DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. This Office Action is responsive to the communications filed on 27 August 2020. Claims 1-20 are pending.
Claim Objections
Claim 6 is objected to because of the following informalities: Line 6 contains a grammatical error. “Cause” should be amended to “causing”. Appropriate correction is required.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1, 2, 5, 6, 8, 10, 11, 16, 19 and 20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Sundaresan et al. (hereinafter, Sundaresan, US 2016/0112240 A1).
Per claim 1, Sundaresan discloses a system (e.g., network architecture 100 as shown in Fig. 1; paragraph [0017], “Referring now to the figures, FIG. 1 is a block diagram depicting an example network architecture 100 including remotely accessible embedded systems and computing devices that interact with the embedded systems. The network architecture 100 includes multiple devices 135A-C connected to a local area network (LAN) 165. Thus, the devices 135A-C may be referred to as network-connected devices.”), comprising:
an event-source device (e.g., network connected devices 135A-C as shown in Fig. 1; paragraph [0029], “In one embodiment, WAN accessible services 130 include a rules engine 128 and a rules creator 126.  Rules engine 128 applies one or more rules to determine actions and generate messages and/or commands to implement the determined actions based on received events.  The rules engine 128 may at any time receive notifications of events from any of devices 135A-C, third party services 162 or other WAN accessible services 130 … The rules engine 128 includes multiple input feeds, where each input feed is associated with a source (e.g., third party services 162, embedded systems 150A-C, WAN accessible services 130, etc.) ...    ”); 
a state database (e.g., data source 210 as shown in Fig. 2A; paragraph [0039]) holding first state data (paragraph [0053], “ …The rules creator 250 may include a database or other data structure that identifies the possible states, thresholds, or other criteria that may be applied to each input event ...   “; paragraph [0058], “ Once a rule has been generated, rules creator 250 stores the rule in data store 210.  The rule is stored in a security context of a particular user account that requested creation of the rule ... “ ); 
a controllable computing device (e.g., second network-connected device; paragraph [0007], “FIG. 4 is a flow chart for an example method of triggering an action on a second network-connected device responsive to an event on a first network-connected device “ ; paragraph [0062], “ FIG. 4 is a flow chart for an example method 400 of triggering an action on a second network-connected device responsive to an event on a first network-connected device ... “ ; paragraph [0067]; [0076]; paragraph [0080]); and 
a monitoring device  (e.g., computing device(s) 105 as shown in Fig. 1; paragraph [0036]) communicatively connectable with the state database (e.g., data source 210 as shown in Fig. 2A via rules engine) and, via at least one network(e.g., WAN 170 as shown in Fig. 1), with the event-source device (e.g., network connected devices 135A-C as shown in Fig. 1) and the controllable device(e.g., second network-connected device);
wherein the monitoring device is configured to: 
receive an event record from the event-source device (e.g., block 405 as shown in Fig. 4; paragraph [0062], “ …At block 405 of method 400, processing logic receives notification of an event that has occurred on a first network-connected device ... “ ); 
determine, based at least in part on the first state data and the event record (paragraph [0063], “At block 410, processing logic identifies a rule for which the event is an input.  The rule may be set up such that the first network-connected device is an input feed for the rule.  When events are reported by the first network-connected device, processing logic compares those events to a criterion (or multiple criteria) of the rule.  At block 415, processing logic determines whether the event on the first network-connected device satisfies a criterion of the rule.  If the criterion is satisfied by the event, the method continues to block 420…”), a command (e.g.,  , “…At block 435, processing logic generates a command to cause the second network-connected device to perform the determined action…”); and 
transmit, via the at least one network, the command to the controllable computing device to cause the controllable computing device to perform an action associated with the command (e.g., block 440 as shown in Fig. 4; paragraph [0067], “… At block 440, processing logic transmits the command to the second network connected device. The second network-connected device may then execute the command to perform the action. The second network-connected device may perform the action even though a user may not have an active session to the user account that generated the rule.”).
