Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

1.       This action is in response to application amendments filed on 10-7-2021.  
2.        Claims 1, 3 - 10, 12, 14 - 19, 21 - 27, 29, 30 are pending.  Claims 1, 3 - 10, 12, 14 - 19, 21 - 27, 29, 30 have been amended.   Claims 2, 11, 13, 20, 28 have been canceled.  Claims 1, 19, 27 are independent.    This application was filed on 10-30-2015.  

Response to Arguments

3.    Applicant's arguments have been fully considered; however, upon further consideration of the prior art and the claimed limitation, they were not persuasive.

A.  Applicant argues on page 11 of Remarks:    ...   the cited portions of Andres do not disclose a link that, when activated, “causes the graphical user interface to generate a detailed view of the application,”   ...   . 

    The Examiner respectfully disagrees. Andres discloses that an application can be considered as a threat to a computer network (i.e. a flawed application). (see Andres col 4, lines 5-19: vulnerabilities include open ports, flawed application programs that can provide unauthorized access to network node(s); individuals that gain access through such vulnerabilities view secret information, delete files, alter settings of computer 
    Andres discloses a graphical user interface display concerning indicated threats to a computer network and the capability to generate a more detailed view of the detected threats, generated risk scores associated with the assets (GUI is well-known in the art to disclose a pointed or clicked link is used to activate execution). (see Andres col 11, line 67 - col 12, line 4: generates and displays threat listing; graphical user interface display of output from threat correlation module; col 12, lines 4-8: threat listing (i.e. flawed applications) comprising a threat summary, threat risk level, enables quick scan of threats; col 12, lines 8-13: threat correlation module calculates threat risk level (i.e. risk score) based on characteristics of threat (i.e. threat criticality); col 14, lines 36-34: risk score based on asset criticality, threat criticality and vulnerability severity values associated with asset; col 12, lines 17-24: highlighting a specific threat (i.e. link), threat correlation module displays detailed information about the selected threat; col 12, lines 33-37: threat correlation module allows user to select a particular threat and request that the threat be correlated with other assets of computer network; col 21, lines 51-60: results of correlation are displayed; a list of assets susceptible to the threat are displayed; display includes information about each susceptible asset including its risk level (i.e. risk score); the list is sorted such that the assets with the highest risk scores are displayed at the top of the list)  

B.  Applicant argues on page 11 of Remarks:    ...   none of these sections teach or suggest a “detailed view of [an] application,”   ...   . 


    Andres discloses a graphical user interface display concerning indicated threats to a computer network and the capability to generate a more detailed view of the detected threats, generated risk scores associated with the assets. (see Andres col 11, line 67 - col 12, line 4: generates and displays threat listing; graphical user interface display of output from threat correlation module; col 12, lines 4-8: threat listing (i.e. flawed applications) comprising a threat summary, threat risk level, enables quick scan of threats; col 12, lines 8-13: threat correlation module calculates threat risk level (i.e. risk score) based on characteristics of threat (i.e. threat criticality); col 14, lines 36-34: risk score based on asset criticality, threat criticality and vulnerability severity values associated with asset; col 12, lines 17-24: highlighting a specific threat (i.e. link), threat correlation module displays detailed information about the selected threat; col 12, lines 33-37: threat correlation module allows user to select a particular threat and request that the threat be correlated with other assets of computer network; col 21, lines 51-60: results of correlation are displayed; a list of assets susceptible to the threat are displayed; display includes information about each susceptible asset including its risk level (i.e. risk score); the list is sorted such that the assets with the highest risk scores 

C.  Applicant argues on page 11 of Remarks: Eberhardt was not cited for disclosing features related to the “entities view” recited in claim 1, and thus does not rectify the deficiencies of Andres with respect to these limitations.

    The Examiner respectfully disagrees.  Eberhardt is not used to disclose the indicated claim limitation(s).  The Office Action indicates the claim limitation(s) Eberhardt is used to reject as set forth in 35 U.S.C. 103 rejection section. 

