DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
This office action is in response to the amendment filed on 11/01/2021.
Claims 1-18 are pending for examination. Applicant amends claims 1-2, 6, 10-11, and 15. The amendments have been fully considered and entered.

Response to Arguments
For convenience, the newly introduced limitations, as made by amendments, are marked as underlined.
Applicant’s arguments, see Remarks, filed 11/01/2021, with respect to the rejection of claims 1, 5, 10, and 14 under 35 U.S.C. § 103 have been fully considered but are not persuasive. 
The following are applicant arguments recited in the Remarks followed by Examiner's response:
a.	Applicant argues that “Ginter’s workstation and GUI are generic computer elements, and not a ‘message-enabled device … responsible for security on the enterprise network.” Furthermore, applicant argues that “Ginter’s system just sends an email to the administrator’s generic workstation” which does not read on the message 
Examiner respectfully disagrees and submits that Ginter’s workstation and GUI reasonably read on the claimed “message-enabled devices responsible for security on the enterprise network.” Under the broadest reasonable interpretation, this limitation covers any device capable of receiving messages that is responsible for the security of a network. Ginter’s workstation (see [0048], [0266], [0276], [0283], and [0286]) is a device that receives messages/notifications (e.g., email) and is used by the administrator to secure the network. Therefore, Ginter’s workstation and GUI read on the claimed “message-enabled device … responsible for security on the enterprise network.” Furthermore, the newly cited reference Durie is relied upon for the newly recited limitation, as explained below. Specifically, Durie teaches retrieving event information in response to executing a script, which teaches or suggests the amended limitation “the message being provided to at least one of the message-enabled devices in response to execution of an action script on the at least one message-enabled device.”
b.	Applicant argues that “Woolway and Ginter are providing email notifications and, in both cases, just to human beings … Ginter’s administrator workstation and GUI is not a ‘message-enabled device responsible for security’.” (Remarks, pg. 8)
Examiner respectfully disagrees and submits that Ginter’s administrator workstation and GUI reasonably reads on the claimed “message-enabled device responsible for security” as explained above.

Examiner respectfully disagrees and submits that Woolway and Ginter each notify the administrator on a device, though in different ways. Woolway does not explicitly include the object or artifact in the email; Ginter, however, explicitly includes the object and artifact in the email message, which allows a security administrator to make a better decision regarding the security event based on that explicit information. Therefore, the necessary information provided by Ginter allows the security administrator to take the most appropriate action to mitigate the security event.
d.	Applicant argues that “the stated motivation to combine McGee and Woolway still appears to Applicant to be hindsight-driven… Woolway itself already provides the ‘level of protection’ the Examiner finds as the stated reason to combine McGee… The disclosure there is not related to computer security or any type of security event monitoring such as described in Woolway.” (Remarks, pgs. 8-9)
Examiner respectfully disagrees. In response to applicant's argument that the examiner's conclusion of obviousness is based upon improper hindsight reasoning, it must be recognized that any judgment on obviousness is in a sense necessarily a reconstruction based upon hindsight reasoning. But so long as it takes into account only knowledge which was within the level of ordinary skill at the time the claimed invention was made, and does not include knowledge gleaned only from the applicant's disclosure, such a reconstruction is proper. See In re McLaughlin, 443 F.2d 1392, 170 USPQ 209 (CCPA 1971). Examiner maintains that Woolway’s parent-node relationship 
e.	Regarding claims 5 and 14, applicant argues “the Examiner’s finding that ‘if a message was sent’ because the event manager and some other device “a virtual connection must have been established … is unsupported by evidence. Information can be sent and received between devices in many different ways including, e.g., via some other component or entity. The notion that the existence of some communication between devices necessarily describes “a virtual connection,” however, is unfounded; rather, it appears to be impermissible hindsight based on what the claims say and not based on what the references actually teach.” (Remarks, pg. 10)
Examiner respectfully disagrees. In response to applicant's argument that the examiner's conclusion of obviousness is based upon improper hindsight reasoning, it must be recognized that any judgment on obviousness is in a sense necessarily a reconstruction based upon hindsight reasoning. But so long as it takes into account only knowledge which was within the level of ordinary skill at the time the claimed invention was made, and does not include knowledge gleaned only from the applicant's disclosure, such a reconstruction is proper. See In re McLaughlin, 443 F.2d 1392, 170 USPQ 209 (CCPA 1971). Examiner maintains that the language “virtual connection” is broad. Renzi discloses sending event messages from an event manager to subscribers of an event type (Renzi, [00310]-[00311] and [00315]). Here, the subscribers (i.e., message-enabled devices) have the ability to access event information from the event manager (i.e., message destination) based on the event type to which they are subscribed. Thus, Renzi reasonably teaches a “virtual connection” based on the subscribers’ ability to access event information from the event manager.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-18 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 2, 4-9, 11-16, 18, 19, 21, and 23 of U.S. Patent No. 10,367,828 in view of Durie et al. (US 20080168560 A1; hereinafter “Durie”). 
Instant Application 16/525,690 | US Patent No. 10,367,828
----------------------------------------------------------------
Instant application:
1. A method for responding to data security incidents in an enterprise network, comprising: 
storing information concerning the data security incidents, the information comprising at least one 
comparing the information to one or more action conditions of a set of action conditions to determine any action condition satisfied by the information; 
combining into a message contents of any incident object and incident artifact associated with a satisfied action condition; 
providing the message that includes the contents of any incident object and incident artifact associated with the satisfied action condition to one or more message-enabled devices responsible for security on the enterprise network, the message being provided to at least one of the message-enabled devices in response to execution of an action script on the at least one message-enabled device, thereby facilitating a response to a data security incident associated with the satisfied action condition.  
US Patent No. 10,367,828:
storing, in an incident manager, information concerning the data security incidents, the 
comparing the information to a set of action conditions to determine action conditions satisfied by at least some of the information; 
combining into a message contents of any incident object and incident artifact associated with a satisfied action condition; 
providing the message to one or more devices, wherein at least one device includes a message interface that receives the message over a virtual connection established between the incident manager and the message interface; and executing actions that reference the information on the one or more devices.
----------------------------------------------------------------
Instant application:
wherein the incident object and the incident artifacts are organized as an object-oriented inheritance hierarchy and wherein an incident artifact is a child object of one or more incident objects.  
US Patent No. 10,367,828:
2. The method of claim 1, wherein an incident artifact is a child object of one or more incident objects.
----------------------------------------------------------------
Instant application:
3. The method of claim 1, wherein the set of action conditions includes manual action conditions selectable from a Graphical User Interface (GUI) screen of an incident manager user application.  
US Patent No. 10,367,828:
4. The method of claim 1, wherein the set of action conditions includes manual action conditions, and wherein providing the information concerning the data security incidents associated with the satisfied action conditions comprises: one or more satisfied manual action conditions rendering a selectable action gesture within a Graphical User Interface (GUI) screen of an incident manager user application that manages the incident manager; in response to selection of the selectable action gesture of the one or more satisfied manual action conditions, including the information concerning the data security incidents associated with the satisfied manual action conditions in messages, and sending the messages to message destinations of the incident manager, at least one message destination being associated with the virtual connection; and polling the message destinations for the messages and downloading the messages.
----------------------------------------------------------------
US Patent No. 10,367,828:
5. The method of claim 1, wherein the set of action conditions includes automatic action conditions, and wherein providing the information concerning the data security incidents associated with the satisfied action conditions comprises: one or more satisfied automatic action conditions including the information concerning the data security incidents associated with the satisfied automatic action conditions in messages, and sending the messages to message destinations of the incident manager, at least one message destination being associated with the virtual connection; and polling the message destinations for the messages and downloading the messages.
----------------------------------------------------------------
Instant application:
5. The method of claim 1, further comprising configuring the one or more message-enabled devices in the enterprise network to access one or more message destinations associated with a message interface, at least one message destination being associated with a virtual connection.  
US Patent No. 10,367,828:
6. The method of claim 1, further comprising configuring the one or more devices in the enterprise network to access one or more message destinations of the incident manager, at least one message destination being associated with the virtual connection.
----------------------------------------------------------------
Instant application:
6. The method of claim 1, wherein the response includes further executing the action script on the at least one of the message-enabled devices.  
US Patent No. 10,367,828:
7. The method of claim 1, wherein executing the actions that reference the information concerning the data security incidents on the one or more devices comprises the one or more devices including action scripts which in turn include the actions, and executing the actions upon the one or more devices including the action scripts.
----------------------------------------------------------------
Instant application:
7. The method of claim 6, wherein the action script is provided by a configuration server.  
US Patent No. 10,367,828:
8. The method of claim 1, wherein executing the actions that reference the information concerning the data security incidents on the one or more devices comprises a configuration server including one or more action scripts which in turn include the actions, and executing the actions upon the devices using the configuration server.
----------------------------------------------------------------
Instant application:
8. The method of claim 1, further including updating the information.  
US Patent No. 10,367,828:
9. The method of claim 1, further comprising action scripts updating the information concerning the data security incidents stored on the incident manager via an Application Programming Interface (API) of the incident manager.
----------------------------------------------------------------
Instant application:
9. The method of claim 1, further including modifying the set of action conditions.  
US Patent No. 10,367,828:
11. The method of claim 1, further comprising creating, modifying, and displaying the set of action conditions via an incident manager user application that manages the incident manager.
----------------------------------------------------------------
Instant application:
10. A system for responding to data security incidents in an enterprise network, the system comprising: one or more devices responsible for security on the enterprise network; and an incident manager application, the incident manager application comprising computer program instructions executed in a hardware processor, the computer program instructions configured to perform a set of operations including: storing information concerning the data security incidents, the information comprising at least one incident object for at least one data the message being provided to at least one of the message-enabled devices in response to execution of an action script on the at least one message-enabled device, thereby facilitating a response to a data security incident associated with the satisfied action condition.  
----------------------------------------------------------------
Instant application:
wherein the incident object and the incident artifacts are organized as an object-oriented inheritance hierarchy and wherein an incident artifact is a child object of one or more incident objects.  
US Patent No. 10,367,828:
23. The system of claim 12, wherein an incident artifact is a child object of one or more incident objects.
----------------------------------------------------------------
Instant application:
12. The system of claim 10, wherein the set of action conditions includes manual action conditions selectable from a Graphical User Interface (GUI) screen of an incident manager user application executed in association with the incident manager application.  
US Patent No. 10,367,828:
15. The system of claim 12, wherein the incident manager further comprises message destinations, and wherein the set of action conditions include manual action conditions, and wherein the incident manager provides the information concerning the data security incidents associated with the satisfied action conditions by: one or more satisfied manual action conditions rendering a selectable action gesture within a Graphical User Interface (GUI) screen of an incident manager user application that manages the incident manager; in response to selection of the selectable action gesture of the one or more satisfied manual action conditions, including the information concerning the data security incidents associated with the satisfied manual action conditions in messages, and sending the messages to the message destinations, at least one message destination being associated with the virtual connection; and polling the message destinations for the messages and downloading the messages.
----------------------------------------------------------------
Instant application:
13. The system of claim 10, wherein the set of action conditions includes automatic action conditions.  
US Patent No. 10,367,828:
16. The system of claim 12, wherein the incident manager further comprises message destinations, and wherein the set of action conditions include automatic action conditions, and wherein the incident manager provides the information concerning the data security incidents associated with the satisfied action conditions by: including the information concerning the data security 
----------------------------------------------------------------
US Patent No. 10,367,828:
13. The system of claim 12, wherein the incident manager application further comprises message destinations, at least one message destination being associated with the virtual connection, and wherein the incident manager provides the information concerning the data security incidents associated with the satisfied action conditions by including the information concerning the data security incidents in messages, sending the messages to the message destinations, and to the one or more devices or a configuration server polling the message destinations for the messages and downloading the messages.
----------------------------------------------------------------
Instant application:
15. The system of claim 10, further comprising computer program instructions executed by a processor in at least one message-enabled device, thereby executing an action script to provide the response.  
US Patent No. 10,367,828:
14. The system of claim 12, wherein action scripts which include the actions execute business logic which references the information concerning the data security incidents.
----------------------------------------------------------------
Instant application:
16. The system of claim 15, wherein the computer program instructions also include a configuration server configured to provide the action script.  
US Patent No. 10,367,828:
18. The system of claim 12, wherein one or more action scripts execute on a configuration server that executes the actions upon other devices.
----------------------------------------------------------------
Instant application:
17. The system of claim 10, further including computer program instructions configured to update the information.  
US Patent No. 10,367,828:
19. The system of claim 12, wherein the incident manager includes an Application Programming Interface (API) that allows the one or more devices on the enterprise network to update the information concerning the data security incidents stored on the incident manager.
----------------------------------------------------------------
Instant application:
18. The system of claim 10, further including computer program instructions configured to modifying the set of action conditions.
US Patent No. 10,367,828:
21. The system of claim 12, further comprising an incident manager user application that creates, modifies, and displays the set of action conditions.
----------------------------------------------------------------


Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of US Patent No. 10,367,828 include all the limitations of the instant application except for the message being provided to at least one of the message-enabled devices in response to execution of an action script on the at least one message-enabled device. However, this is taught in paragraph [0016] of Durie, where scripts are executed that have the capability of retrieving configuration and event information from hosts in the system. Therefore, it would have been obvious to KSR).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-4, 8-10, 12-13, 17, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Woolway (US 7873717 B1; hereinafter “Woolway”) in view of Ginter et al. (US 20090271504 A1; hereinafter “Ginter”) and further in view of Durie et al. (US 20080168560 A1; hereinafter “Durie”).
As per claims 1 and 10, Woolway discloses a method and system for responding to data security incidents in an enterprise network, the system comprising: 
one or more devices responsible for security on the enterprise network (Woolway, col. 21 lines 53-55, one or more host computers located on a network); and 
an incident manager application, the incident manager application comprising computer program instructions executed in a hardware processor, the computer program instructions configured to perform a set of operations including (Woolway, col. 6 line 1, “instructions for performing forensic analysis of events in an event listing”): 

comparing the information to one or more action conditions of a set of action conditions to determine any action condition satisfied by the information (Woolway, col. 20 lines 19-25, if correlation is successful, determine action to ping Source IP address (i.e., comparing information to one action condition) to determine whether it might be spoofed (i.e., satisfied action condition)).
While Woolway discloses providing an email message notifying various interested parties regarding information about the denial of service attack (Woolway, col. 20 lines 25-27), Woolway does not explicitly disclose the following, which Ginter teaches or suggests: combining into a message contents of any incident object and 
providing the message that includes the contents of any incident object and incident artifact associated with the satisfied action condition to the one or more message-enabled devices responsible for security on the enterprise network, thereby facilitating a response to a data security incident associated with the satisfied action condition (Ginter, [0266] notifying administrator by email, [0283] and [0286], notification includes NIDS and IPS reports comprising information such as type of attack, e.g., DoS attack (i.e., incident object), and source IP address and target IP address information (i.e., incident artifacts), [0276], wherein an administrator uses a GUI to gain additional information based on the notification to take corrective actions (i.e., facilitating a response), [0048], workstation 120 (i.e., message-enabled device) contains GUI for displaying information to administrator/user).  
It would have been obvious to a person having ordinary skill in the network security art before the effective filing date of the claimed invention to modify Woolway to include combining the contents of any incident object and incident artifact into an e-mail message and notifying an administrator with that email, as taught or suggested by Ginter, for the benefit of informing a security administrator about a security event with the information necessary to take corrective actions to mitigate the security event (Ginter, [0276]).
The modified Woolway does not explicitly disclose the message being provided to at least one of the message-enabled devices in response to execution of an action script on the at least one message-enabled device. However, Durie teaches executing scripts having the capability of retrieving configuration and event information from hosts in the system (Durie, [0016]), which reads on this limitation.
It would have been obvious to a person having ordinary skill in the network security art before the effective filing date of the claimed invention to combine the teachings of the modified Woolway to include executing a script to retrieve event information as taught or suggested by Durie because a person of ordinary skill in the art would know to combine prior art elements according to known methods to yield predictable results (KSR).

As per claims 3 and 12, claims 1 and 10 are incorporated, respectively, and the modified Woolway discloses: wherein the set of action conditions includes manual action conditions selectable from a Graphical User Interface (GUI) screen of an incident manager user application executed in association with the incident manager application (Woolway, col. 18 lines 10-11 and Fig. 13, event/action can be selected at field 292A of the user interface seen in Fig. 13).  

As per claims 4 and 13, claims 1 and 10 are incorporated, respectively, and the modified Woolway discloses: wherein the set of action conditions includes automatic action conditions (Woolway, col. 18 line 11, event/action is performed automatically).  

As per claims 8 and 17, claims 1 and 10 are incorporated, respectively, and the modified Woolway discloses: further including computer program instructions configured to update the information (Woolway, col. 21 lines 38-42, reliable forensic analysis of system events (i.e., information about security events) is done on a real-time basis; in other words, the system event information is constantly updated in real time).  

As per claims 9 and 18, claims 1 and 10 are incorporated, respectively, and the modified Woolway discloses: further including computer program instructions configured to modifying the set of action conditions (Woolway, col. 18 lines 10-11 and Fig. 13, event/action can be selected at field 292A of the user interface seen in Fig. 13).  

Claims 2 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Woolway in view of Ginter, Durie, and further in view of McGee et al. (US 6125408 A; hereinafter “McGee”).
As per claims 2 and 11, claims 1 and 10 are incorporated, respectively, and the modified Woolway discloses: wherein an incident artifact is a child object of one or more incident objects (Woolway, col. 11 line 8, child object 1.1.1.1 of parent node/object 1.1.1).  
The modified Woolway does not explicitly disclose, however, McGee teaches or suggests: wherein the incident object and the incident artifacts are organized as an object-oriented inheritance hierarchy (McGee, col. 19 lines 21-41, “inheritance hierarchy is used in the preferred object-oriented programming paradigm”).
It would have been obvious to a person having ordinary skill in the network security art before the effective filing date of the claimed invention to modify Woolway to organize the incident object and the incident artifacts as an object-oriented inheritance hierarchy as taught by McGee, for the benefit of a significant level of protection against some other, unrelated part of the program accidentally modifying or destroying the private parts of the object (McGee, col. 19 lines 38-41). 

Claims 5 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Woolway in view of Ginter, Durie, and further in view of Renzi et al. (WO 2004/104793 A2; hereinafter “Renzi”) cited in the IDS filed on 12/01/2015 of the parent application.
As per claims 5 and 14, claims 1 and 10 are incorporated, respectively, and the modified Woolway does not disclose, however, Renzi teaches or suggests: configuring the one or more message-enabled devices in the enterprise network to access one or 
It would have been obvious to a person having ordinary skill in the network security art before the effective filing date of the claimed invention to modify Woolway to include sending a message to a message destination and then having devices poll the event manager to retrieve the message, as taught by Renzi, for the benefit of an improved way that security events are collected, analyzed, and responded to (Renzi, [0013]). 
 
Claims 6, 7, 15, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Woolway in view of Ginter, Durie, and further in view of Njemanze et al. (US 7376969 B1; hereinafter “Njemanze”).
As per claims 6 and 15, claims 1 and 10 are incorporated, respectively, and the modified Woolway does not disclose, however, Njemanze teaches or suggests: further comprising computer program instructions executed by a processor in at least one message-enabled device, thereby executing an action script to provide the response (Njemanze, col. 10 lines 12-26 and col. 11 line 39, actions triggered by the rules may 
It would have been obvious to a person having ordinary skill in the network security art before the effective filing date of the claimed invention to modify Woolway to include executing scripts as remediation actions, as taught by Njemanze, to reconfigure one or more of the network devices and/or to modify or update access lists in response to a threat (Njemanze, Abstract). 

  As per claims 7 and 16, claims 6 and 15 are incorporated, respectively, and the modified Woolway does not disclose, however, Njemanze teaches or suggests: wherein the computer program instructions also include a configuration server configured to provide the action script (Njemanze, col. 10 lines 12-26 and col. 4 line 55, notifier 24 of manager 14 (i.e., configuration server) provides the instructions/action scripts to the network devices).
It would have been obvious to a person having ordinary skill in the network security art before the effective filing date of the claimed invention to modify Woolway to include executing scripts as remediation actions, as taught by Njemanze, to reconfigure one or more of the network devices and/or to modify or update access lists in response to a threat (Njemanze, Abstract). 
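The pipeline that the rejections above map onto Woolway, Ginter, Durie, McGee, Renzi and Njemanze (claims 1/10: storing incident objects and artifacts, comparing them to action conditions, combining object and artifact contents into a message and providing it to a message-enabled device when that device's action script runs; claims 2/11: the inheritance hierarchy with artifacts as child objects; claims 5/14 and the "virtual connection" discussion in the Response to Arguments: message destinations that devices are configured to poll; claims 6/7/15/16: action scripts executed on the device; claims 8/17: scripts updating the stored information) is easier to follow as working code. The following Python is an added illustration written for this page. It is not code from the office action, the instant application, U.S. Patent No. 10,367,828, or any cited reference, and every name in it (IncidentManager, ActionCondition, block_source_ip_script, the queue names and the sample incident) is an assumption made for the example.

```python
# Added illustration of the claimed pipeline; every name here is an assumption, not code from
# the application, the '828 patent, or any cited reference.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable

# Inheritance hierarchy (claims 2/11): one base class; an artifact is a child of one or more incidents.
@dataclass
class IncidentRecord:
    record_id: str
    kind: str

@dataclass
class IncidentArtifact(IncidentRecord):
    value: str = ""
    parent_ids: list[str] = field(default_factory=list)

@dataclass
class IncidentObject(IncidentRecord):
    severity: int = 1
    status: str = "open"
    artifacts: list[IncidentArtifact] = field(default_factory=list)

@dataclass
class ActionCondition:
    name: str
    predicate: Callable[[IncidentObject], bool]
    mode: str         # "automatic" fires on match; "manual" waits for a GUI gesture
    destination: str  # message destination the resulting message is sent to

class IncidentManager:
    def __init__(self) -> None:
        self.incidents: dict[str, IncidentObject] = {}
        self.conditions: list[ActionCondition] = []
        self.destinations: dict[str, list[dict]] = {}    # queues that devices are configured to poll
        self.pending_manual: list[tuple[str, str]] = []  # (incident, condition) offered in the GUI

    def store_incident(self, inc: IncidentObject, artifacts: list[IncidentArtifact]) -> list[str]:
        for art in artifacts:                 # store the information (claims 1/10) ...
            art.parent_ids.append(inc.record_id)
        inc.artifacts = artifacts
        self.incidents[inc.record_id] = inc
        return self.evaluate(inc.record_id)   # ... and compare it to the action conditions

    def evaluate(self, incident_id: str) -> list[str]:
        """Automatic conditions dispatch at once; manual ones wait for an operator gesture."""
        satisfied = [c for c in self.conditions if c.predicate(self.incidents[incident_id])]
        for cond in satisfied:
            if cond.mode == "automatic":
                self.dispatch(incident_id, cond)
            else:
                self.pending_manual.append((incident_id, cond.name))
        return [c.name for c in satisfied]

    def select_manual_action(self, incident_id: str, condition_name: str) -> None:
        self.pending_manual.remove((incident_id, condition_name))   # operator selects the gesture
        self.dispatch(incident_id, next(c for c in self.conditions if c.name == condition_name))

    def dispatch(self, incident_id: str, cond: ActionCondition) -> None:
        """Combine incident object and artifact contents into one message and queue it."""
        inc = self.incidents[incident_id]
        self.destinations.setdefault(cond.destination, []).append({
            "condition": cond.name,
            "incident": {"id": inc.record_id, "kind": inc.kind, "severity": inc.severity},
            "artifacts": [{"kind": a.kind, "value": a.value} for a in inc.artifacts],
        })

    def poll(self, destination: str) -> list[dict]:   # message interface polled by devices (claims 5/14)
        msgs, self.destinations[destination] = self.destinations.get(destination, []), []
        return msgs

    def update_incident(self, incident_id: str, **fields) -> None:   # API used by scripts (claims 8/17)
        for name, value in fields.items():
            setattr(self.incidents[incident_id], name, value)

def block_source_ip_script(manager: IncidentManager, destination: str, firewall: set[str]) -> list[str]:
    """Action script on a message-enabled device (claims 6/7): it polls for the message, acts, reports back."""
    blocked = []
    for msg in manager.poll(destination):
        for art in msg["artifacts"]:
            if art["kind"] == "source_ip":
                firewall.add(art["value"])
                blocked.append(art["value"])
        manager.update_incident(msg["incident"]["id"], status="mitigated")
    return blocked

def demo() -> dict:
    mgr = IncidentManager()
    mgr.conditions = [
        ActionCondition("block-dos-source", lambda i: i.kind == "dos_attack" and i.severity >= 3,
                        "automatic", "firewall-queue"),
        ActionCondition("notify-soc", lambda i: True, "manual", "soc-queue")]
    satisfied = mgr.store_incident(  # constructed sample incident, not data from any reference
        IncidentObject("INC-1", "dos_attack", severity=4),
        [IncidentArtifact("ART-1", "source_ip", "203.0.113.7"),
         IncidentArtifact("ART-2", "target_ip", "198.51.100.10")])
    blocked = block_source_ip_script(mgr, "firewall-queue", set())  # the script runs on the device
    mgr.select_manual_action("INC-1", "notify-soc")
    return {"satisfied": satisfied, "blocked": blocked, "status": mgr.incidents["INC-1"].status,
            "soc_messages": len(mgr.destinations["soc-queue"]), "parents": mgr.incidents["INC-1"].artifacts[0].parent_ids}
```

Calling demo() exercises each step in order: the automatic condition fires as soon as the incident is stored, the device's script obtains the message only because it polled its destination, the manual condition waits until select_manual_action is called, and the artifact carries the id of its parent incident. Nothing in the example holds a persistent transport-level connection between the device and the manager; the device is only configured with the name of a destination that it polls, which is the subscription-style arrangement the response to arguments for claims 5 and 14 describes.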

Conclusion
Refer to PTO-892, Notice of References Cited for a listing of analogous art.
Harris et al. (US 20100242106 A1) discloses a server executing a script to poll client information ([0260]).
Swiler et al. (US 20100242106 A1) teaches a Perl script used for polling machines and gathering data such as IP address, machine type, and operating system (col. 5 lines 55-61).

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALEXANDER R LAPIAN whose telephone number is (571)272-7552.  The examiner can normally be reached on M-F 9:30-6:00 PM.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on 571-272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


ALEXANDER R. LAPIAN
Examiner
Art Unit 2437



/ALEXANDER R LAPIAN/Examiner, Art Unit 2437  

/KRISTINE L KINCAID/Supervisory Patent Examiner, Art Unit 2437