Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. This Office Action is responsive to the communications filed on 27 February 2019. Claims 1-20 are pending.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-3, 5-7, 9-12 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Teller et al. (US 2018/0349599 A1) in view of Wechsler (US 2017/0103194 A1).
Per claim 1, Teller discloses a cybersecurity system (e.g., Botnet detection system 130-2 as shown in Fig. 3; paragraph [0038], “FIG. 3 shows a simplified example of the server 130-2.  In one example, the server 130-2 may constitute a Botnet detection system configured to detect a computer included as part of a Botnet…”), comprising: 
at least one processor (e.g., processor 170 as shown in Fig. 3; paragraph [0038]; paragraph [0040]); 
a digital memory (e.g., memory 180 as shown in Fig. 3; paragraph [0038]) in operable communication with the processor (paragraph [0038]);
a machine learning model which has been trained using a collection of training-tuples (e.g., Step 512 illustrates wherein a supervised machine learning algorithm or machine learning model is trained using historical data and known labels associated with a plurality of different computers; paragraph [0062], “Continuing, at 510, weights are assigned to the features based on the probability data to provide weighted features. At 512, a supervised machine learning algorithm is trained using historical data and known labels associated with a plurality of different computers (i.e., computers that are different than the computer that is being examined as a potential Botnet computer).”), each training-tuple including: a training-tuple actor-id identifying a training-tuple actor (e.g., Step 504 as shown in Fig. 5; paragraph [0061]), a training-tuple resource-id identifying a training-tuple resource in a guarded computing system (GCS) (e.g., Step 502 as shown in Fig. 5; paragraph [0061]), and at least one rating based on how many times the training-tuple actor attempted to access the training-tuple resource (e.g., Step 512 as shown in Fig. 5; paragraph [0061], “… At 508, probability data is generated based on the Netflow data and the passive DNS data. The probability data indicates a probability that the computer accessed the one or more domains.”; paragraph [0062], “Continuing, at 510, weights are assigned to the features based on the probability data to provide weighted features. At 512, a supervised machine learning algorithm is trained using historical data and known labels associated with a plurality of different computers (i.e., computers that are different than the computer that is being examined as a potential Botnet computer).”; paragraph [0065]; Examiner’s Note: Examiner is interpreting the weights assigned to the features based on the probability data as a rating since the probability data indicates a probability that a computer accessed one or more domains. Thus, Teller discloses the at least one rating based on how many times the training-tuple actor attempted to access the training-tuple resource.); but does not expressly disclose:
a risk assessor code which upon execution by the processor performs a process that includes (a) feeding a pair to the machine learning model, the pair including a pair actor-id identifying a pair actor and a pair resource-id identifying a pair resource in the GCS, (b) receiving from the machine learning model a recommendation score which is computed at least in part by collaborative filtering based on at least training from a plurality of the training-tuples, and (c) performing at least one cybersecurity action based on the recommendation score, including at least one of: a risk acceptance action which accepts a risk R, and a risk mitigation action which aids mitigation of the risk R, wherein R denotes a risk that the pair represents an unauthorized attempt by the pair actor to access the pair resource, and wherein the recommendation score has an inverse relationship to the risk R.
Wechsler discloses a risk assessor code (e.g., method 300 as shown in Fig. 3; Abstract; paragraphs [0069-0070]) which upon execution by the processor performs a process that includes (a) feeding a pair to the machine learning model, the pair including a pair actor-id identifying a pair actor and a pair resource-id identifying a pair resource in the GCS (e.g., Step 105 as shown in Fig. 1; paragraph [0058]), (b) receiving from the machine learning model a recommendation score which is computed at least in part by collaborative filtering based on at least training from a plurality of the training-tuples (e.g., Steps 110 and 120 as shown in Fig. 1; paragraphs [0059-061]), and (c) performing at least one cybersecurity action based on the recommendation score (e.g., Step 125 as shown in Fig. 1; paragraph [0062]), including at least one of: a risk acceptance action which accepts a risk R, and a risk mitigation action which aids mitigation of the risk R, wherein R denotes a risk that the pair represents an unauthorized attempt by the pair actor to access the pair resource (e.g., Step 130 as shown in Fig. 1; paragraph [0063]), and wherein the recommendation score has an inverse relationship to the risk R (paragraph [0079]).
It would have been obvious for a person of ordinary skill in the art before the effective filing date of the claimed invention to use the active authentication of Wechsler in the botnet detection of Teller for the purpose of preventing unauthorized actions and improving security as suggested by Wechsler.
Per claim 2, Teller and Wechsler disclose the system of claim 1, wherein the actor-ids each identify at least one of the following: a username, an account, a group of accounts, a role, an agent, a service, a process, a device, one or more IP addresses, or one or more ports (Teller, paragraph [0005], “… The botnet detection application may be configured to obtain (i) Netflow data indicating one or more IP addresses accessed by a computer and (ii) passive Domain Name System (DNS) data indicating respective one or more domains associated with each of the one or more IP addresses ...”; paragraph [0008]; paragraph [0061]).
Per claim 3, Teller and Wechsler disclose the system of claim 1, wherein the resource-ids each identify at least one of the following: a storage resource, a virtual machine, a database, a database table, an application program interface, one or more IP addresses, a device, an object, an application program, a network interface, a service, a blob, a block, a log, a queue, a container, or a file (Teller, paragraph [0061], “… The method 500 begins at 502 where Netflow data is obtained from one or more routers. The Netflow data indicates one or more IP addresses accessed by a computer ….”).
Per claim 5, Teller and Wechsler disclose the system of claim 1, further comprising at least one of the following optimization codes:
a clustering code which upon execution clusters actor-ids and resource-ids based at least in part on co-occurrence (Wechsler, paragraph [0048]; paragraph [0051], “… Collaborative filtering may leverage crowd outsourcing and neighborhood methods, in general, and clustering, ratings or rankings, and similarity, for example, to learn about others including imposters or unauthorized users and to model them (e.g., similar to Universal Background Models (UBM)).”; paragraph [0066]). Wechsler discloses the clustering code.
Per claim 6, Teller and Wechsler disclose the system of claim 1, wherein the machine learning model comprises clustered pairs (Wechsler, paragraph [0073]; paragraph [0079], “…Transactions such as pair-wise transactions that may be similar to challenge-response pairs used for security purposes may be collected and either clustered (e.g., as described in the method 400 of FIG. 4) or used in raw form. During an ongoing session or engagement and/or interaction with the device, a recommendation or prediction such as a filtering recommendation or prediction may be determined or made about what "response" may come next (e.g., by an authorized or legitimate user)…”).
Per claim 7, Teller and Wechsler disclose the system of claim 1, wherein the machine learning model comprises matrix factorization code (Wechsler, paragraph [0054]).
Per claim 9
forming a pair in response to an actor attempting to access a resource of a guarded computing system (GCS), the pair including: an actor-id identifying the actor, a resource-id identifying the resource (e.g., Step 506 as shown in Fig. 5; paragraph [0061], “… At 506, features associated with the computer are generated based on the Netflow data and passive DNS data ….”); but does not expressly disclose:
submitting the pair to a risk assessor code which in turn feeds the pair to a machine learning model which has been trained using a collection of training-tuples, each training-tuple including: a training-tuple actor-id identifying a training-tuple actor, a training-tuple resource-id identifying a training-tuple resource, and at least one rating based on how many times the training-tuple actor attempted to access the training-tuple resource, the machine learning model configured to perform collaborative filtering;
receiving from the machine learning model a recommendation score of the pair computed using collaborative filtering;
implementing an inverse relationship between the recommendation score and a risk score, whereby a high recommendation score corresponds to a low risk score and a low recommendation score corresponds to a high risk score; and
performing at least one of the following cybersecurity actions based at least in part on the risk score or recommendation score or both: mitigating a risk by preventing or terminating access by the actor to the resource, mitigating a risk by alerting an administrator, mitigating a risk by alerting a security tool, mitigating a risk by flagging the actor or the resource or both as a candidate for further
Wechsler discloses:
submitting the pair to a risk assessor code which in turn feeds the pair to a machine learning model which has been trained using a collection of training-tuples (e.g., Step 105 as shown in Fig. 1; paragraph [0058]), each training-tuple including: a training-tuple actor-id identifying a training-tuple actor, a training-tuple resource-id identifying a training-tuple resource, and at least one rating based on how many times the training-tuple actor attempted to access the training-tuple resource, the machine learning model configured to perform collaborative filtering (e.g., Steps 110 and 120 as shown in Fig. 1; paragraphs [0059-061]);
receiving from the machine learning model a recommendation score of the pair computed using collaborative filtering (e.g., Step 125 as shown in Fig. 1; paragraph [0062], “At 125, scores or results for the collaborative filtering and/or covert challenges, prompts, and/or triggers may be received and analyzed or evaluated...”);
implementing an inverse relationship between the recommendation score and a risk score, whereby a high recommendation score corresponds to a low risk score and a low recommendation score corresponds to a high risk score (paragraph [0079]); and
performing at least one of the following cybersecurity actions based at least in part on the risk score or recommendation score or both: mitigating a risk by preventing or terminating access by the actor to the resource (e.g., Step 130 as shown in Fig. 1; paragraph [0063]), mitigating a risk by alerting an administrator, mitigating a risk by alerting a security tool, mitigating a risk by flagging the actor or the resource or both as a candidate for further security investigation, accepting a risk by marking the pair as accepted, accepting a risk by logging the pair as accepted, accepting a risk by allowing the actor to access the resource, or accepting a risk by allowing the actor to continue an access to the resource which has started. Examiner’s Note: Wechsler discloses mitigating a risk by preventing or terminating access by the actor to the resource

It would have been obvious for a person of ordinary skill in the art before the effective filing date of the claimed invention to use the active authentication of Wechsler in the botnet detection of Teller for the purpose of preventing unauthorized actions and improving security as suggested by Wechsler.
Per claim 10, Teller and Wechsler disclose the method of claim 9, further comprising training the machine learning model using a training set of training-tuples (Teller, e.g., Step 512 as shown in Fig. 5; paragraph [0062]).
Per claim 11,
reading data from the resource (Teller, e.g., Step 502 as shown in Fig. 5; paragraph [0061]; Examiner’s Note: Teller discloses reading data from one or more routers.);
Per claim 12, Teller and Wechsler disclose the method of claim 9, wherein forming the pair is further characterized in that:
the actor-id identifies at least one of the following: a username, an account, a group of accounts, a role, an agent, a service, a process, a device, one or more IP addresses, or one or more ports (Teller, e.g., Step 504 as shown in Fig. 5; paragraph [0061]); and
the resource-id identifies at least one of the following: a storage resource, a virtual machine, a database, a database table, an application program interface, one or more IP addresses, a device, an object, an application program, a network interface, a service, a blob, a block, a log, a queue, a container, or a file (Teller, e.g., Step 502 as shown in Fig. 5; paragraph [0061]; Teller identifies a router device.).
Per claim 14, Teller and Wechsler disclose the method of claim 9, further comprising calculating ratings of training-tuples using code which gives greater relative .
Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Teller et al. (US 2018/0349599 A1) in view of Wechsler (US 2017/0103194 A1), and further in view of Devi Reddy et al. (Hereinafter, Devi Reddy, US 2017/0118240 A1).
Per claim 4, Teller and Wechsler disclose the system of claim 1, but do not expressly disclose wherein a plurality of the training-tuple ratings give greater relative weight to lower access attempt counts than to higher access attempt counts.
Devi Reddy discloses wherein a plurality of the training-tuple ratings give greater relative weight to lower access attempt counts than to higher access attempt counts (paragraph [0097]; paragraph [0093]; paragraph [0099]). Figure 5 illustrates allowing entities having low threat scores to continue behaviors; entities having high threat scores to be quarantined; and
It would have been obvious for a person of ordinary skill in the art before the effective filing date of the claimed invention to use the security threat detection of Devi Reddy with the botnet detection of Teller and Wechsler for the purpose of preventing unauthorized actions and improving security as suggested by Wechsler.
Claims 8 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Teller et al. (US 2018/0349599 A1) in view of Wechsler (US 2017/0103194 A1), and further in view of Ng et al. (Hereinafter, Ng, US 2016/0248800 A1).
Per claim 8,
a training-tuple actor-id which contributed to the recommendation score;
a training-tuple resource-id which contributed to the recommendation score;
a name or description or both of a latent feature of the trained machine learning model which has a qualitative correlation with the recommendation score;
a recommendation score threshold for performing a risk acceptance action; or
a recommendation score threshold for performing a risk mitigation action.
Ng discloses an explanation code which upon execution displays one or more of the following:
a recommendation score threshold for performing a risk mitigation action (paragraph [0052], “In response to calculating a diversity and/or similarity score, the recommendation module 140 can be executed to provide the end user with some type of actionable feedback. For example, the recommendation module 140 can provide the end user one or more actions to the end user based on the diversity score and the clusters of similar variables. These one or more actions potentially increase the diversity score if enacted by the end user.
It would have been obvious for a person of ordinary skill in the art before the effective filing date of the claimed invention to use the cyber-attack vulnerability analyses of Ng with the botnet detection of Teller and Wechsler for the purpose of reducing cyber security vulnerabilities as suggested by Ng.
Per claim 15, Teller and Wechsler disclose the method of claim 9, but do not disclose the method as further comprising displaying one or more of the following:
a training-tuple actor-id which contributed to the recommendation score;
a training-tuple resource-id which contributed to the recommendation score;
a name or description or both of a latent feature of the trained machine learning model which has a qualitative correlation with the recommendation score;
a recommendation score threshold for performing a risk acceptance action; or
a recommendation score threshold for performing a risk mitigation action.
Ng discloses an explanation code which upon execution displays one or more of the following:
a recommendation score threshold for performing a risk mitigation action (paragraph [0052], “In response to calculating a diversity and/or similarity score, the recommendation module 140 can be executed to provide the end user with some type of actionable feedback. For example, the recommendation module 140 can provide the end user one or more actions to the end user based on the diversity score and the clusters of similar variables. These one or more actions potentially increase the diversity score if enacted by the end user.”; paragraph [0062]; paragraph [0072-0073]). Ng discloses feedback in response to feedback from an end user in response to providing the diversity score or recommendation score threshold.
It would have been obvious for a person of ordinary skill in the art before the effective filing date of the claimed invention to use the cyber-attack vulnerability analyses of Ng with the botnet detection of Teller and Wechsler for the purpose of reducing cyber security vulnerabilities as suggested by Ng.
Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Teller et al. (US 2018/0349599 A1) in view of Wechsler (US 2017/0103194 A1), and further in view of Baker (US 2020/0143240 A1).
Per claim 13, Teller and Wechsler disclose the method of claim 9 but do not disclose the method, further comprising:
testing the machine learning model using a testing set of testing-tuples which includes multiple tuples that were not used as training-tuples; and 
tuning the machine learning model by adjusting at least one of the following hyperparameters: a number of latent features, a maximum number of iterations, a fitting accuracy, or a learning rate.
Baker discloses: 
testing the machine learning model using a testing set of testing-tuples which includes multiple tuples that were not used as training-tuples (e.g., Step 1205 as Examiner’s Note: Baker teaches testing the machine learning model using a testing set outside of the baseline.); and
tuning the machine learning model by adjusting at least one of the following hyperparameters: a number of latent features, a maximum number of iterations, a fitting accuracy, or a learning rate (paragraph [0099]; paragraph [0109]; paragraph [0110]; Baker teaches changing a hyperparameter called the learning rate.).
It would have been obvious for a person of ordinary skill in the art before the effective filing date of the claimed invention to use the robust anti-adversarial machine learning of Baker with the botnet detection of Teller and Wechsler for the purpose of making machine learning more robust as suggested by Baker.
Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Teller et al. (US 2018/0349599 A1) in view of Wechsler (US 2017/0103194 A1), and further in view of Tang et al. (Hereinafter, Tang, US 2017/0148085 A1).
Per claim 16, Teller and Wechsler disclose the method of claim 9 but do not disclose the method, further comprising computing the recommendation score, and wherein computing the recommendation score comprises doing a matrix factorization.
Tang discloses computing the recommendation score (e.g., Block 408 as shown in Fig. 4; paragraph [0045]), and wherein computing the recommendation score comprises doing a matrix factorization (Abstract; e.g., Block 402 as shown in Fig. 4; paragraph [0044]).
It would have been obvious for a person of ordinary skill in the art before the effective filing date of the claimed invention to use the scalable matrix factorization of Tang with the botnet detection of Teller and Wechsler for the purpose of personalized recommendations as suggested by Tang.
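The pipeline recited in claims 9, 13 and 16 above (training-tuples of actor-id, resource-id and an access-count rating; a matrix-factorization collaborative filter tuned by number of latent features, maximum iterations and learning rate; a recommendation score inverted into a risk score; a threshold-selected cybersecurity action), shown as an added illustration that is not code from the Office Action or from any cited reference. The sample access log, the log1p rating scheme (one way to give lower counts greater relative weight, as in claim 4), the unseen-pair policy and the action thresholds are all assumptions.

```python
import math
import random

# Constructed sample access log: (actor_id, resource_id, access_attempt_count).
TRAINING_LOG = [
    ("alice", "db-users", 40), ("alice", "blob-reports", 25), ("alice", "api-billing", 12),
    ("bob", "db-users", 35), ("bob", "blob-reports", 30), ("bob", "vm-build-01", 18),
    ("carol", "vm-build-01", 50), ("carol", "log-ci", 22), ("carol", "api-billing", 9),
    ("dave", "log-ci", 28), ("dave", "vm-build-01", 15), ("dave", "db-users", 3),
]
# Assumed thresholds on the risk score (not values taken from the page).
PREVENT_AT, FLAG_AT = 0.7, 0.4


def rating_from_count(count):
    """Rating from an attempt count. log1p gives lower counts greater relative
    weight: the first attempt moves the rating far more than the fortieth."""
    return math.log1p(count)


def make_training_tuples(log):
    """Training-tuples in the claimed shape: (actor-id, resource-id, rating)."""
    return [(a, r, rating_from_count(c)) for a, r, c in log]


class MFRiskModel:
    """Matrix-factorization collaborative filter, score(a, r) = mu + P[a] . Q[r],
    fit by regularized SGD; n_latent, max_iter and learning_rate are the
    hyperparameters named in claim 13."""

    def __init__(self, n_latent=3, max_iter=400, learning_rate=0.05, reg=0.02, seed=7):
        self.k, self.max_iter, self.lr, self.reg = n_latent, max_iter, learning_rate, reg
        self.rng = random.Random(seed)
        self.P, self.Q, self.mu, self.max_rating = {}, {}, 0.0, 1.0

    def _vec(self):
        return [self.rng.uniform(-0.3, 0.3) for _ in range(self.k)]

    def fit(self, tuples):
        self.mu = sum(t[2] for t in tuples) / len(tuples)
        self.max_rating = max(t[2] for t in tuples)
        for a, r, _ in tuples:
            self.P.setdefault(a, self._vec())
            self.Q.setdefault(r, self._vec())
        for _ in range(self.max_iter):
            for a, r, y in tuples:
                p, q = self.P[a], self.Q[r]
                err = y - (self.mu + sum(pi * qi for pi, qi in zip(p, q)))
                for i in range(self.k):  # SGD step on both latent vectors
                    pi, qi = p[i], q[i]
                    p[i] += self.lr * (err * qi - self.reg * pi)
                    q[i] += self.lr * (err * pi - self.reg * qi)
        return self

    def recommendation_score(self, actor, resource):
        """A pair whose actor or resource never appears in the training-tuples
        has no collaborative support, so it gets the minimum score (assumed)."""
        if actor not in self.P or resource not in self.Q:
            return 0.0
        return self.mu + sum(pi * qi for pi, qi in zip(self.P[actor], self.Q[resource]))

    def risk_score(self, actor, resource):
        """Inverse relationship: high recommendation -> low risk, clamped to [0, 1]."""
        norm = min(max(self.recommendation_score(actor, resource) / self.max_rating, 0.0), 1.0)
        return 1.0 - norm


def select_action(risk):
    """Mitigation or acceptance action chosen from the risk score."""
    if risk >= PREVENT_AT:
        return "prevent-access"
    if risk >= FLAG_AT:
        return "flag-for-investigation"
    return "accept-and-log"


def assess(model, actor, resource):
    """Form the pair, score it and select an action, as the claimed method does."""
    risk = model.risk_score(actor, resource)
    return {"pair": (actor, resource), "risk": risk, "action": select_action(risk)}
```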
Claims 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Wechsler (US 2017/0103194 A1) in view of Teller et al. (US 2018/0349599 A1).
Per claim 17, Wechsler discloses a storage medium configured with code which upon execution by a processor performs a cybersecurity method (e.g., non-removable memory 630 as shown in Fig. 6; paragraph [0093]), the method comprising: 
submitting a pair to a machine learning model which has been trained using a collection of training-tuples (e.g., Step 105 as shown in Fig. 1; paragraph [0058]), and at least one rating based on how many times the training-tuple actor attempted to access the training-tuple resource (e.g., Steps 110 and 120 as shown in Fig. 1; paragraphs [0059-061]);
the machine learning model computing a recommendation score of the pair using collaborative filtering (e.g., Step 125 as shown in Fig. 1; paragraph [0062], “At 125, scores or results for the collaborative filtering and/or covert challenges, prompts, and/or triggers may be received and analyzed or evaluated...
selecting at least one cybersecurity action for performance, based at least in part on the recommendation score (e.g., Step 110 as shown in Fig. 1; paragraph [0059]).
Wechsler does not expressly disclose the pair including an actor-id and a resource-id, each training-tuple including: a training-tuple actor-id identifying a training-tuple actor, a training-tuple resource-id identifying a training-tuple resource.
Teller discloses the pair including an actor-id and a resource-id, each training-tuple including: a training-tuple actor-id identifying a training-tuple actor, a training-tuple resource-id identifying a training-tuple resource (e.g., Steps 502-504 as shown in Fig. 5; paragraph [0061]; paragraph [0062], “Continuing, at 510, weights are assigned to the features based on the probability data to provide weighted features. At 512, a supervised machine learning algorithm is trained using historical data and known labels associated with a plurality of different computers (i.e., computers that are different than the computer that is being examined as a potential Botnet computer).”).
It would have been obvious for a person of ordinary skill in the art before the effective filing date of the claimed invention to use the botnet detection of Teller in the active authentication of Wechsler for the purpose of preventing unauthorized actions and improving security as suggested by Teller.
Per claim 18
Per claim 19, Wechsler and Teller disclose the storage medium of claim 17, further comprising performing at least one selected cybersecurity action involving a user and a storage item, the user being identified by the pair actor-id, the storage item being identified by the pair resource-id, and wherein the selected and performed cybersecurity action includes at least one of the following:
preventing access by the user to the storage item when the computed recommendation score is lower than a specified access-prevention threshold (Wechsler, Step 130 as shown in Fig. 1; paragraph [0062]; paragraph [0063]);
Per claim 20, Wechsler and Teller disclose the storage medium of claim 17, wherein:
the pair actor-id includes at least one of the following identifiers: a source IP address, a source port number, a username, a user agent ID, a user group ID, a
the pair resource-id identifies at least one of the following storage items: a storage resource, a database, a database table, one or more IP addresses, a device, an object, a network interface, a service, a blob, a block, a log, a queue, a container, or a file (Teller, e.g., Step 502 as shown in Fig. 5; paragraph [0061]; Teller identifies a router device.).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DARRIN HOPE whose telephone number is (571)270-5079. The examiner can normally be reached Mon-Thr - 7-4:30, Fri - 7-3:30, Alt. Fri Off.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kieu D Vu can be reached on (571)272-4057. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and 

DARRIN HOPE
Examiner
Art Unit 2173



/TADESSE HAILU/Primary Examiner, Art Unit 2173