Per claim 2, Sundaresan discloses the system according to claim 1, wherein:
the system further comprises a user interface (e.g., remote control application 115 as shown in Fig. 1; paragraph [0034]; paragraph [0036], “ ….The remote control application 105 may include a graphical user interface (GUI) that enables users to interact with and control devices 135A-C in an intuitive and user-friendly manner.  A user may interact with the GUI to cause the remote control application to generate notifications, commands, property updates and other messages for the devices represented in the GUI. “); 
the monitoring device (e.g., computing device(s) 105 as shown in Fig. 1) is communicatively connectable, via the at least one network, with the user Computing devices 105 may connect to the WAN 170 and/or to the LAN 165 ... “); and 
the monitoring device is configured to, in response to the receiving the event record, cause the user interface to present a representation at least a portion of the event record (e.g., output feeds 391 as shown in Fig. 3; paragraph [0036], “… A user may interact with the GUI to cause the remote control application to generate notifications, commands, property updates and other messages for the devices represented in the GUI.”; paragraph [0045]; paragraph [0046]; paragraph [0072]).
Per claim 5, Sundaresan discloses the system according to claim 1, wherein the command comprises at least one of: creation of a user account; deletion of a user account; modification of the access privileges of a user account; modification of firewall rules; modification of routing rules; enabling of a device (paragraph [0064], “At block 420, processing logic determines an action to be performed by the rule. The action may be an action that is to be performed by a second network-connected device. Any type of action may be performed, such as turning on or off the second network-connected device, changing a setting of the second network-connected device, and so on. Additionally, the action may be an immediate action or may be a scheduled future action.”); disabling of a device (paragraph [0064]); enabling of a device driver; disabling of a device driver; enabling of a port; disabling of a port; installation of an update; presentation by a user interface of a toast, request to login, or another notification; presentation by a user interface of a prompt for yes/no or agree/disagree input, or other selection from a fixed list of choices; presentation by a user interface of a Examiner’s Note: Sundaresan discloses at least enabling or disabling of a device).
Per claim 6, Sundaresan discloses at least one tangible, non-transitory computer-readable medium (e.g., computer-readable storage medium 928 as shown in Fig. 9) comprising instructions (e.g., instructions 922 as shown in Fig. 9) executable by at least one processor (e.g., processing device 902 as shown in Fig. 9) to cause the at least one processor to perform operations (paragraph [0099]) comprising:
receiving an event record from an event-source device via a network (e.g., block 405 as shown in Fig. 4; paragraph [0062], “ …At block 405 of method 400, processing logic receives notification of an event that has occurred on a first network-connected device ... “ ); 
retrieving first state data from a state database (e.g., block 410 as shown Fig. 4; paragraph [0063], “At block 410, processing logic identifies a rule for which the event is an input.  The rule may be set up such that the first network-connected device is an input feed for the rule.  When events are reported by the first network-connected device, processing logic compares those events to a criterion (or multiple criteria) of the rule ...”  ); 
determining, based at least in part on the first state data and the event record, a command (e.g., block 415 as shown Fig. 4; paragraph [0063], “… At block 415, processing logic determines whether the event on the first network-connected device satisfies a criterion of the rule. If the criterion is satisfied by the event, the method continues to block 420. Otherwise the method ends.”);
cause a controllable computing device to carry out the command (e.g., block 420 as shown Fig. 4; paragraph [0064],  “ At block 420, processing logic determines an action to be performed by the rule.  The action may be an action that is to be performed by a second network-connected device ….   “).  
Per claim 8, Sundaresan discloses the at least one tangible, non-transitory computer-readable medium according to claim 6, the operations further comprising:
determining a computational model based at least in part on stored training event records and respective training response records (paragraph [0059], “In one embodiment, rules creator 250 includes an automated rule generator 285.  Automated rule generator 285 may apply a machine learning algorithm (e.g., Kohonen maps, support vector machines (SVM), k-nearest neighbor classifiers, etc.) to logs of events and actions across devices and services.  Automated rule generator may learn patterns of events and corresponding actions on disparate devices … “); and 
determining the command by operating the computational model (Abstract, “ … The processing device determines that the first event satisfies a first criterion of the first rule and generates a first command for a second network-connected device also associated with the first user account ... “; paragraph [0029]).  
