Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendments
Amended claims 1, 3, 5-7 and 9-12 were considered under 35 USC 112, 101 and 103 for patentability over the closest analogous prior art, Muddu et al. (US 20170063905), hereafter Mud, and Mitelman et al. (US 20180068119), hereafter Mit. Applicant's arguments have been fully considered and are persuasive. Claims 2, 4 and 8 are cancelled.

Allowable Subject Matter
1.	Amended claims 1, 3, 5-7, 9-12 are allowed in light of applicant’s arguments, approved examiner’s proposed amendments and in light of prior art(s) made of record. 

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.  Authorization for this examiner’s amendment was given in an interview with Joseph Drish (attorney) for filed amended claims on 11-01-2021:
1. (Currently amended) A method of threat control in a computer network security system, the method comprising:
monitoring, by a server in the computer network security system, events collected from a plurality of network nodes, wherein the events are collected data blocks;

monitoring, by the server, the behavior of the first suspicious event and any related events, wherein the monitoring comprises monitoring a behavior of a computer process and any child processes thereof;
in case the monitored first suspicious event and/or a related event is detected, by the server, to perform an activity triggering an IOC (indicator of compromise), generating a new IOC, wherein the activity comprises creating a registry launch point, the new IOC derived at least in part from said registry launch point, creating a file in an unusual location, creating a file with an unusual name, communication to an unknown Internet Protocol (IP) address, communication to an unknown IP domain, and the generating of the new IOC comprises synthesizing, by the server, the new IOC on the basis of the behavior of the computer process and any child processes of the detected first suspicious event and the 
monitoring, by the server, new events when the activity ends;
comparing, by the server, the behavior of the new events with the behavior of the generated IOC;
in case a matching behavior is found, merging, by the server, the new event with the first suspicious event and/or related events related to the generated IOC; and
generating, by the server, a security related decision on the basis of the IOC.

2. (Canceled)

3. (Original) The method according to claim 1, wherein the detection mechanisms used to detect the suspicious event comprises using at least one of: a machine learning models, a scanning engine, a heuristic rule, a statistical anomaly detection, fuzzy logic based models, predetermined rules.

4. (Canceled) 

5. (Original) The method according to claim 1, wherein the monitoring of new events takes place after reboot of a computer system related to the network node that is being monitored or after other event inducing breaking of a process group identifier chain related to the first suspicious event that is being monitored.

6. (Original) The method according to claim 1, wherein in case the generated security related decision determines that signs of a security breach have been detected, taking further action to secure the computer network and/or any related network node, wherein the further action comprises one or more of the list of:
preventing one or more of the network nodes from being switched off;
switching on a firewall at one or more of the network nodes;
warning a user of one or more of the network nodes that signs of a security breach
have been detected; and/or
sending a software update to one or more of the network nodes.

7. (Currently amended) A server comprising a non-transitory memory storing computer program code, and one or more processors for executing the code for performing:
monitoring, by the server, events collected from a plurality of network nodes, wherein the events are collected data blocks;
detecting, by the server, a first suspicious event among the monitored events by a detection mechanism;
monitoring, by the server, the behavior of the first suspicious event and any related events wherein the monitoring comprises monitoring a behavior of a computer process and any child process thereof;

monitoring, by the server, new events when the activity ends;
comparing, by the server, the behavior of the new events with the behavior of the generated IOC, wherein the activity comprises creating a registry launch point, the new IOC derived at least in part from said registry launch point, creating a file in an unusual location, creating a file with an unusual name, communication to an unknown Internet Protocol (IP) address, communication to an unknown IP domain, and the generating of the new IOC comprises synthesizing, by the server, the new IOC on the basis of the behavior of the computer process and any child processes of the detected first suspicious event and the 
in case a matching behavior is found, merge, by the server, the new event with the first suspicious event and/or related events related to the generated IOC; and
generate, by the server, a security related decision on the basis of the IOC.

8. (Canceled)

9. (Original) The server according to claim 7, wherein the detection mechanisms used to detect the suspicious event comprises using at least one of: a machine learning models, a scanning engine, a heuristic rule, a statistical anomaly detection, fuzzy logic based models, predetermined rules.

10. (Original) The server according to claim 7, wherein the monitoring of new events takes place after reboot of a computer system related to the network node that is being monitored or after other event inducing breaking of a process group identifier chain related to the first suspicious event that is being monitored.


preventing one or more of the network nodes from being switched off;
switching on a firewall at one or more of the network nodes;
warning a user of one or more of the network nodes that signs of a security breach
have been detected; and/or
sending a software update to one or more of the network nodes.

12. (Currently amended) A non-transitory computer storage medium having stored thereon computer program code for threat control in a computer network security system, the program code being configured to cause:
monitoring, by a server in the computer network security system, events collected from a plurality of network nodes, wherein the events are collected data blocks;
detecting, by the server, a first suspicious event among the monitored events by a detection mechanism;
monitoring, by the server, the behavior of the first suspicious event and any related events, wherein the monitoring comprises monitoring a behavior of a computer process and any child processes thereof;
in case the monitored first suspicious event and/or a related event is detected, by the server, to perform an activity triggering an IOC (indicator of compromise), generating a new IOC, wherein the activity comprises creating a registry launch point, the new IOC derived at least in part from said registry launch point, creating a file in an unusual location, creating a file with an unusual name, communication to an unknown Internet Protocol (IP) address, communication to an unknown IP domain, and the generating of the new IOC comprises behavior of the computer process and any child processes of the detected first suspicious event and the 
monitoring, by the server, new events when the activity ends;
comparing, by the server, the behavior of the new events with the behavior of the generated IOC;
in case a matching behavior is found, merging, by the server, the new event with the first suspicious event and/or related events related to the generated IOC; and 
generating, by the server, a security related decision on the basis of the IOC.
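The procedure recited in claims 1, 7 and 12, as an added Python example that is not part of the application or of the examiner's action: a suspicious process and its child processes are followed, an IOC is synthesized from a triggering activity (here a registry launch point), and after the process chain is broken the same behaviour in new events is matched and merged into the original incident. The event records, the heuristic detection rule, the directory list and the registry path are constructed for illustration.

```python
# Added example (not from the application): a toy of the claimed pipeline.
# Detect a suspicious process, follow its children, synthesize an IOC from a
# triggering activity, then re-identify that behaviour once the process chain
# is broken (e.g. after reboot) and merge it into the original incident.
TRIGGERS = {"registry_launch_point", "file_unusual_location", "connect_unknown_ip"}
UNUSUAL_DIRS = ("C:\\Users\\Public\\", "C:\\Windows\\Temp\\")  # constructed list

def is_suspicious(ev):
    # Detection mechanism (claim 3): a constructed heuristic rule, "process
    # image started from an unusual directory".
    return ev["type"] == "process_start" and ev["detail"].startswith(UNUSUAL_DIRS)

class ThreatControl:
    def __init__(self):
        self.tracked = {}    # pid -> incident id for the suspicious process tree
        self.iocs = {}       # incident id -> set of (activity, detail) behaviours
        self.events = {}     # incident id -> events merged into it
        self.merged = set()  # incidents re-identified after the chain broke

    def handle(self, ev):
        # Attach the event to an incident and return its id, or None.
        pid, ppid, beh = ev["pid"], ev.get("ppid"), (ev["type"], ev["detail"])
        inc = self.tracked.get(pid, self.tracked.get(ppid))
        if inc is None and is_suspicious(ev):
            inc = len(self.events) + 1            # open a new incident
        elif inc is None:
            # Chain broken (fresh pids after reboot): compare the behaviour
            # of the new event with every generated IOC and merge on a match.
            inc = next((i for i, ioc in self.iocs.items() if beh in ioc), None)
            if inc is not None:
                self.merged.add(inc)
        if inc is None:
            return None
        self.tracked[pid] = inc                   # follow child processes
        self.events.setdefault(inc, []).append(ev)
        if ev["type"] in TRIGGERS:                # activity triggering an IOC
            self.iocs.setdefault(inc, set()).add(beh)
        return inc

    def decision(self, inc):
        return "signs_of_breach" if inc in self.merged else "keep_monitoring"

RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"
SAMPLE = [  # constructed: dropper spawns cmd.exe, which adds a Run-key launch point
    {"pid": 100, "ppid": 4, "type": "process_start", "detail": "C:\\Users\\Public\\upd.exe"},
    {"pid": 101, "ppid": 100, "type": "process_start", "detail": "C:\\Windows\\System32\\cmd.exe"},
    {"pid": 101, "ppid": 100, "type": "registry_launch_point", "detail": RUN_KEY},
    {"pid": 200, "ppid": 4, "type": "process_start", "detail": "C:\\Windows\\explorer.exe"},
    {"pid": 300, "ppid": 200, "type": "registry_launch_point", "detail": RUN_KEY},  # after reboot
]

def run(events):
    tc = ThreatControl()
    return [tc.handle(ev) for ev in events], tc.decision(1)
```

The unrelated explorer.exe start is not merged because its behaviour is in no generated IOC, while the post-reboot launch-point event is merged even though it shares no pid with the original process tree.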

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
As to the independent claim 1, the prior art of reference Mud teaches [0141] receive/monitor events that occur on the cloud-based servers and the security platform monitors a hybrid of both intranet and cloud-based network traffic; [0147] real-time processing path is configured to continuously monitor and analyze the incoming event data to uncover anomalies and threats; [0182] security platform detects anomalies ([0149] detected variation from an expected pattern of behavior on the part of an entity) and threats by determining baselines and comparing activities of those entities to their behavior baselines…; [0344, 414] the shared model state enables the batch event processing engine to use new knowledge gained by the real-time event processing engine from processing the unbounded stream of event data to inspect the event data to discover a security-related issue after new knowledge is added... and [404, 414] by comparing the subset of the threat indicator data against pre-configured patterns or pre-set rules associated with each candidate security threat; [0221, 345, 427] after the batch event processing engine performs an analysis on the historic event data to detect a security-related issue, the analysis 

Further, a second prior art of record Mit teaches [0017] responsive to determining that the correlated first set of items of threat information indicate a malicious action type, creating a new security indicator comprising information from the correlated first set of items of threat information and associating the new security indicator with the malicious action type.

None of the other prior art of record, alone or in any combination, anticipates or renders obvious the claimed invention of the present application at or before the time it was filed. The prior art of record fails to teach: monitoring events collected from a plurality of network nodes, detecting a first suspicious event among the monitored events by a detection mechanism and monitoring the behaviour of the first suspicious event and any related events. In case the monitored first suspicious event and/or a related event is detected to perform an activity triggering an indicator of compromise (IOC), generating a new IOC, where the activity comprises creating a registry launch point, creating a file in an unusual location, creating a file with an unusual name, communication to an unknown Internet Protocol (IP) address, communication to an unknown IP domain, and the generating of the new IOC comprises 

Therefore, independent claim 1 and its corresponding dependent claims are allowed in light of applicant's arguments, the approved examiner's amendments and the prior art of record. The same amendments and reasoning apply to independent claims 7 and 12 mutatis mutandis. Claims 2, 4 and 8 are cancelled.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892 Notice of References Cited.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867.  The examiner can normally be reached on M-F: 8:30am-5pm (EST).

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Taghi T. Arani, can be reached on 571-272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BADRINARAYANAN /Examiner, Art Unit 2496.