D.  Applicant argues on page 11 of Remarks: Independent claims 19 and 27 recite features similar to those recited in claim 1,   ...   . 

    Independent claims 19 and 27 have similar limitations as independent claim 1.  Responses to arguments against independent claim 1 also answer arguments against independent claims 19 and 27.     

E.  Applicant argues on page 11 of Remarks:    ...   each of the remaining claims depends from one of claims 1, 19, and 27; thus, these claims are patentable over the cited references for at least the same reasons as claim 1. 

    Responses to arguments against the independent claims also answer arguments against the associated dependent claims.    

Claim Rejections - 35 USC § 103


A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

5.        Claims 1, 3 - 5, 7 - 9, 16 - 19, 21 - 23, 25 - 27, 29, 30 are rejected under 35 U.S.C. 103 as being unpatentable over Andres et al. (US Patent No. 8,201,257) in view of Eberhardt, III et al. (US PGPUB No. 20130198119, referred to as “Eberhardt”).     	

Regarding Claims 1, 19, 27, Andres discloses a computerized method, a non-transitory, computer-readable storage medium storing instructions, an execution of which in a computer system causes the computer system to perform operation, and a computer system comprising:
a)  receiving event data from a plurality of sources, wherein the event data is associated with network activities by entities that interact with a computer network (see Andres col 3, lines 5-19: threat correlation module periodically receives threat intelligence alerts (i.e. network event data); correlating a network security threat with assets affected by network security threat; col 4, lines 34-40: assets encompasses all devices or nodes connected to a network, such as computers, routers, and all applications and services that run on devices; col 1, lines 20-26: scanners scan the assets and nodes of a network to discover active devices (build an asset inventory) and detect vulnerabilities that exist on a network; (receive event data from multiple sources associated with an asset such as a computing device within a network environment)), wherein the entities 

Furthermore, Andres discloses for b): identify anomalies from the event data, wherein anomalies are associated with at least one entity of the entities.  (see Andres col 1, lines 53-58: threat correlation module finds actual assets that have attributes susceptible to one or more threats (i.e. compromised asset, device); threat correlation module displays a list of those susceptible assets (i.e. device(s) potentially compromised))  

Andres does not specifically disclose for b): using machine learning models to identify anomalies. 
However, Eberhardt discloses for b): using machine learning models to identify anomalies from the event data. (see Eberhardt paragraph [0105], lines 1-12: a model to identify novel and anomalous events using machine learning algorithms on relevant data about a set of events; data includes data relevant to the events, relevant to outcomes, and relevant to the specific subject domain; probabilities are used in a scoring algorithm to adjudicate whether an event is harmful or not harmful)    
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Andres for b): using machine 