Per claim 10, Sundaresan discloses a method (e.g., method 700 as shown in Fig. 7A; paragraph [0077]), comprising: 
storing first state data in a state database, the first state data associated with a first data source(e.g., data source 210 as shown in Fig. 2A; paragraph [0039]) The rules creator 250 may include a database or other data structure that identifies the possible states, thresholds, or other criteria that may be applied to each input event ...   “; paragraph [0058], “ Once a rule has been generated, rules creator 250 stores the rule in data store 210.  The rule is stored in a security context of a particular user account that requested creation of the rule ... “ ;  Fig. 7A and paragraphs [0077-0080] describe storing information on the network connected devices connected to a user’s account and events associated with the devices ); 
storing second state data in the state database, the second state data associated with a second, different data source (e.g., Block 755 as shown in Fig. 7B; paragraph [0026], “… Via a session with an embedded system 150A-C, WAN accessible service 130 may issue commands to the embedded system and/or receive status updates from the embedded system.”; paragraph [0027], “Status updates received from the embedded systems 150A-C may identify values or states of some or all detectable parameters of devices 135A-C that the embedded systems are included in. Status updates may also include fault information, statistical device usage information, trace data and/or other information. Such values, states and/or other information may change based on direct user interaction with the devices. Such values, states and/or other information may also change responsive to commands sent to the embedded systems 150A-C by the WAN accessible service 130 and/or by computing devices 105A-C. Moreover, values, states and other information of the embedded systems 150A-C may change based on environmental conditions of the embedded systems. By maintaining or periodically establishing sessions with the embedded systems 150A-C, the WAN accessible services 130 may maintain up-to-date information on the devices 135A-C.”; paragraph [0084], “At block 760, processing logic applies a machine learning algorithm to the log of events and actions.”; Examiner’s Note: Sundaresan discloses receiving status updates on the devices 135A-C.);
determining a computational model based at least in part on the first state data (e.g., Block 770 as shown in Fig. 7B; paragraph [0059]; paragraph [0084], “… At block 770, processing logic automatically generates a rule based on the learned patterns.  The rule may cause a particular action to be performed responsive to detection of a particular event or type of event, for example.  “; Examiner’s Note: Sundaresan discloses applying a machine learning algorithm (e.g., Kohonen maps, support vector machines (SVM), k-nearest neighbor classifiers, etc.) to logs of events and actions across devices and services in order to generate a rule or computational model based on the first state data collected on a device.); 
receiving an event record associated with the second data source (e.g., Block 505 as shown in Fig. 5; paragraph [0068], “… At block 505 of method 500, processing logic receives notification of positive and/or negative events that have occurred on a network-connected device and/or on a service.”);
operating the computational model based at least in part on the event record to provide a command (Fig. 5 and paragraphs [0068-0072] describe operating the computational model based at least in part on the event record to provide a command.); and
presenting, via a user interface, a representation of the command(e.g., output feeds 391 as shown in Fig. 3; paragraph [0036], “ …. The remote control application 105 may include a graphical user interface (GUI) that enables users to interact with and control devices 135A-C in an intuitive and user-friendly manner.  A user may interact with the GUI to cause the remote control application to generate notifications, commands, property updates and other messages for the devices represented in the GUI.  “;  paragraph [0046]);
Per claim 11, Sundaresan discloses the method according to claim 10, further comprising transmitting the command to a controllable computing device to change operation of the controllable computing device (e.g., block 535 as shown in Fig. 5; paragraph [0070], “… At block 535, processing logic transmits the commands to the additional network-connected devices and/or to the services. These devices and/or services may then execute the commands to perform the determined actions.”).
Per claim 16, Sundaresan discloses the method according to claim 10, further comprising transmitting, via the network, the command to a controllable computing device to cause the controllable computing device to perform an action associated with the command (e.g., block 440 as shown in Fig. 4; paragraph [0067], “  … At block 440, processing logic transmits the command to the second network connected device.  The second network-connected device may then execute the command to perform the action.  The second network-connected device may perform the action even though a user may not have an active session to the user account that generated the rule. “ ).   
Per claim 19, Sundaresan discloses the method according to claim 10, wherein the command comprises at least one of: creation of a user account; deletion of a user “At block 420, processing logic determines an action to be performed by the rule. The action may be an action that is to be performed by a second network-connected device. Any type of action may be performed, such as turning on or off the second network-connected device, changing a setting of the second network-connected device, and so on. Additionally, the action may be an immediate action or may be a scheduled future action.”); disabling of a device (paragraph [0064]); enabling of a device driver; disabling of a device driver; enabling of a port; disabling of a port; installation of an update; presentation by a user interface of a toast, request to login, or another notification; presentation by a user interface of a prompt for yes/no or agree/disagree input, or other selection from a fixed list of choices; presentation by a user interface of a prompt for textual input; downloading of document file or other file; or requesting authorization for a change to the state database. Examiner’s Note: Sundaresan discloses at least enabling or disabling of a device).
