risk; identify a first frequency at which observation points are enabled for determining a risk assessment (i.e. a risk score) and a determination when the score exceeds a first threshold and identify a second threshold (i.e. risk score compared against a second threshold)) 
Holeman does not specifically disclose for g) threat management facility has greater computational resources than local security agent and is remotely accessible by local security agent, and for h) second entity model is adapted for use by greater computational resources. 
However, Vora discloses: 
g)  threat management facility that has greater computational resources than the local security agent and that is remotely accessible by the local security agent through the enterprise network; (see Vora col 18, ll 9-14: data associated with event stored at remote control application; which has greater available resources than local (i.e. embedded system); maximize efficient usage of local (embedded) system; (i.e. remote computing system has greater compute resources than local system)) and    
h)  wherein the second entity model for the entity is adapted for use by the greater computational resources of the threat management facility. (see Vora col 18, ll 9-14: data associated with event stored at remote control application; which has greater available resources than local (i.e. embedded system); maximize efficient usage of local (embedded) system; (i.e. remote computing system has greater compute resources than local system))  
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Holeman for g) threat management facility has greater computational resources than local security agent and is remotely accessible by local security agent, and for h) second entity model is adapted for use by greater computational resources as taught by Vora. One of ordinary skill in the art would have been motivated to employ the teachings of Vora for the benefits achieved from a system that enables more efficient usage of resources of local system by utilizing remote compute resources. (see Vora col 18, ll 9-14)

Regarding Claim 5, Holeman-Vora discloses the method of claim 4 wherein the second entity model includes one or more events from a second compute instance in the 

Regarding Claim 6, Holeman-Vora discloses the method of claim 4 wherein the second entity model includes one or more events from a second entity in the enterprise network. (see Holeman paragraph [0041], lines 1-4: multiple instances of processor unit coupled to interconnect; paragraph [0023], lines 1-6: endpoint computer system includes apparatuses such as sensors and network connectivity that enable these objects to collect and exchange data; paragraph [0102], lines 25-33: stored policy information defining a set of criteria for monitoring observation points (i.e. event information processing model))    

Regarding Claim 7, Holeman discloses a system comprising:
a)  a local security agent on a compute instance in an enterprise network, the local security agent executing on a processor of the compute instance to receive events from sensors on the compute instance, generate one or more event vectors each including a collection of events for an entity associated with the compute instance (see Holeman paragraph [0041], lines 1-4: multiple instances of processor unit coupled to interconnect; paragraph [0023], lines 1-6: endpoint 
Furthermore, Holeman discloses the following: 
b)  a threat management facility for the enterprise network executing on a processor that is remote from the compute instance to operate on an event stream including event vectors reported from each of a plurality of compute instances including the compute instance (see Holeman paragraph [0071], lines 1-11: information associated with a network flow supplemented with endpoint information; 

Holeman does not specifically disclose threat management facility having greater computational resources than local security agent, and remote from compute instance, and second entity model adapted for use by greater computational resources of threat management facility. 
However, Vora discloses: 
having greater computational resources than the local security agent, the threat management facility executing on a processor that is remote from the compute instance and a second entity model wherein the second entity model for the entity is adapted for use by the greater computational resources of the threat management facility. (see Vora col 18, ll 9-14: data associated with event stored at remote control application; which has greater available resources than local (i.e. embedded system); maximize efficient usage of local (embedded) system; (i.e. remote computing system has greater compute resources than local system))
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Holeman for threat management facility having greater computational resources than local security agent, and remote from compute instance, and second entity model adapted for use by greater computational resources of threat management facility as taught by Vora. One of ordinary skill in the art would have been motivated to employ the teachings of Vora for the benefits achieved from a system that enables more efficient usage of resources of local system by utilizing remote compute resources. (see Vora col 18, ll 9-14)
      
Regarding Claim 8, Holeman-Vora discloses the system of claim 7 wherein the threat management facility is configured to deploy a remedial measure for the compute instance when at least one of the first risk score and the second risk score exceeds a threshold. (see Holeman paragraph [0082], lines 1-10: policy may indicate that a 

Regarding Claim 9, Holeman-Vora discloses the system of claim 8 wherein the threshold is algorithmically determined. (see Holeman paragraph [0097], lines 5-9: profiles determined by algorithm in conjunction with policy to govern continuous observation point monitoring and/or determination of control actions to be taken based upon analyzed performance factors; (algorithm utilized in management of event information))    

Regarding Claim 10, Holeman-Vora discloses the system of claim 7 wherein the first risk score is indicative of deviations from an activity baseline for the event vectors for the compute instance. (see Holeman paragraph [0089], lines 1-13: assesses system risk factors (i.e. risk scores) such as network interfaces, storage devices, ... , and conformity with security and management requirements, aggregate exposed vulnerabilities, deviations from normal operating patterns (i.e. deviations from baseline or normal operation), etc.)    

Regarding Claim 11, Holeman-Vora discloses the system of claim 10 wherein the activity baseline is determined based on a historical window of event vectors for the compute instance. (see Holeman paragraph [0055], lines 8-18: historical information collected such as process creation and termination times, process hierarchy 

Regarding Claim 12, Holeman-Vora discloses the system of claim 11 wherein the activity baseline is periodically recalculated for a new historical window. (see Holeman paragraph [0055], lines 8-18: historical information collected such as process creation and termination times, process hierarchy information, means of process creation; (historical information utilized in event information collection and processing))     
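The two-tier scoring recited in claim 1 (a first risk score from the distance between the event vector and the first entity model at the local agent, the event vector then transmitted to the threat management facility for a second score against a second model and threshold, each tier deploying its own remedial action) and the historical-window baseline of claims 10-12, as an added illustrative example that is not code from the application or from Holeman, Vora or any other cited reference. The event types, thresholds, remedial actions and sample windows are constructed assumptions:

```python
"""Two-tier risk scoring as recited in claim 1, with each entity model built from a
historical window of event vectors (claims 10-12). Added example, not code from the
application or the cited references; event types, thresholds and windows are constructed."""
from __future__ import annotations
import math
from collections import Counter
from dataclasses import dataclass, field

# Constructed vocabulary: each sensor event type is one axis of the vector space.
EVENT_TYPES = ("process_create", "net_connect", "file_write", "auth_fail")


def event_vector(events: list[str]) -> list[float]:
    """Collect one window of raw sensor events into an event vector (claim 1, step d)."""
    counts = Counter(events)
    return [float(counts.get(t, 0)) for t in EVENT_TYPES]


@dataclass
class EntityModel:
    """Expected event pattern for an entity: centroid plus per-axis scale (the baseline)."""
    centroid: list[float]
    scale: list[float]

    @classmethod
    def from_history(cls, history: list[list[float]]) -> "EntityModel":
        """Recompute the baseline from a historical window of event vectors."""
        n, dims = len(history), len(EVENT_TYPES)
        centroid = [sum(v[i] for v in history) / n for i in range(dims)]
        # Standard deviation per axis, floored at 1.0 so an axis that was constant in
        # the baseline does not turn a single extra event into an infinite distance.
        scale = [max(1.0, math.sqrt(sum((v[i] - centroid[i]) ** 2 for v in history) / n))
                 for i in range(dims)]
        return cls(centroid, scale)

    def distance(self, vec: list[float]) -> float:
        """Scaled Euclidean distance between an event vector and this model."""
        return math.sqrt(sum(((x - c) / s) ** 2
                             for x, c, s in zip(vec, self.centroid, self.scale)))


@dataclass
class LocalSecurityAgent:
    """Runs on the compute instance with the first entity model (claim 1, steps b, e, f)."""
    model: EntityModel
    threshold: float
    actions: list[str] = field(default_factory=list)

    def assess(self, events: list[str]) -> tuple[list[float], float]:
        vec = event_vector(events)
        first_score = self.model.distance(vec)
        if first_score > self.threshold:
            self.actions.append("local: suspend offending process")  # first remedial action
        return vec, first_score


@dataclass
class ThreatManagementFacility:
    """Remote tier with a second model built from many instances' event stream (claim 3)."""
    model: EntityModel
    threshold: float
    actions: list[str] = field(default_factory=list)

    def assess(self, vec: list[float]) -> float:
        second_score = self.model.distance(vec)
        if second_score > self.threshold:
            self.actions.append("remote: quarantine host")  # second remedial action
        return second_score


def run_scenario() -> dict:
    """Constructed walk-through: host baseline, fleet baseline, then two windows."""
    host_history = [[10, 5, 20, 0], [12, 4, 18, 1], [11, 6, 22, 0], [9, 5, 19, 1], [13, 5, 21, 0]]
    fleet_stream = host_history + [[30, 20, 5, 2], [28, 22, 6, 3], [32, 18, 4, 2],
                                   [5, 2, 40, 0], [6, 3, 38, 1], [4, 2, 42, 0]]
    agent = LocalSecurityAgent(EntityModel.from_history(host_history), threshold=3.0)
    facility = ThreatManagementFacility(EntityModel.from_history(fleet_stream), threshold=3.0)
    benign = ["process_create"] * 11 + ["net_connect"] * 5 + ["file_write"] * 20
    suspicious = benign + ["auth_fail"] * 12          # burst of authentication failures
    results = {}
    for label, events in (("benign", benign), ("suspicious", suspicious)):
        vec, first = agent.assess(events)             # local tier scores first
        second = facility.assess(vec)                 # event vector transmitted to the facility
        results[label] = (round(first, 3), round(second, 3))
    results["local_actions"] = list(agent.actions)
    results["remote_actions"] = list(facility.actions)
    return results
```

Calling `run_scenario()` returns both tiers' scores for each window together with the remedial actions each tier deployed; re-running `EntityModel.from_history` on a newer window is the periodic baseline recalculation of claim 12.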

Regarding Claim 13, Holeman-Vora discloses the system of claim 7 wherein the second risk score is indicative of deviations from an activity baseline for the event stream received at the threat management facility. (see Holeman paragraph [0089], lines 1-13: assesses system risk factors (i.e. risk scores) such as network interfaces, storage devices, ... , and conformity with security and management requirements, aggregate exposed vulnerabilities, deviations from normal operating patterns (i.e. deviations from baseline or normal operation), etc.)    

Regarding Claim 14, Holeman-Vora discloses the system of claim 13 wherein the activity baseline is determined based on a historical window for the event stream. (see Holeman paragraph [0055], lines 8-18: historical information collected such as process creation and termination times, process hierarchy information, means of process creation, etc.; (historical information utilized in event information collection and processing))    

Regarding Claim 15, Holeman-Vora discloses the system of claim 7 wherein the first risk score is calculated based on a distance between at least one of the event vectors and the entity model in a vector space. (see Holeman paragraph [0081], lines 5-11: identify a first frequency at which observation points are enabled for determining a risk assessment (i.e. risk score) and a determination when risk score exceeds a threshold)     

Regarding Claim 17, Holeman-Vora discloses the system of claim 7 wherein the second risk score is calculated based on a distance between the event stream and the one or more corresponding entity models in a vector space. (see Holeman paragraph [0081], lines 5-11: identify a first frequency at which observation points are enabled for determining a risk assessment (i.e. risk score) and a determination when risk score exceeds a threshold; and identify a second threshold (i.e. risk score compared against a second threshold))     

Regarding Claim 19, Holeman-Vora discloses the system of claim 7 wherein the entity of the entity model is at least one of a domain controller, a physical device, a user, an operating system, and an application associated with the compute instance. (see Holeman paragraph [0089], lines 1-13: risk factors include components such as network interfaces, storage devices, operating system versions, etc.; (selected: an operating system))    

Regarding Claim 20, Holeman-Vora discloses the system of claim 7 wherein the one or more corresponding entity models include models for a number of entities within the enterprise network selected from the group consisting of a domain controller, an identity and access management system, a physical device, a user, an operating system, and an application associated with the compute instance. (see Holeman paragraph [0089], lines 1-13: risk factors include components such as network interfaces, storage devices, operating system versions, etc.; (selected: an operating system))    

Regarding Claim 22, Holeman-Vora discloses the system of claim 7 wherein event vectors in the event stream are at least one of tokenized, encrypted, compressed, and prioritized. (see Holeman paragraph [0048], lines 1-9: collection of system compliance information (i.e. event vector information) such as OS version installed, patches installed, encryption status, etc.; (selected: encrypted))    

6.        Claims 16, 18 are rejected under 35 U.S.C. 103 as being unpatentable over Holeman in view of Vora and further in view of Martin et al. (US PGPUB No. 20180139227).

Regarding Claim 16, Holeman-Vora discloses the system of claim 7, including a first risk score. (see Holeman paragraph [0081], lines 5-11: identify a first frequency at which observation points are enabled for determining a risk assessment (i.e. a score) and a determination when the score exceeds a threshold)
Holeman-Vora does not specifically disclose score evaluated using k-nearest neighbor algorithm. 

        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Holeman-Vora for score evaluated using a k-nearest neighbor algorithm as taught by Martin. One of ordinary skill in the art would have been motivated to employ the teachings of Martin for the benefits achieved from a system that enables multiple techniques to be used to identify entities for processing of event data within a network environment. (see Martin paragraph [0059], lines 11-14)  

Regarding Claim 18, Holeman-Vora discloses the system of claim 7, including determination of a risk score. (see Holeman paragraph [0081], lines 5-11: identify a first frequency at which observation points are enabled for determining a risk assessment (i.e. a score) and a determination when the score exceeds a threshold)
Holeman-Vora does not specifically disclose score evaluated using k-nearest neighbor algorithm.  
However, Martin discloses wherein a score (i.e. similarity scores) is evaluated using a k-nearest neighbor algorithm. (see Martin paragraph [0059], lines 11-14: implements clustering techniques such as k-means clustering, nearest neighbor)  
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Holeman-Vora for score evaluated using k-nearest neighbor algorithm as taught by Martin. One of ordinary skill in the art would have been motivated to employ the teachings of Martin for the benefits achieved from a       

7.        Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Holeman in view of Vora and further in view of Rothman et al. (US PGPUB No. 20180247713).

Regarding Claim 21, Holeman-Vora discloses the system of claim 7. 
Holeman-Vora does not specifically disclose a plurality of anonymized event vectors. 
However, Rothman discloses wherein the event stream includes a plurality of anonymized event vectors. (see Rothman paragraph [0201], lines 12-17: identity treated so that no identifiable information can be determined; or geographic location is generalized so that a particular location cannot be determined; (removal of identification information from event information))
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Holeman-Vora for a plurality of anonymized event vectors as taught by Rothman. One of ordinary skill in the art would have been motivated to employ the teachings of Rothman for the benefits achieved from a system that provides additional security by enabling a user to have control over how information is collected and used by event processing systems. (see Rothman paragraph [0201], lines 17-19)      

Conclusion

THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CARLTON JOHNSON whose telephone number is (571)270-1032.  The examiner can normally be reached on Work: 12-9PM (most days).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 571-272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.







/CJ/
September 13, 2021

                                                                                                                                                                                                   
/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436