Furthermore, Andres discloses the following:
c)  automatically determining a score for each anomaly of the anomalies, wherein a respective score represents a quantification of a degree to which the event data is associated with anomalous activity on the network; (see Andres col 15, lines 37-40: calculating a risk score parameter focusing on security risks associated with each asset individually but incorporating all threats and all vulnerabilities that affect a particular asset (i.e. device, entity)) and
d)  automatically determining threats based on the anomalies, wherein determination of the threats is based on the respective score determined for each of the anomalies; (see Andres col 1, lines 20-26: automated scanners scan the assets and nodes of a network to discover active devices (build an asset inventory) and detect vulnerabilities that exist on a network; col 10, lines 7-16: scanner scans all assets and builds an assets’ technical profile and detects any vulnerabilities in any asset; col 13, lines 39-41: constitute the correlation of threats to detect vulnerabilities) and 
e)  causing display, in a graphical user interface, of an entities view (see Andres col 11, line 67 - col 12, line 4: generates and displays threat listing; graphical user of the anomalies or a threat of the threats; (see Andres col 12, lines 4-8: threat listing (i.e. flawed applications) comprises a threat summary, threat risk level, enables quick scan of threats) and the respective score determined for the anomaly associated with each application in the listing of applications; (see Andres col 12, lines 8-13: threat correlation module calculates threat risk level (i.e. risk score) based on characteristics of threat (i.e. threat criticality); col 14, lines 36-34: risk score based on asset criticality, threat criticality and vulnerability severity values associated with asset) and a link associated with each application in the listing of applications, wherein activation of the link by a user causes the graphical user interface to generate a detailed view of the application, the detailed view illustrating a relationship between the application and the anomaly or the threat associated with the application. (see Andres col 12, lines 17-24: highlighting a specific threat (i.e. link), threat correlation module displays detailed information about the selected threat; col 12, lines 33-37: threat correlation module allows user to select a particular threat and request that the threat be correlated with other assets of computer network; col 21, lines 51-60: results of correlation are displayed; a list of assets susceptible to the threat are displayed; display includes information about each susceptible asset including its risk level (i.e. risk score); the list is sorted such that the assets with the highest risk scores are displayed at the top of the list)   

Furthermore for Claim 27, Andres discloses a non-transitory computer readable 

Regarding Claims 3, 21, 29, Andres-Eberhardt discloses the method, computer readable storage medium, and computer system of claims 1, 19, 28, wherein the entities view lists, for each entity, the number of threats associated with the entity. (see Andres col 15, lines 37-40: calculated risk score focuses on security risk associated with each asset (i.e. entity) incorporating all threats and all vulnerabilities (anomalies) that affect the asset (i.e. entity); (all threats associated with an entity); col 1, lines 53-58: threat correlation module finds actual assets that have attributes susceptible to one or more threats (i.e. compromised asset, device); threat correlation module displays a list of those susceptible assets (i.e. device(s) potentially compromised); col 21, lines 51-60: results of correlation are displayed; a list of assets susceptible to the threat are displayed; display includes information about each susceptible asset including its risk level (i.e. risk score))    

Regarding Claims 4, 22, 30, Andres-Eberhardt discloses the method, computer readable storage medium, and computer system of claims 1, 19, 27, wherein the 

Regarding Claims 5, 23, Andres-Eberhardt discloses the method and computer readable storage medium of claims 1, 19, wherein the entities view lists, for each entity, a number of threats and anomalies associated with the entity. (see Andres col 1, lines 53-58: threat correlation module finds actual assets that have attributes susceptible to one or more threats (i.e. compromised asset, device); threat correlation module displays a list of those susceptible assets (i.e. device(s) potentially compromised); col 15, lines 37-40: calculated risk score focuses on security risk associated with each asset (i.e. entity) incorporating all threats and all vulnerabilities (number of threats or anomalies) that affect the asset (i.e. entity); (all threats and vulnerabilities (anomalies) associated with an entity))    

Regarding Claims 7, 25, Andres-Eberhardt discloses the method and computer readable storage medium of claims 1, 19, wherein the entities view further comprises a listing of users in a computer network of an organization including a department in 

Regarding Claims 8, 26, Andres-Eberhardt discloses the method and computer readable storage medium of claims 1, 19,
a)  wherein the entities view further comprises a listing of network users in a computer network of an organization, (see Andres col 4, lines 34-40: assets encompassed all devices or nodes (computer systems) connected to a computer network; computers, applications and services such as an email client program (i.e. a particular device or computer system associated with a particular user within a network environment); col 17, lines 58-65: allows a user to specify a subset of the network such as assets of a certain department (i.e. users via email client programs for a department of a company)) and 
b)  further includes, for each network user, a date of a most recent automated determination regarding the network user’s involvement in an anomaly. (see Andres col 8, line 49 - col 9, line 5: threat intelligence database maintains information concerning date and time each record was entered; threat intelligence module transmits alert information to a particular user; separate timestamp information maintained for each user of threat correlation module; 