Per claim 20, Sundaresan discloses the method according to claim 10,  further comprising:
operating the computational model based at least in part on the event record to provide a second event record (e.g., Block 510 as shown in Fig. 5; paragraph [0069], “At block 510, processing logic identifies a rule for which the one or more events are an input ...”);
determining, based at least in part on the first state data and the second event record, a second command(e.g., blocks 520-530 as shown in Fig. 5; paragraph At block 520, processing logic determines one or more actions to be performed by the rule.  At block 525, processing logic determines a security context of the rule and determines that the security context includes privileges to perform the one or more determined actions.  At block 530, processing logic generates commands to cause an additional network-connected device and/or a service to perform an action ...”); and
 transmitting, via a network, the second command to a controllable computing device to cause the controllable computing device to perform an action associated with the second command(e.g., block 535 as shown in Fig. 5; paragraph [0070], “  …  At block 535, processing logic transmits the commands to the additional network-connected devices and/or to the services.  These devices and/or services may then execute the commands to perform the determined actions.  “ ).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.

4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 3, 4, 7, 17 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Sundaresan et al. (Hereinafter, Sundaresan, US 2016/0112240 A1) in view of Seago et al. (Hereinafter, Seago, US 2014/0129698 A1).
Per claim 3, Sundaresan discloses the system according to claim 1, but does not expressly disclose wherein the monitoring device is further configured to: 
determine second state data based at least in part on the event record; and
add the second state data to the state database.  
Seago discloses wherein the monitoring device is further configured to: 
determine second state data based at least in part on the event record (e.g., block 301 as shown in Fig. 3; paragraph [0031], “… The detection module 201 may detect an event based on event data received from agent 191 or cloud provider system 104.”); and
add the second state data to the state database (e.g., block 303 as shown in Fig. 3; paragraph [0032], “At block 303, the detection module may record the event data using a predefined format ....   “; paragraph [0034], “The detection module 201 may add the event data in the event log 251 in the data store 250 ....  “).  
It would have been obvious for a person of ordinary skill in the art before the effective filing date of the claimed invention to use the event notification of Seago in the flexible rules engine device of Sundaresan for the purpose of providing fresher and 
Per claim 4, Sundaresan and Seago disclose the system according to claim 3, wherein the monitoring device is further configured to record an indication of the adding of the second state data in a changelog data store (Seago, Block 307 as shown in Fig. 3; paragraph [0036], “At block 307, processing logic provides event data about the detected event to the identified applications ...”).
Per claim 7, Sundaresan discloses the at least one tangible, non-transitory computer-readable medium according to claim 6, but does not expressly disclose the operations further comprising: 
determine second state data based at least in part on the event record; and
add the second state data to the state database.  
Seago discloses wherein the monitoring device is further configured to: 
determining second state data based at least in part on the event record (e.g., block 301 as shown in Fig. 3; paragraph [0031], “… The detection module 201 may detect an event based on event data received from agent 191 or cloud provider system 104.”); and
adding the second state data to the state database (e.g., block 303 as shown in Fig. 3; paragraph [0032], “At block 303, the detection module may record the event data using a predefined format ....   “; paragraph [0034], “The detection module 201 may add the event data in the event log 251 in the data store 250 ....
It would have been obvious for a person of ordinary skill in the art before the effective filing date of the claimed invention to use the event notification of Seago in the flexible rules engine device of Sundaresan for the purpose of providing fresher and more interesting filters for reducing the amount of time and work dedicated to tracking, logging, and parsing events as suggested by Seago (See paragraph [0002]). 17. The method according to claim 10, further comprising: determining second state data based at least in part on the event record; and adding the second state data to the state database.
Per claim 17, Sundaresan discloses the method according to claim 10, but does not expressly disclose  the method as further comprising: 
determining second state data based at least in part on the event record; and
adding the second state data to the state database.  
