Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Response to Arguments

Applicant argues that the prior art does not teach the limitations as claimed.  Examiner notes that the claims state “receiving a sequence of security events comprising n security events from a subset of n different log sources; parsing only the n security events from the subset of different log sources.”

Examiner asserts that the Applicant does not have support in the specification for said amendment.  The only portion of the specification that refers to a subset is [0052] which talks about “n’ different sources” and comprises a subset m’.   Mentions of logs in the specification are few and far between and do not specify “n different log sources” and certainly do not specify what a “subset” of logs would be.  Paragraph [0045] is one of the paragraphs that specifically mentions log sources.  Examiner questions what the subset is of.  For example, in context the claim might read that the subset of relevant security logs is a subset out of a total number of security logs.  

Furthermore, even if the specification did support a subset of log sources, the number of log sources surely would not be the exact same number of logs as the number of security events.  

Applicant argues that Puri does not teach preparing a security information and event monitoring (SIEM) solution anticipating future partial cyber-attacks.  
Examiner asserts that Ettema anticipates this claim limitation. 


Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-23 are rejected under 35 U.S.C. 112(a) or pre-AIA 35 U.S.C. 112, first paragraph, as based on a disclosure which is not enabling.  The disclosure does not enable one of ordinary skill in the art to practice the invention without “a subset of n different log sources” and “parsing only the n security events from the subset of different log sources”, which is/are critical or essential to the practice of the invention but not included in the claim(s). See In re Mayhew, 527 F.2d 1229, 188 USPQ 356 (CCPA 1976).



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-8, 12-19, 23 is/are rejected under 35 U.S.C. 103 as being unpatentable over Puri US 2018/0322283 in view of Ettema US 10,530,810 in view of Lem US 2019/0132344.
As per claims 1, 12, 23 Puri teaches A computer-implemented method, comprising: receiving a sequence of security events; determining, in the received sequence of security events, a first cyber-attack pattern using a correlation engine by applying a set of predefined rules for a detection of an indicator of compromise of a first partial cyber-attack of a cyber-attack chain, thereby identifying a specific cyber-attack chain; determining a type and an attribute in a pattern of the first partial cyber-attack of the identified specific cyber-attack chain; [0018][0019][0020][0024]-[0028] [0034] [0044][0046][0062] (teaches learning behavior and performing analytics and using computer models to find attributes and to correlate attack events)

Ettema teaches configuring at least one rule for a downstream partial cyber-attack in the specific cyber-attack chain based on the type and the attribute in an attack pattern of the first partial cyber-attack; and adding the at least one configured rule to the set of predefined rules to be used by the correlation engine for dynamically identifying security threats to information technology systems. Ettema teaches preparing a security information and event monitoring solution anticipating future partial cyber-attacks (Column 4 line 30 to Column 5 line 48) (Column 10 line 37 to Column 10 line 67) (teaches a plurality of attributes used to configure detection, and other identification techniques which are sent downstream to other clients in order to detect and prevent further attacks in a kill chain; configure new rules on firewalls)

It would have been obvious to one of ordinary skill in the art to use the rules of Ettema with the system of Puri because it would prevent further attacks and the spread of malware.

It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the phases and attributes of Lem with the prior art because it improves APT detection.

As per claims 2, 13, Ettema teaches The method according to claim 1, further comprising: determining, in the received sequence of security events, a second cyber-attack pattern using the correlation engine by applying the configured at least one rule for a detection of a second indicator of compromise in the second cyber-attack of the cyber-attack chain. (Column 4 line 30 to Column 5 line 48) (detecting other cyber attacks based on update rules)

As per claims 3, 14, Ettema teaches The method according to claim 1, wherein the set of rules uses information about malware attribute enumeration and characterization and structured threat information expressions. (Column 4 line 30 to Column 5 line 48) (detecting other cyber attacks based on update rules including attributes)

As per claims 4, 15, Ettema teaches The method according to claim 3, further comprising: updating the predefined rule set continuously by adding new indicators of compromise. (Column 4 line 30 to Column 5 line 48) (automatically generating new protections, detection methods and

Puri teaches The method according to claim 1, wherein the adding the at least one configured rule to the set of rules is performed by performing an action selected from the group consisting of: selectively configuring and/or activating correlation rules; grouping of rules; and prioritizing the configured and added at least one rule against generic rules. [0021][0024][0080][0081] [0097][0098] (teaches grouping of rules to combine to determine anomalies and kill chains)
As per claim 19 Puri teaches triggering an alarm signal after a predefined number of subsequent partial security attacks corresponding to one cyber-attack chain has been determined. [0021] (teaches alerts to anomalies which are partial attacks)
Claims 9, 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Puri US 2018/0322283 in view of Ettema US 10,530,810 in view of Lem US 2019/0132344 in view of Thioux US 2017/0289191.


As per claims 9, 20. Thioux teaches The method according to claim 1, further comprising: removing the at least one configured rule for a downstream partial cyber-attack in the specific cyber-attack chain in the set of rules if it is determined that a risk value for the specific cyber-attack chain is reduced to below a predetermined risk threshold value. [0278] (teaches removing rules when the list is determined low because a black list item has been determined to be of low or no risk)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the rule modification of Thioux with the previous prior art combination because it is more efficient.

Claims 10, 11, 21, 22 is/are rejected under 35 U.S.C. 103 as being unpatentable over Puri US 2018/0322283 in view of Ettema US 10,530,810 in view of Lem US 2019/0132344 in view of Thioux US 2017/0289191 in view of Reinecke US 2018/0004958.
As per claims 10, 21. Reinecke teaches The method according to claim 9, further comprising: removing the at least one configured rule for a downstream partial cyber-attack in the specific cyber-attack chain if correlation engine using the at least one configured rule did not determine a downstream cyber-attack pattern for a predefined time. [0025] (teaches removing rules/model if performing poorly and does not detect attacks)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the rule modification of Reinecke with the previous prior art combination because it is more efficient.
As per claim 11, Reinecke teaches The method according to claim 9, further comprising: removing a rule relating to at least one configured rule for a downstream partial cyber-attack in the specific cyber-attack chain in the set of rules from the repository of malware attribute enumeration and characterization and structured threat information expressions. [0025] (teaches removing rules/model if performing poorly and does not detect attacks)
As per claim 22, Reinecke teaches The system according to claim 20, wherein the instructions 
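The claim mappings above (claims 1, 2 and 19 for detecting a first partial attack, configuring a downstream rule from its type and attribute, and alarming after a predefined number of partial attacks in one chain; claims 9 and 10 for removing a configured rule when the chain's risk falls below a threshold or when the rule detects nothing for a predefined time) describe one mechanism. The following is an added illustration of that mechanism in Python; it is not code from the application, from the Office Action, or from Puri, Ettema, Lem, Thioux or Reinecke. The event fields, the brute-force and non-web-port heuristics, the kill-chain stage names, the sample events and every threshold are constructed assumptions chosen for the demonstration.

```python
# Added example: a minimal correlation engine with dynamically configured downstream rules.
# Not from the application or the cited references; all fields and thresholds are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Event:
    ts: int                                   # constructed timestamp, seconds
    kind: str                                 # log category, e.g. "auth" or "net"
    attrs: Dict[str, object] = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    stage: str                                # kill-chain phase the rule looks for
    match: Callable[[Event], bool]
    chain_id: Optional[str] = None            # None = generic predefined rule
    last_hit: Optional[int] = None            # last time the rule fired (or was created)


def brute_force(e: Event) -> bool:
    """Predefined rule (assumed): many failed logins from one host = initial access."""
    return e.kind == "auth" and e.attrs.get("failures", 0) >= 10


def configure_downstream_rule(stage: str, host: str, now: int) -> Rule:
    """Derive a rule for the next phase from the type (stage) and attribute (source host)
    of the first partial attack. Only the initial-access stage is handled in this toy."""
    if stage != "initial_access":
        raise ValueError(f"no downstream rule defined for stage {stage!r}")
    return Rule(
        name=f"c2-from-{host}",
        stage="command_and_control",
        # Assumed heuristic: outbound traffic from the compromised host on a non-web port
        match=lambda e: e.kind == "net" and e.attrs.get("src") == host
        and e.attrs.get("dst_port") not in (80, 443),
        chain_id=f"chain-{host}",
        last_hit=now,
    )


class CorrelationEngine:
    def __init__(self, rules: List[Rule], alarm_after: int = 2,
                 idle_timeout: int = 600, risk_threshold: float = 0.3):
        self.rules = list(rules)              # predefined rules plus configured ones
        self.alarm_after = alarm_after        # partial attacks per chain before alarming
        self.idle_timeout = idle_timeout      # seconds a configured rule may stay silent
        self.risk_threshold = risk_threshold
        self.chains: Dict[str, List[str]] = {}   # chain_id -> stages detected so far
        self.risk: Dict[str, float] = {}
        self.alarms: List[str] = []

    def process(self, events: List[Event]) -> List[str]:
        for e in events:
            for rule in list(self.rules):     # snapshot: new rules apply to later events
                if not rule.match(e):
                    continue
                rule.last_hit = e.ts
                host = str(e.attrs.get("src", "unknown"))
                chain_id = rule.chain_id or f"chain-{host}"
                stages = self.chains.setdefault(chain_id, [])
                if rule.stage not in stages:
                    stages.append(rule.stage)
                self.risk[chain_id] = 1.0
                # First partial attack of a chain: add a downstream rule from its type/attribute
                if rule.chain_id is None and not any(r.chain_id == chain_id for r in self.rules):
                    self.rules.append(configure_downstream_rule(rule.stage, host, e.ts))
                # Alarm once a predefined number of partial attacks belongs to one chain
                if len(stages) >= self.alarm_after and chain_id not in self.alarms:
                    self.alarms.append(chain_id)
        return self.alarms

    def set_risk(self, chain_id: str, value: float) -> None:
        """Re-score a chain; its configured rules are removed below the risk threshold."""
        self.risk[chain_id] = value
        if value < self.risk_threshold:
            self.rules = [r for r in self.rules if r.chain_id != chain_id]

    def expire(self, now: int) -> List[str]:
        """Remove configured rules that detected nothing for idle_timeout seconds."""
        dropped = [r.name for r in self.rules if r.chain_id and r.last_hit is not None
                   and now - r.last_hit > self.idle_timeout]
        self.rules = [r for r in self.rules if r.name not in dropped]
        return dropped

    def configured_rules(self) -> List[str]:
        return [r.name for r in self.rules if r.chain_id]


# Constructed sample events: a brute-force burst from 10.0.0.5, unrelated web traffic from
# another host, then non-web outbound traffic from 10.0.0.5 (the downstream partial attack).
SAMPLE_EVENTS = [
    Event(1000, "auth", {"src": "10.0.0.5", "user": "svc", "failures": 12}),
    Event(1005, "net", {"src": "10.0.0.9", "dst_port": 443}),
    Event(1030, "net", {"src": "10.0.0.5", "dst_port": 8443}),
]


def run_demo() -> dict:
    engine = CorrelationEngine([Rule("brute-force", "initial_access", brute_force)])
    alarms = engine.process(SAMPLE_EVENTS)
    return {"alarms": list(alarms), "configured": engine.configured_rules(),
            "stages": dict(engine.chains)}


if __name__ == "__main__":
    print(run_demo())
```

Running the demo yields one alarm for the chain rooted at 10.0.0.5: the predefined brute-force rule fires on the first event, the engine configures a command-and-control rule keyed to that host, and the third event trips it, reaching the two-partial-attack alarm threshold. Calling `set_risk` with a value below the threshold, or `expire` after the idle timeout, drops the configured rule while leaving the predefined one in place.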

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833.  The examiner can normally be reached on M-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439