Regarding Claim 9, Andres-Eberhardt discloses the method of claim 1, 
a)  wherein the entities view comprises a listing of devices communicating on the network and associated with an anomaly, (see Andres col 1, lines 53-58: threat correlation module finds actual assets that have attributes susceptible to one or more threats (i.e. compromised asset, device); threat correlation module displays a list of those susceptible assets (i.e. device(s) potentially compromised); col 12, lines 33-37: threat correlation module allows user to select a particular threat and request that the threat be correlated with other assets of computer network) and 
b)  further wherein the listing includes, for each device, the date of the most recent automated determination regarding the device’s involvement in an anomaly. (see Andres col 8, line 49 - col 9, line 5: threat intelligence database maintains information concerning date and time each record was entered; when threat intelligence module transmitted alert information to a particular user; separate timestamp information maintained for each user of threat correlation module; (date information associated with most recent threat information (i.e. compromise, anomaly) associated with a particular user’s device))   

Regarding Claim 16, Andres-Eberhardt discloses the method of claim 1, wherein the entities view further comprises a listing of network users in a computer network of an organization and upon selection by a user of a network user in the listing, a detailed 

Regarding Claim 17, Andres-Eberhardt discloses the method of claim 1, further comprising: upon receiving a selection by a user, via the graphical user interface, of a link in the detailed view, generating an instances view listing instances of anomalies that are associated with the application. (see Andres col 17, lines 8-17: vulnerabilities are exploited by threat types of assets, external hyperlinks that point to additional information concerning the threats; (hyperlinks providing access via clicking on link in order to display additional threat related information))    

Regarding Claim 18, Andres-Eberhardt discloses the method of claim 1, further comprising: 
a)  upon receiving a selection by a user, via the graphical user interface, of a link in the detailed view, generating an instances view listing instances of anomalies that are associated with the application, (see Andres col 12, lines 17-24: 
b)  wherein each listed instance includes a link to a detailed view of that instance. (see Andres col 17, lines 8-17: vulnerabilities are exploited by threat types of assets, external hyperlinks that point to additional information concerning the threats; (hyperlinks providing access via clicking on link to display additional threat related information))    

6.        Claims 6, 10, 24 are rejected under 35 U.S.C. 103(a) as being unpatentable over Andres in view of Eberhardt and further in view of Osborn et al. (US PGPUB No. 20070239495).     	

Regarding Claims 6, 24, Andres-Eberhardt discloses the method and computer readable storage medium of claims 2, 1 including a graphical user interface. 
Andres-Eberhardt does not specifically disclose for a): graphical user interface provides a prompt for filtering entities, and for b): filtering entities view to include only entities associated with scores corresponding to user’s selection. 

a)  wherein the graphical user interface provides a prompt for filtering the displayed plurality of anomalies according to score, (see Osborn paragraph [0011], lines 5-9: display information associated with risk scores for applications (assets) and permit filtering to study only a portion of said information; paragraph [0045], lines 10-13: user selects a risk level) and
b)  upon selection by a user of a score via the graphical user interface, filtering the displayed plurality of anomalies to include only the anomalies associated with scores corresponding to the user’s selection. (see Osborn paragraph [0011], lines 5-9: display information associated with risk scores for applications (assets) and permit filtering to study only a portion of said information; paragraph [0045], lines 10-13: user selects a risk level)   
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Andres-Eberhardt for a): graphical user interface provides a prompt for filtering entities, and for b): filtering entities view to include only entities associated with scores corresponding to user’s selection as taught by Osborn.  One of ordinary skill in the art would have been motivated to employ the teachings of Osborn for the benefits achieved from the flexibility of a system that enables evaluating both risks and controls implemented to mitigate risks associated with multiple objects. (see Osborn paragraph [0009], lines 1-3)   