Seago discloses wherein the monitoring device is further configured to: 
determining second state data based at least in part on the event record (e.g., block 301 as shown in Fig. 3; paragraph [0031], “… The detection module 201 may detect an event based on event data received from agent 191 or cloud provider system 104.”); and
adding the second state data to the state database (e.g., block 303 as shown in Fig. 3; paragraph [0032], “At block 303, the detection module may record the event data using a predefined format ....   “; paragraph [0034], “The detection module 201 may add the event data in the event log 251 in the data store 250 ....
It would have been obvious for a person of ordinary skill in the art before the effective filing date of the claimed invention to use the event notification of Seago in the flexible rules engine device of Sundaresan for the purpose of providing fresher and more interesting filters for reducing the amount of time and work dedicated to tracking, logging, and parsing events as suggested by Seago (See paragraph [0002]). 
Per claim 18, Sundaresan and Seago disclose the method according to claim 17, further comprising recording an indication of the adding of the second state data in a changelog data store (Seago, Block 307 as shown in Fig. 3; paragraph [0036], “At block 307, processing logic provides event data about the detected event to the identified applications ...”   ).  
Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Sundaresan et al. (hereinafter, Sundaresan, US 2016/0112240 A1) in view of Wang et al. (hereinafter, Wang, US 2015/0373043 A1).
Per claim 9, Sundaresan discloses the at least one tangible, non-transitory computer-readable medium according to claim 6, the operations further comprising: 
presenting a representation of at least a portion of the command via a user interface (paragraph [0036], “ …. The remote control application 105 may include a graphical user interface (GUI) that enables users to interact with and control devices 135A-C in an intuitive and user-friendly manner.  A user may interact with the GUI to cause the remote control application to generate notifications, commands, property updates and other messages for the devices represented in the GUI. 
receiving, via the user interface, a response record associated with the command and a score record associated with the command; and
determining a second computational model based at least in part on the command, the response record, and the score record.  
Wang discloses the operations further comprising:
receiving, via the user interface, a response record associated with the command and a score record (e.g., risk modeling score) associated with the command (e.g., Step 440 as shown in Fig. 4; paragraph [0059]; paragraph [0082], “The data analysis engine 220 receives the network sensor data (the metadata and/or the other items of interest) from the network sensor engine 200 at operation 440. It should be understood that the data analysis engine 220 may receive network sensor data from multiple network sensor engines and the data may be repeatedly and periodically received.”; paragraph [0083], “… The results of training the local model(s) may be displayed in a user interface such as a dashboard for the customer ….”; Examiner’s Note: Wang teaches items of interest such as a response record associated with the command and a score record (e.g., risk modeling score) associated with the command train local models during operation 445 as shown in Fig. 4); and
determining a second computational model based at least in part on the command, the response record, and the score record (e.g., Operation 480 as shown in Fig. 4; paragraph [0091], “Flow moves from operation 475 to operation 480 where the centralized controller 240 trains one or more global models using at least the data received from the data analysis engines of multiple customers.  An example of a global model includes a combination of features that are included in multiple local models ….  “; Examiner’s Note: Wang uses the data received from the data analysis engines of multiple customers to determine a second computational model.).  
It would have been obvious for a person of ordinary skill in the art before the effective filing date of the claimed invention to use the collaborative and adaptive threat intelligence of Wang with the flexible rules engine device of Sundaresan for the purpose of providing better detection of computer security threats as suggested by Wang (See paragraph [0005]).
Claims 13 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Sundaresan et al. (hereinafter, Sundaresan, US 2016/0112240 A1) in view of Wang et al. (hereinafter, Wang, US 2015/0373043 A1), and further in view of Ayyagari et al. (hereinafter, Ayyagari, US 2014/0380485 A1).
Per claim 13, Sundaresan discloses the method according to claim 10, further comprising
determining the computational model at least partly by: determining, based at least in part on the first state data, one or more training event records and respective training response records (paragraph [0063], “… At block 415, processing logic determines whether the event on the first network-connected device satisfies a criterion of the rule. If the criterion is satisfied by the event, the method continues to block 420. Otherwise the method ends.”), wherein at least one of the training response records indicates an action of a plurality of actions (paragraph [0064], “At block 420, processing logic determines an action to be performed by the rule. The action may be an action that is to be performed by a second network-connected device. Any type of action may be performed, such as turning on or off the second network-connected device, changing a setting of the second network-connected device, and so on. Additionally, the action may be an immediate action or may be a scheduled future action.”); wherein:
the computational model is configured to receive as input at least a portion of the event record (paragraph [0063], “At block 410, processing logic identifies a rule for which the event is an input.  The rule may be set up such that the first network-connected device is an input feed for the rule.  When events are reported by the first network-connected device, processing logic compares those events to a criterion (or multiple criteria) of the rule…”; Examiner’s Note: Examiner is broadly and reasonably interpreting the rules described by Sundaresan to be computational models.); and 
the computational model is configured to provide as output the command indicating an action of the plurality of actions(e.g., Block 435 as shown in Fig. 4; paragraph [0067]).   
