Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.



Response to Arguments
Applicant's arguments filed 9/28/21 have been fully considered but they are not persuasive. 
Applicant argues that Ismael US 10,826,933 in view of Kapoor US 8,402,540 does not teach a “pivot”.   Applicant argues in part, that the prior art does not teach this because a pivot “migrate from one resource…to another…when the first resource cannot be compromised…”
Examiner asserts that the claim must be read with a broad but reasonable interpretation, and details of the specification must not be read into the claim limitations.
Examiner has interpreted the term “pivot” to mean further infection including lateral movement along a network.  Ismael is focused on detecting a malicious entity that is spread from a first internal resource to a second internal resource, and from endpoints to possible external systems.   Examiner further points to Ismael Column 16 lines 20-40 that teach this intermediate detection of lateral movement.   Examiner asserts that if the intrusion was localized then it could not be interpreted as pivoting to other network entities according to the claim language.  However since the prior art teaches a spread from one resource to another, then the prior art teaches pivoting.  Further clarification of the claim limitations and defining the term pivot could overcome the prior art in further amendments.




Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ismael US 10,826,933 in view of Kapoor US 8,402,540.
As per claims 1, 8, 15 Ismael teaches A computer-implemented method comprising: receiving an indication of intrusion activity in first network activity directed to a first internal resource of a first system, the intrusion activity including an indication of success of an intrusion of the first internal resource; determining an occurrence of a pivot of the intrusion, wherein the determination of the occurrence of the pivot of the intrusion is based on an indication of a transmission from the first internal resource to a second internal resource within the first system; (Column 4 lines 12-16; Column 10 line 60 to Column 11 line 6, Column 11 lines 17-25; Column 16 lines 40-55) (teaches a first firewall for external protection/detection but fails to teach extrusion detection, teaches an intermediate appliance that detects anomalous behavior between internal endpoints)

Kapoor teaches configuring an extrusion detection policy for the second internal resource in response to determining the occurrence of the pivot of the intrusion from the first internal resource to the second internal resource; receiving an indication of extrusion activity in second network activity directed from the second internal resource to a second system, the second system external to the first system; and performing a security process in response to receiving the indication of the extrusion activity. (Column 15 lines 14-34; Column 17 lines 4-67) (teaches the firewall does extrusion/data loss prevention activity)
It would have been obvious to one of ordinary skill in the art to use the extrusion of Kapoor with the system of Ismael because it increases security.

As per claims 2, 9, 16 Kapoor teaches The computer-implemented method of claim 1, wherein performing the security process in response to receiving the indication of the extrusion activity includes blocking the second network activity directed from the second internal resource to the second system. (Column 17 lines 4-67)

As per claims 3, 10, 17 Kapoor teaches The computer-implemented method of claim 1, wherein configuring the extrusion detection policy for the second internal resource includes increasing a risk level on network traffic directed from the second internal resource to the second system. (Column 18 lines 4-28) (teaches security events including explicit teaching of risk)

As per claims 4, 11, 18 Kapoor teaches The computer-implemented method of claim 1, wherein configuring the extrusion detection policy for the second internal resource includes directing an extrusion detector to analyze all network traffic directed from the second internal resource to the second system. (Firewall processing data flow) (Column 15 lines 55-65, Column 20 lines 1-10)

As per claims 5, 12, 19 Kapoor teaches The computer-implemented method of claim 1, wherein configuring the extrusion detection policy for the second internal resource includes pushing the extrusion detection policy to an extrusion detector. (Column 15 lines 55-65, Column 20 lines 1-10; Column 117 lines 10-25) (extrusion filter updated in real time)

As per claims 6, 13 Ismael teaches The computer-implemented method of claim 1, wherein
Kapoor teaches selecting different patterns for data leakage (Column 117 lines 10-25)



Conclusion

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833.  The examiner can normally be reached on M-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/CHRISTOPHER J BROWN/ Primary Examiner, Art Unit 2439