DETAILED ACTION

1.	Claims 1-11 are presented for consideration.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

2.	Claims 1-11 are rejected under 35 U.S.C. 103 as being unpatentable over Mead et al. [ US Patent Application No 2017/0201530 ], in view of Rossigneux et al. [ US Patent Application No 2015/0026801 ].

3.	As per claim 1, Mead discloses the invention as claimed including an alert frequency control device comprising: 
	processing circuitry if an attack activity that belongs to any of a plurality of phases of a cyber-attack is detected [ i.e. cyber-attacks can be categorized into phases ] [ paragraphs 0014, and 0047 ], to calculate an occurrence interval regarding an attack scenario composed of a representative attack activity of each phase, using activity interval data including each occurrence interval of one or more attack activities for each phase  [ i.e. compute the trajectories of cumulative events through the multi-dimensional spaces of observations that correspond to a 
	Mead does not specifically disclose
	to determine whether or not an alert is necessary, based on the occurrence interval of the attack scenario.
	Rossigneux discloses
	to determine whether or not an alert is necessary, based on the occurrence interval of the attack scenario [ i.e. generation of true alarms triggered during monitoring operations of a data network ] [ paragraphs 0038, and 0049 ].
	It would have been obvious to a person skill in the art before the effective filing date of the claimed invention to combine the teaching of Mead and Rossigneux because the teaching of Rossigneux would enable to improve the generation of true alarms triggered during monitoring operations of a data network [ Rossigneux, paragraph 0038 ].
 
4.	As per claim 2, Mead discloses wherein the processing circuitry selects a representative occurrence interval of each phase from the activity interval data, and calculates a sum of the selected representative occurrence intervals as the occurrence interval of the attack scenario [ i.e. cumulative rolling wave is the sum ] [ Figure 5; and paragraphs 0033, and 0046 ]. 
 
5.	As per claim 3, Mead discloses wherein the processing circuitry obtains an occurrence interval corresponding to a detected attack activity from the activity interval data, selects from an activity registration file that includes a scenario interval corresponding to each attack activity for each phase, a representative scenario interval of a phase before the phase to which the 
 
6.	As per claim 4, Mead discloses wherein the processing circuitry sets the occurrence interval of the attack scenario to the activity registration file, as a scenario interval corresponding to the detected attack activity [ i.e. baseline cumulative trajectories ] [ paragraph 0036 ]. 
 
7.	As per claim 5, Mead discloses wherein the activity registration file includes a corresponding scenario that is information of the attack scenario corresponding to each attack activity for each phase, and wherein the processing circuitry obtains from the activity registration file, a representative corresponding scenario of a phase before the phase to which the detected attack activity belongs, and sets the representative corresponding scenario and the detected attack activity to the activity registration file, as a corresponding scenario that corresponds to the detected attack activity [ i.e. comparing the baseline cumulative trajectory of the event with the operational cumulative trajectory of the event ] [ Abstract; and paragraphs 0026, and 0036 ]. 
 
8.	As per claim 6, Rossigneux discloses wherein the processing circuitry determines that the alert is necessary if the occurrence interval of the attack scenario is longer than reference time [ 
 
9.	As per claim 7, Rossigneux discloses wherein the processing circuitry compares the occurrence interval of the attack scenario with a provisional interval, updates the provisional interval to the occurrence interval of the attack scenario if the occurrence interval of the attack scenario is larger than the provisional interval, determines that the alert is unnecessary if the occurrence interval of the attack scenario is larger than the provisional interval, and does not determine whether or not the alert is necessary, if it is determined that the alert is unnecessary [ i.e. cancel or discontinue first alarm ] [ paragraphs 0049, and 0132 ]. 
 
10.	As per claim 8, Rossineux discloses wherein the processing circuitry decides the reference time, calculates each temporary occurrence interval of one or more attack scenarios before the reference time is decided, determines that the alert is necessary if each temporary occurrence interval is longer than provisional time, and measures, as estimated frequency, frequency at which it has been determined, before the reference time is decided, that the alert is necessary, and decides the reference time based on the estimated frequency [ i.e. event and decision making ] [ paragraphs 0107, 0108, and 0132 ]. 
 
11.	As per claim 9, Rossigneux discloses wherein the processing circuitry decides the provisional time to be the reference time if the estimated frequency satisfies an update suspension condition, updates the provisional time if the estimated frequency does not satisfy the update suspension condition, calculates one or more new temporary occurrence intervals 
 
12.	As per claim 10, Rossigneux discloses wherein the processing circuitry to measures, as present frequency, frequency at which it has been determined that the alert is necessary, based on the reference time, and adjust the reference time if the present frequency satisfies an adjustment condition [ i.e. reference emission time ] [ paragraph 0131 ]. 

13.	As per claim 11, it is rejected for similar reasons as stated above in claim 1.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to DUSTIN NGUYEN whose telephone number is (571)272-3971. The examiner can normally be reached Monday-Friday 9-6 PST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Brian Gillis can be reached on 571-2727952. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/DUSTIN NGUYEN/Primary Examiner, Art Unit 2446