Sundaresan does not expressly disclose:
receiving one or more training score records associated with respective training event records of the one or more training event records; and
 mathematically optimizing at least one parameter with respect to a cost function based at least in part on the training event records, the training response records, and the training score records to determine the computational model,
Wang discloses:
receiving one or more training score records associated with respective training event records of the one or more training event records (e.g., Step 440 as shown in Fig. 4; paragraph [0059]; paragraph [0082], “The data analysis engine 220 receives the network sensor data (the metadata and/or the other items of interest) from the network sensor engine 200 at operation 440.  It should be understood that the data analysis engine 220 may receive network sensor data from multiple network sensor engines and the data may be repeatedly and periodically received.”; paragraph [0083], “ … The results of training the local model(s) may be displayed in a user interface such as a dashboard for the customer ….   “;  Examiner’s Note: Wang  teaches items of interest  such  a response record associated with the command and a score record (e.g., risk modeling score) associated with the command train local models during operation 445 as shown in Fig. 4); and
the training score records to determine the computational model(e.g., Operation 480 as shown in Fig. 4; paragraph [0091], “Flow moves from operation 475 to operation 480 where the centralized controller 240 trains one or more global models using at least the data received from the data analysis engines of multiple customers.  An example of a global model includes a combination of features that are included in multiple local models ….  “; Examiner’s Note: Wang 
It would have been obvious for a person of ordinary skill in the art before the effective filing date of the claimed invention to use the collaborative and adaptive threat intelligence of Wang with the flexible rules engine device of Sundaresan for the purpose of providing better detection of computer security threats as suggested by Wang (See paragraph [0005]).
Ayyagari discloses mathematically optimizing at least one parameter with respect to a cost function based at least in part on the training event records (Abstract, “… The method also includes defining a cost function for a cyber-security threat to traverse each link and defining a requirements function for a cyber-security threat to exploit each node …”; paragraph [0005]; paragraph [0044]; paragraph [0047]; Examiner’s Note: Ayyagari has a method for analyzing cyber security threats (Abstract) and discloses parameters with respect to a cost function).
It would have been obvious for a person of ordinary skill in the art before the effective filing date of the claimed invention to use the methods and systems of Ayyagari with the flexible rules engine device of Sundaresan for the purpose of limiting the traversal of threats as suggested by Ayyagari (See paragraph [0044]).
Per claim 14, Sundaresan, Wang, and Ayyagari disclose the method according to claim 13, further comprising:
operating the computational model based at least in part on at least some of the second state data to provide an event prediction (Wang, paragraph “Predictive analytics comprises statistical modeling, machine learning and/or data mining for analyzing current and/or historical events in order to formulate determinations as to certain network devices, users, and/or services within an enterprise network are compromised. For instance, data analysis engine 220 may analyze how certain events along with subsequent detected events may increase or decrease the likelihood of one or more of the endpoint devices being compromised and infected with malware.”); and
presenting, via the user interface, a representation of the event prediction (Wang, paragraph [0048], “The ad hoc analytics includes generation of a search display that enables network security personnel to conduct a keyword search to determine if a particular indicator of compromise (IOC) has already been received and processed by an endpoint device.”; paragraph [0083], “…The results of training the local model(s) may be displayed in a user interface such as a dashboard for the customer …”).  
Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Sundaresan et al. (Hereinafter, Sundaresan, US 2016/0112240 A1) in view of Fulker et al. (Hereinafter, Fulker, US 2010/0245107 A1).
Per claim 12, Sundaresan discloses the method according to claim 10, but does not expressly disclose the method as further comprising: 
transmitting, via a network to the user interface, a prompt; and 
receiving the event record from the user interface after transmitting the prompt, the user interface associated with the second data source.  
