Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendments
Amended claims 1-25 were considered under 35 USC 112, 101 and 103 for patentability over the closest and analogous prior art, Krisher et al. (US 8984643), hereafter Kris, and Zafer et al. (US 10666494), hereafter Zafer, and have been fully considered and are persuasive.

Allowable Subject Matter
1.	Amended claims 1-25 are allowed in light of applicant’s arguments, approved examiner’s proposed amendments and in light of prior art(s) made of record. 

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.  Authorization for this examiner’s amendment was given in an interview with David Judson (attorney) for filed amended claims on 11-15-2021:
Amendments to Specification:
These operations were described above, and they are carried out by functions 610, 612 and 614 as depicted. Step 614 is an example of a query language and implementation layer…
Should be amended to (as indicated by Fig. 16):
1610, 1612 and 1614 as depicted. Step 1614 is an example of a query language and implementation layer… 

Please amend claims 1, 4, 9, 12, 17, 20 and 25 as set forth below.
	A complete claim listing begins on the following page.  
	 1.	(currently amended) A method for real-time processing of security alerts received from one or more alerting sources, comprising:
	scheduling execution of a set of tasks in a set of computing resources, wherein a task in the set is associated to process a particular alert, and wherein a priority of execution of a particular task relative to one or more other tasks is based at least in part on a severity of the particular alert;
	as the particular task and the one or more other tasks execute concurrently in the set of computing resources, performing priority-based causality tracking that tracks one or more causal dependencies backwards from the particular alert, wherein priority-based causality tracking includes, for at least one task: (i) setting one or more waypoints; (ii) upon interrupting execution of the at least one task, saving the waypoints set; and (iii) upon resumption of the at least one task, reusing the saved waypoints set to avoid recomputation of connections that reach the waypoints;       
based at least in part on results of the priority-based causality tracking, re-assessing the severity of the particular alert; and
adjusting a priority of execution of the particular task relative to the one or more other tasks based at least in part on re-assessment of the severity of the particular alert.


2.	(original) The method as described in claim 1 further including taking a given action with respect to the execution of the particular task.

3.	(original) The method as described in claim 2 wherein the given action is one of: interrupting the particular task, and resuming the particular task.  

4.	(currently amended) The method as described in claim 1 wherein the waypoints set for the at least one task are saved as partial causality tracking results.


5.	(original) The method as described in claim 1 wherein performing priority-based causality tracking around the particular alert identifies, for each entity of one or more entities in a causal graph, one or more causal paths from the particular alert to the entity, and for each such causal path, a priority. 

6.	(original) The method as described in claim 5 further including selecting an entity bearing a highest priority and performing additional causality tracking with respect to the selected entity.   

7.	(original) The method as described in claim 1 wherein a priority of execution increases as a result of the priority-based causality tracking indicating suspicious behavior. 

8.	(previously presented) The method as described in claim 1 wherein the particular alert is associated with an Advanced Persistent Threat (APT).  

a processor; 
computer memory holding computer program instructions executed by the processor to provide real-time processing of security alerts received from one or more alerting sources, the computer program instructions, when executed by the processor, are configured to:
		schedule execution of a set of tasks in a set of computing resources, wherein a task in the set is associated to process a particular alert, and wherein a priority of execution of a particular task relative to one or more other tasks is based at least in part on a severity of the particular alert;
		as the particular task and the one or more other tasks execute concurrently in the set of computing resources, perform priority-based causality tracking that tracks one or more causal dependencies backwards from the particular alert, wherein priority-based causality tracking includes, for at least one task: (i) setting one or more waypoints; (ii) upon interrupting execution of the at least one task, saving the waypoints set; and (iii) upon resumption of the at least one task, reusing the saved waypoints set to avoid recomputation of connections that reach the waypoints;  
based at least in part on results of the priority-based causality tracking, re-assess the severity of the particular alert; and
adjust a priority of execution of the particular task relative to the one or more other tasks based at least in part on re-assessment of the severity of the particular alert.


10.	(original) The apparatus as described in claim 9 wherein the program instructions are further configured to take a given action with respect to the execution of the particular task.

11.	(original) The apparatus as described in claim 10 wherein the given action is one of: interrupting the particular task, and resuming the particular task.  

12.	(currently amended) The apparatus as described in claim 9 wherein the 

at least one task are saved as partial causality tracking results


13. 	(original) The apparatus as described in claim 9 wherein the program code configured to perform priority-based causality tracking around the particular alert comprises program code further configured to identify, for each entity of one or more entities in a causal graph, one or more causal paths from the particular alert to the entity, and for each such causal path, a priority. 

14.	(original) The apparatus as described in claim 13 wherein the program code is further configured to select an entity bearing a highest priority and to perform additional causality tracking with respect to the selected entity.   

15.	(original) The apparatus as described in claim 9 wherein a priority of execution increases as a result of the priority-based causality tracking indicating suspicious behavior. 

16.	(previously presented) The apparatus as described in claim 9 wherein the particular alert is associated with an Advanced Persistent Threat (APT). 
17.	(currently amended) A computer program product in a non-transitory computer readable medium for use in a data processing system to provide real-time processing of security alerts received from one or more alerting sources, the computer program product holding computer program instructions that, when executed by the data processing system, are configured to:
	schedule execution of a set of tasks in a set of computing resources, wherein a task in the set is associated to process a particular alert, and wherein a priority of execution of a particular task relative to one or more other tasks is based at least in part on a severity of the particular alert;
	as the particular task and the one or more other tasks execute concurrently in the set of computing resources, perform priority-based causality tracking that tracks one or more causal dependencies backwards from the particular alert, wherein priority-based causality tracking includes, for at least one task: (i) setting one or more waypoints; (ii) upon interrupting execution of the at least one task, saving the waypoints set; and (iii) upon resumption of the at least one task, reusing the saved waypoints set to avoid recomputation of connections that reach the waypoints;  
based at least in part on results of the priority-based causality tracking, re-assess the severity of the particular alert; and
adjust a priority of execution of the particular task relative to the one or more other tasks based at least in part on re-assessment of the severity of the particular alert.


18.	(original) The computer program product as described in claim 17 wherein the program instructions are further configured to take a given action with respect to the execution of the particular task.

19.	(original) The computer program product as described in claim 18 wherein the given action is one of: interrupting the particular task, and resuming the particular task.  
20.	(currently amended) The computer program product as described in claim 17 wherein the 

at least one task are saved as partial causality tracking results


21. 	(original) The computer program product as described in claim 17 wherein the program code configured to perform priority-based causality tracking around the particular alert comprises program code further configured to identify, for each entity of one or more entities in a causal graph, one or more causal paths from the particular alert to the entity, and for each such causal path, a priority. 

22.	(original) The computer program product as described in claim 21 wherein the program code is further configured to select an entity bearing a highest priority and to perform additional causality tracking with respect to the selected entity.   

23.	(original) The computer program product as described in claim 17 wherein a priority of execution increases as a result of the priority-based causality tracking indicating suspicious behavior. 

24.	(previously presented) The computer program product as described in claim 17 wherein the particular alert is associated with an Advanced Persistent Threat (APT).  	
25.	(currently amended) A computing system for security alert processing, comprising:
a task scheduler comprising a priority queue and a hash-based data structure; and 
a set of workers that share, concurrently, a set of computing resources in the computing system; 
the task scheduler configured to allocate the set of computing resources in the computing system preferentially to execute, by the workers, a set of alert reasoning tasks
while the set of workers execute concurrently, the task scheduler further configured to adjust a priority of execution of one or more alert reasoning tasks upon a determination that another alert should be assigned the highest severity; 
wherein the determination is based at least in part on priority-based causality tracking that tracks one or more causal dependencies backwards from an alert;
wherein partial causality tracking results generated during processing of one or more alert reasoning tasks are saved in the hash-based data structure for reuse to avoid recomputation;  
wherein the task scheduler and the set of workers are implemented as software executing in hardware.  
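
An added illustration of the arrangement recited in claims 1 and 25, not code from the application, the applicant or the examiner: a priority queue keyed on alert severity, plus a hash-based store of waypoints shared by the workers. The provenance graph, the scoring rule, and the reading of a waypoint as an entity whose backward dependencies have already been resolved are assumptions made for the example.

```python
import heapq

# Constructed provenance graph: entity -> entities it causally depends on.
DEPENDS_ON = {
    "alert:scan": ["proc:nmap"], "proc:nmap": ["proc:bash"],
    "proc:bash": ["proc:sshd"], "proc:sshd": ["proc:init"], "proc:init": [],
    "alert:beacon": ["proc:svc.exe"],
    "proc:svc.exe": ["file:drop.dll", "proc:winword"],
    "file:drop.dll": ["proc:winword"], "proc:winword": ["file:invoice.doc"],
    "file:invoice.doc": [], "alert:macro": ["proc:winword"],
}
SUSPICIOUS = {"file:drop.dll", "file:invoice.doc"}  # constructed labels

class Task:
    def __init__(self, alert, severity):
        self.alert = alert
        self.base = self.severity = severity
        self.frontier, self.seen = [alert], set()  # state kept across interrupts

def run_slice(task, waypoints, lookups, budget):
    """Track backwards for at most `budget` expansions; True when finished."""
    expanded = 0
    while task.frontier and expanded < budget:
        node = task.frontier.pop()
        if node in task.seen:
            continue
        task.seen.add(node)
        if node not in waypoints:          # resolve once, save as a waypoint
            lookups.append(node)           # stands in for a costly log query
            waypoints[node] = DEPENDS_ON[node]
        task.frontier.extend(waypoints[node])
        expanded += 1
    return not task.frontier

def schedule(alerts, workers=2, budget=2):
    """alerts: {alert: initial severity} -> (completion order, lookups made)."""
    waypoints, lookups, done = {}, [], []  # waypoints: shared hash-based store
    heap = [(-sev, name, Task(name, sev)) for name, sev in alerts.items()]
    heapq.heapify(heap)
    while heap:
        batch = [heapq.heappop(heap) for _ in range(min(workers, len(heap)))]
        for _, _, task in batch:           # each worker runs one time slice
            finished = run_slice(task, waypoints, lookups, budget)
            # Re-assess severity from findings so far (constructed scoring rule).
            task.severity = task.base + 3 * len(task.seen & SUSPICIOUS)
            if finished:
                done.append((task.alert, task.severity))
            else:                          # interrupted: re-queue, new priority
                heapq.heappush(heap, (-task.severity, task.alert, task))
    return done, lookups
```

With constructed initial severities of 5 for `alert:scan`, 4 for `alert:beacon` and 3 for `alert:macro`, the beacon task overtakes the scan task once its tracking reaches a suspicious file, and the macro task reuses the waypoints the beacon task saved instead of resolving them again.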

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
As to the independent claim 1, the prior art of reference Kris teaches col. 2 lines 63-66: a set of remediations associated with a risk score and a set of vulnerabilities are identified (col. 12 lines 51-57) for timed application to resolve a vulnerability of a computing asset; col. 3 lines 64-67: the vulnerability threat management platform provides a ranked or ordered list of vulnerabilities which represent the order in which the vulnerabilities should be addressed, such that the vulnerability that poses the most significant threat is addressed first and the one that poses the least significant threat is addressed last; col. 11 lines 13-16: user changes priority value of a particular asset, causing risk score to be adjusted based on the newly given importance to the particular asset… (col. 13 lines 17-25) for each remediation in the set of remediations, an amount that the risk score would be reduced if said each remediation is applied to a corresponding vulnerability in the set of vulnerabilities is determined. The set of remediations is ordered based on the amount the risk score is reduced by each remediation in the set of remediations and based on the updated risk score; col. 11 lines 49-51: list of remediations to resolve the vulnerabilities of the computing asset.

Further, a second prior art of record Zafer teaches col. 23 lines 54-59: first applies a possible control and checks if a high-level objective is achieved. If so, the system backs off the remediation and/or applies a different but lighter remediation and checks again if the high-level objective is still achieved... (col. 27 lines 45-48) the root cause is then established by measuring a vector of "symptoms" that manifested at the same time instances as when the incident was occurring; col. 23 lines 59-63: If the root-cause is not remedied, the system attempts to apply a heavier control and/or re-diagnose the higher-layer objective to low-layer control primitives binding and apply a different control.

None of the other prior art of record, by itself or in any combination, would have anticipated or rendered obvious the claimed invention of the present application at or before the time it was filed. The prior art of record fails to teach: determining the priorities of the tasks for corresponding alerts; based on causality tracking, updating the severity of alerts by using waypoints and saving those waypoints, and resuming the tasks from the saved waypoints and the updated severity of the alerts; and adjusting a priority of execution of the particular task relative to the one or more other tasks based at least in part on re-assessment of the severity of the particular alert.

Therefore, independent claim 1 and its corresponding dependent claims are allowed in light of applicant’s arguments, approved examiner’s amendments and prior art of record. The same amendments and reasoning are applicable to independent claim(s) 9, 17 and 25 mutatis mutandis.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892 Notice of References Cited.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867.  The examiner can normally be reached on M-F: 8:30am-5pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T. Arani can be reached on 5712723787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/BADRINARAYANAN /Examiner, Art Unit 2496.