Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


DETAILED ACTION

Notice to Applicants
This communication is in response to the Amendment filed on 08/05/2021.
Claims 1, 3-6, 8-9, 11-19 and 21-22 are under examination.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone conversation with Applicant’s representative on 10/19/2021, and followed by Email confirmation dated 10/19/2021.

Please replace the current listing of claims with the following:


detecting, by one or more computers, computer-related actions performed by a user;
logging, by one or more of the computers, a logged event that includes the user's detected computer-related actions and the user that performed the detected computer-related actions;
computing, by one or more of the computers, one or more behavior-based risk scores for the user based on the user's computer-related actions;

receiving, by a rule builder, the logged event;
building, by the rule builder, one or more new behavior-based firewall rules for each different type of detected computer-related action by the user wherein the one or more new behavior-based firewall rules are based on the detected computer-related actions included in the logged event and the one or more behavior-based risk scores for the user;
inserting, by the rule builder, the one or more new behavior-based firewall rules into a firewall table;
periodically updating the user's one or more behavior-based risk scores as additional computer-related actions by the user are detected and logged; 
updating the user's one or more behavior-based firewall rules by deleting previously built behavior-based firewall rules and building new behavior-based firewall rules based on the user's updated one or more behavior-based risk scores; 
regulating, by one or more of the computers, the user's computer-related actions according to at least the one or more new behavior-based firewall rules inserted into the firewall table.
2. (Cancelled)  
3. (Cancelled)    
4. (Original) The method of claim 1, wherein the one or more behavior-based risk scores include one or more of a risk score associated with failed login attempts, of a risk score associated with accessing files, of a risk score associated with accessing servers in the enterprise, 
5. (Original) The method of claim 1, wherein the user's computer-related actions are associated with corresponding vulnerability ratings, wherein the user's one or more behavior- based risk scores are computed using the vulnerability ratings corresponding to the user's computer-related actions.  
6. (Cancelled)    
7. (Cancelled)  
8. (Original) The method of claim 1, wherein regulating the user's computer-related actions includes at least one of allowing or denying the user from logging onto a computer system, allowing or denying the user access to a file or a server, allowing, denying, or redirecting a destination of a network access, allowing or denying the user from installing software, and allowing or denying execution of a process.  
9. (Amended) A non-transitory computer-readable storage medium having stored thereon computer executable instructions, which when executed by a computer device, cause the computer device to: 
detect computer-related actions performed by a user; 
log the user's computer-related actions as a logged event that includes the user's detected computer-related actions and the user that performed the detected computer-related actions; 
compute one or more behavior-based risk scores for the user based on the user's computer-related actions; 

receive, by a rule builder, the logged event; 
build, by the rule builder, one or more new behavior-based firewall rules for each different type of detected computer-related action by the user wherein the one or more new behavior-based firewall rules are based on the detected computer-related actions included in the logged event and the one or more behavior-based risk scores for the user; 
insert, by the rule builder, the one or more new behavior-based firewall rules into a firewall table; 
periodically updating the user's one or more behavior-based risk scores as additional computer-related actions by the user are detected and logged; 
updating the user's one or more behavior-based firewall rules by deleting previously built behavior-based firewall rules and building new behavior-based firewall rules based on the user's updated one or more behavior-based risk scores; 
regulate the user's computer-related actions according to at least the one or more new behavior-based firewall rules inserted into the firewall table.  
10. (Cancelled)  
11. (Cancelled)   
12. (Original) The non-transitory computer-readable storage medium of claim 9, wherein the one or more behavior-based risk scores include one or more of a risk score associated with failed login attempts, of a risk score associated with accessing files, of a risk score associated with accessing servers in the enterprise, of a risk score associated with accessing the network, of a risk score associated with installing software, and of a risk score associated with executing processes.  
13. (Original) The non-transitory computer-readable storage medium of claim 9, wherein the user's computer-related actions are associated with corresponding vulnerability ratings, wherein the user's one or more behavior-based risk scores are computed using the vulnerability ratings corresponding to the user's computer-related actions.  
14. (Cancelled)    

16. (Amended) An apparatus comprising: 
one or more computer processors; and 
a computer-readable storage medium comprising instructions for controlling the one or more computer processors to be operable to: 
detect computer-related actions performed by a user; 
log the user's computer-related actions as a logged event that includes the user's detected computer-related actions and the user that performed the detected computer-related actions; 
compute one or more behavior-based risk scores for the user based on the user's computer-related actions; 

receive, by a rule builder, the logged event; 
build, by the rule builder, one or more new behavior-based firewall rules for each different type of detected computer-related action by the user wherein the one or more new behavior-based firewall rules are based on the detected computer-related actions included in the logged event and the one or more behavior-based risk scores for the user; 
insert, by the rule builder, the one or more new behavior-based firewall rules into a firewall table; 
periodically updating the user's one or more behavior-based risk scores as additional computer-related actions by the user are detected and logged; 
updating the user's one or more behavior-based firewall rules by deleting previously built behavior-based firewall rules and building new behavior-based firewall rules based on the user's updated one or more behavior-based risk scores; 
regulate the user's computer-related actions according to at least the one or more new behavior-based firewall rules inserted into the firewall table.  
17. (Original) The apparatus of claim 16, wherein the user's computer-related actions are associated with corresponding vulnerability ratings, wherein the user's one or more behavior-based risk scores are computed using the vulnerability ratings corresponding to the user's computer-related actions.  
18. (Original) The apparatus of claim 16, wherein the one or more behavior-based risk scores include one or more of a risk score associated with failed login attempts, of a risk score associated with accessing files, of a risk score associated with accessing servers in the enterprise, of a risk score associated with accessing the network, of a risk score associated with installing software, and of a risk score associated with executing processes.  
19. (Cancelled)   
20. (Cancelled)  
21. (Previously presented) The apparatus of claim 16, wherein the computer-readable storage medium further comprises instructions for controlling the one or more computer processors to be operable to regulate the user's computer-related actions includes at least one of allowing or denying the user from logging onto a computer system, allowing or denying the user access to a file or a server, allowing, denying, or redirecting a destination of a network access, allowing or denying the user from installing software, and allowing or denying execution of a process.  
22. (Cancelled)  
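
The method steps recited in claim 1 (log, score, build rules per action type, insert, periodically update, regulate), together with the vulnerability ratings of claim 5 and the allow/deny regulation of claim 8, illustrated as an added Python example; it is not part of the Office action or of the application. The rating values, `DENY_THRESHOLD`, `WINDOW`, the default-allow behaviour and all class and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed vulnerability ratings per action type (assumed values).
VULN_RATING = {"failed_login": 3, "file_access": 1, "server_access": 2,
               "software_install": 4, "process_exec": 2}
DENY_THRESHOLD = 6   # assumed: a per-type score at or above this builds a deny rule
WINDOW = 4           # assumed: only the most recent WINDOW logged events are scored


class BehaviorFirewall:
    def __init__(self):
        self.event_log = []   # logged events: (user, action_type)
        self.table = []       # firewall table: (user, action_type, verdict)

    def log_event(self, user, action):
        """Record a detected action together with the user who performed it."""
        if action not in VULN_RATING:
            raise ValueError(f"unknown action type: {action}")
        self.event_log.append((user, action))

    def compute_scores(self):
        """One behavior-based risk score per user and action type."""
        scores = defaultdict(lambda: defaultdict(int))
        for user, action in self.event_log[-WINDOW:]:
            scores[user][action] += VULN_RATING[action]
        return scores

    def periodic_update(self):
        """Rule builder: drop all previously built rules, then build one new
        rule per user and action type from the updated scores."""
        self.table = [
            (user, action, "deny" if score >= DENY_THRESHOLD else "allow")
            for user, per_type in self.compute_scores().items()
            for action, score in per_type.items()
        ]

    def regulate(self, user, action):
        """Apply the table; with no matching rule the action is allowed
        (an assumed default, the claims do not state one)."""
        for rule_user, rule_action, verdict in self.table:
            if (rule_user, rule_action) == (user, action):
                return verdict
        return "allow"
```

Because `periodic_update` replaces the whole table, a deny rule built from older events disappears once those events fall outside the scoring window, which is the delete-then-rebuild step the amended claims recite.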


Allowable Subject Matter
Claims 1, 4-5, 8-9, 12-13, 15-18 and 21 are allowed.
The following is an examiner's statement of reasons for allowance: This communication warrants no Examiner's Reason for Allowance; applicant's reply makes evident the reasons for allowance, satisfying the “record as a whole” proviso of the rule 37 CFR 1.104(e). Specifically, applicant’s arguments filed on 08/05/2021 and Examiner’s amendment make the record clear as to the reasons for allowance for this application; as such, the reasons for allowance are in all probability evident from the record and no statement is deemed necessary (see MPEP 1302.14).
Any comments Applicant considers necessary must be submitted no later than the payment of the Issue Fee and, to avoid processing delays, should preferably accompany the Issue Fee. Such submission should be clearly labeled "Comments on Statement of Reasons for Allowance". In the event of any post-allowance papers (e.g. IDS, 312 amendment, petition, etc.), Applicant is exhorted to mail papers to the Production Control branch in Publications or fax them to the post-allowance papers correspondence branch at (703) 308-5864 to expedite the issuing process, or to call PUB's Customer Service with any questions at (703) 305-8497.



Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure: 
US 20170134412 A1		ADAPTIVE BEHAVIOR PROFILING AND ANOMALY SCORING THROUGH CONTINUOUS LEARNING
US 20190260782 A1		ARTIFICIAL INTELLIGENCE RESEARCHER ASSISTANT FOR CYBERSECURITY ANALYSIS
US 20180375884 A1		DETECTING USER BEHAVIOR ACTIVITIES OF INTEREST IN A NETWORK
US 10348771 B2		Learned behavior based security
US 20200285737 A1		DYNAMIC CYBERSECURITY DETECTION OF SEQUENCE ANOMALIES
US 20200028862 A1		Distributed machine learning for anomaly detection
US 10904277 B1		Threat intelligence system measuring network threat levels
US 20160182556 A1		SECURITY RISK SCORE DETERMINATION FOR FRAUD DETECTION AND REPUTATION IMPROVEMEN
US 20080115190 A1		Methods, network services, and computer program products for dynamically assigning users to firewall policy groups
US 20190342286 A1		BIOMETRIC CYBERSECURITY AND WORKFLOW MANAGEMENT		
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON CHIANG whose telephone number is (571)270-3393.  The examiner can normally be reached on 9 AM to 6 PM.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JASON CHIANG/Primary Examiner, Art Unit 2431