Fulker is in the field of integrated security systems (Abstract) and discloses:
transmitting, via a network to the user interface (paragraph [0354-0358], “… the first time the customer uses the web portal to Arm/Disarm system the web interface prompts the customer for the user code, which is then stored securely on the server”), a prompt (paragraphs [0353-0358] for Installer returns to web interface and is prompted to automatically setup cameras. After waiting for completion cameras are now provisioned and operational); and 
receiving the event record from the user interface after transmitting the prompt (paragraph [0356], “Installer instructs customer how to change Simon XT user code from the keypad. Customer changes user code and stores in SimonXT.”), the user interface associated with the second data source (paragraph [0357], “The first time the customer uses the web portal to Arm/Disarm system the web interface prompts the customer for the user code, which is then stored securely on the server. In the event the user code is changed on the panel the web interface once again prompts the customer.”).  Examiner’s Note: First time use generates an event record that prompts the user for a user code at the interface. 
It would have been obvious for a person of ordinary skill in the art before the effective filing date of the claimed invention to use the cross-client sensor user interface of Fulker with the flexible rules engine device of Sundaresan for the purpose of easily interfacing to and controlling existing proprietary security technologies utilizing a variety of wireless technologies as suggested by Fulker (paragraph [0015]).
Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Sundaresan et al. (Hereinafter, Sundaresan, US 2016/0112240 A1) in view of Anderson et al. (Hereinafter, Anderson, US 2006/0041936 A1).

Per claim 15, Sundaresan discloses the model as disclosed above and the method according to claim 10, but does not expressly disclose the method as further comprising, after presenting the representation of the command:
receiving, via the user interface, a response record associated with the command and a score record associated with the command; 
determining a second computational model based at least in part on less than all of the first state data, the command, the response record, and the score record;
receiving, via a network, a second event record associated with the second data source; 
operating the second computational model based at least in part on the second event record to provide a second command; and 
presenting, via the user interface, a representation of the second command.  
Anderson has a graphical representation of a firewall (Abstract) and discloses after presenting the representation of the command: 
receiving, via the user interface (paragraph [0041], “… queries the user to input the missing network information (step 408).  If the configuration file 304 contains all of this network information or after the user enters the missing network information…”), a response record associated with the command and a score record associated with the command (paragraph [0041], “… determines if the configuration file 304 indicates a numerical security level of each zone…”; Examiner’s Note:
determining a second computational model based at least in part on less than all of the first state data, the command, the response record, and the score record (paragraph [0041], “… determines if the configuration file 304 indicates a numerical security level of each zone (decision 410). If not, then program function 112 queries the user to input the numerical security level of each zone, preferably the numerical value on a scale of one to one hundred …”; Examiner’s Note: Computation based on the value of the security level);
receiving, via a network, a second event record associated with the second data source (paragraph [0041-0042], program function 112 “collates” the zone information, i.e. associates with each firewall interface the security levels of each zone or remote network and selects one of the firewall interfaces to begin a data flow rule checking to correlate to each interface, the rules that apply to the interface using a zone table [second data source]); 
operating the second computational model based at least in part on the second event record to provide a second command (paragraph [0041], “…gathers Zone/network information needed to determine data flows, vulnerabilities and misconfigurations within firewall … and using stored information and configuration file and prompting the user for missing information and “; paragraph [0042], “… reads data flow rules from the configuration file 304. Then, program function 120 selects one of the firewall interfaces to begin a data flow rule checking to correlate to each interface, the rules that apply to the interface … Assuming there is still an interface yet to be analyzed for Firewall …”;  Figure 4 illustrates operating the second computational model based at least in part on the 
presenting, via the user interface, a representation of the second command (paragraph [0041], “… program function 112 queries the user to input the network information and then the numerical Security level of each zone ...”).
It would have been obvious for a person of ordinary skill in the art before the effective filing date of the claimed invention to use the graphical presentation of Anderson with the flexible rules engine device of Sundaresan for the purpose of correlating the firewall interface with the rules for the firewall as suggested by Anderson (paragraph [0042]).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DARRIN HOPE whose telephone number is (571)270-5079. The examiner can normally be reached Mon-Thr - 7-4:30, Fri - 7-3:30, Alt. Fri Off.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.


Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

DARRIN HOPE
Examiner
Art Unit 2173



/TADESSE HAILU/Primary Examiner, Art Unit 2173