Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

DETAILED ACTION
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 04/30/2020 and 09/02/2021 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:



Claims 1-21 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention.

Claims 1-21 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being incomplete for omitting essential steps/elements, such omission amounting to a gap between the steps/elements.  See MPEP § 2172.01.  Regarding claims 1, 8 and 15 the claims are broadly directed to accelerating security investigations by training a machine learning model based on previous responses to threats, generating suggested security responses and adjusting display with relation to a security software product and threat object. However, the specification makes clear that traditionally there are shortcomings with investigating just purely off of a desktop, computer, laptop, etc. due to a lack of screen space for moving security threat objects between security products. The suggestion is to implement a virtual reality environment that expands the amount of visual information that is displayed to an analyst but the claims do not capture this feature. The specification and drawings describe that security products are rendered in a virtual reality environment based on a gaming engine and an analyst is capable of moving objects between the rendered products. Furthermore, it is described that the virtual reality environment is a planar environment and the gaming engine estimates collision locations on opposing sides in order to identify product features and interfaces corresponding to the location based on security investigation actions and visual frames are received and generated 

Furthermore, with regard to claims 1, 8 and 15, the recitation “in response to the security response action” renders the claim indefinite because all previous recitations of “security response action” are associated with “suggested security response action”, thus making it unclear if this is the same suggested response or a different response. Therefore, “the security response action” is considered to lack an antecedent basis.

Claims 1-7 recite the elements “a model trainer to train”, “an action generator to generate” and “a software product controller to adjust.” These are limitations that invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for the claimed function: Paragraphs 0028, 0032 and 0033 appear to disclose the means for executing the steps above but fail to disclose the adequate structure for performing the recited function.

Applicant may:

(b)   Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the claimed function without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either:
(a)   Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(b)   Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.

Dependent claims are rejected for failure to overcome the rejection of the parent claims from which they depend.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:



Claims 1-21 are rejected under 35 U.S.C. 103 as being unpatentable over US 20210311542 to Brown et al. (hereinafter “Brown”) in view of US 20190340353 to Mitelman et al. (hereinafter “Mitelman”), retrieved from IDS dated 09/02/2021.

Claim 8
Brown teaches a method comprising:
determining a source security software product and a destination security software product of a security threat object; [e.g. Brown; Para. 0037; Brown discloses determining a scene from the security analysis application (e.g. source security product) and a virtual scene (e.g. destination security software product) for a data set (e.g. security threat object)]
storing at least one of the previous security response action, the source security software product, the destination security software product, and the security threat object [e.g. Brown; Para. 0043; Brown discloses memory for storing the products and data.] and
adjusting a display of the destination security software product of the security threat object in response to the security response action. [e.g. Brown; Para. 0038, 0039, 0049, 050; Brown discloses adjusting display of the destination security product.]

Brown teaches the method of claim 8 and investigating security related events in a virtual reality environment. Brown fails to explicitly teach utilizing machine learning to provide suggested responses. More specifically, Brown fails to teach the claimed limitations of:
“training a security investigation model, the security investigation model based at least on a previous security response action in response to a security threat” 
“generating at least one suggested security response action in response to a user security investigation action, wherein the suggested security response action is based on an execution of the security investigation model”
However, Mitelman teaches:
“training a security investigation model, the security investigation model based at least on a previous security response action in response to a security threat” [e.g. Mitelman; Para. 0021, 0023, 0029-0032; Mitelman discloses training a model.]
“generating at least one suggested security response action in response to a user security investigation action, wherein the suggested security response action is based on an execution of the security investigation model” [e.g. Mitelman; Para. 0034; Mitelman discloses outputting a response from the model.]
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to include the features above in the invention as disclosed by Brown, improving efficiency and the time it takes to investigate events, especially for novice security analysts, as specified by Mitelman, Para. 0020.

Claim 9:
Brown teaches the method of claim 8, wherein the user security investigation action is to include moving at least one security threat object from the source security software product to the destination security software product. [e.g. Brown; Para. 0051]

Claim 10:
Brown teaches the method of claim 9, wherein the source security software product and/or the destination security software product include at least one of an endpoint detection and response product, a security information and event management product, a centralized security manager, and a security innovation alliance product. [e.g. Brown; Para. 0029]

Claim 11:
Brown teaches the method of claim 8, wherein the source security software product and the destination security software product are to be displayed in a virtual reality (VR) environment for the user. [e.g. Brown; Para. 0006]

Claim 12:
Brown teaches the method of claim 8, further including tagging the security threat object selected by a user. [e.g. Brown; Para. 0051, 0052]

Claim 13:
Brown teaches the method of claim 8, further including detecting the security threat object in at least one of security software products selected by a user. [e.g. Brown; Para. 0051, 0052]

Claim 14:
Brown as modified by Mitelman teaches the method of claim 8, further including executing the security investigation model based on at least one of the security threat object, the source security software product of the security threat object, and the destination security software product of the security threat object. [e.g. Mitelman; Para. 0054]

Regarding claims 1-7 and 15-21, they are apparatus and manufacture claims essentially corresponding to the above recitations, and they are rejected, at least, for the same reasons.
Conclusion



The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Please check attached PTO-892 form for any additional references.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER C HARRIS whose telephone number is (571)270-7841. The examiner can normally be reached Monday through Friday from 8:00 AM to 4:00 PM CST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson, can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.





/CHRISTOPHER C HARRIS/Primary Examiner, Art Unit 2432