Regarding Claim 10, Andres-Eberhardt discloses the method of claim 1, 


Furthermore, Andres discloses for b): view according to date, and for c): selection by a user of a temporal range, view to include only the entities associated with a date of most recent update falling within the selected temporal range. (see Andres col 2, lines 43-50: compliance tracking module receives user input specifying compliance goals; periodically (over a specified time range) determine compliance goal and display a time-based compliance measure indicative of actual compliance with goal; compliance processing associated with a particular set of assets over a particular time range; col 3, lines 10-15: threat correlation module requests threat information according to a schedule set by a user; (user sets a schedule (or a time range) for processing threat information))

Andres-Eberhardt does not specifically disclose for b): provides a prompt for filtering entities, and for c): filtering entities view to include only applications associated with filtering.
However, Osborn discloses:
b)  wherein the graphical user interface provides a prompt for filtering the entities view, (see Osborn paragraph [0011], lines 5-9: display information associated with risk scores for applications (assets) and permit filtering to study only a portion of said information; paragraph [0045], lines 10-13: user selects a risk 
c)  upon selection by a user of a filter via the graphical user interface, filtering the entities view to include only the applications associated with filtering. (see Osborn paragraph [0011], lines 5-9: display information associated with risk scores for applications (assets) and permit filtering to study only a portion of said information; paragraph [0045], lines 10-13: user selects a risk level)    
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Andres-Eberhardt for b): provides a prompt for filtering application, and for c): filtering entities view to include only applications associated with filtering as taught by Osborn. One of ordinary skill in the art would have been motivated to employ the teachings of Osborn for the benefits achieved from the flexibility of a system that enables evaluating both risks and controls implemented to mitigate risks associated with multiple objects. (see Osborn paragraph [0009], lines 1-3)  

7.        Claims 12, 14 are rejected under 35 U.S.C. 103(a) as being unpatentable over Andres in view of Eberhardt and further in view of Eggert et al. (US PGPUB No. 20130041796).     	

Regarding Claim 12, Andres-Eberhardt discloses the method of claim 1, wherein the detailed view further includes illustrating changes associated with the application over a period of time. (see Andres col 9, lines 61-67: threat correlation module refers to information stored in database to compile a list of threats to display to users; allow users to select a threat for more detailed information and for correlation about threat data with 
   
Andres-Eberhardt does not specifically disclose a trends graph illustrating changes in threat (or risk) information associated with an entity. 
However, Eggert discloses wherein a trends graph illustrating any changes associated with the entity. (see Eggert paragraph [0048], lines 1-7: displaying a trending report assessment data; tracks changes to data over a specified period of time; trending report depicted in a graphical format)  
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Andres-Eberhardt for a trends graph illustrating changes in threat (or risk) information associated with an entity as taught by Eggert.  One of ordinary skill in the art would have been motivated to employ the teachings of Eggert for the benefits achieved from the flexibility of a system that enables a reduction or elimination of problems related to managing risk associated with applications within an enterprise. (see Eggert paragraph [0003], lines 1-4)  

Regarding Claim 14, Andres-Eberhardt discloses the method of claim 1, wherein the detailed view further includes information of how recent network activities associated with the entity have varied from a baseline of activity. (see Andres col 9, lines 61-67: threat correlation module refers to information stored in database to compile a list of 
 
Andres-Eberhardt does not specifically disclose an illustration that provides a view of variation from a baseline.
However, Eggert discloses a line graph that provides an illustration of how activities have varied from a baseline of activity.  (see Eggert paragraph [0048], lines 1-7: displaying a trending report assessment data; tracks changes to data over a specified period of time; trending report depicted in a graphical format; (graphical denotes an illustration format for network compromise information)) 
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Andres-Eberhardt for an illustration that provides a view of variation from a baseline as taught by Eggert.  One of ordinary skill in the art would have been motivated to employ the teachings of Eggert for the benefits achieved from the flexibility of a system that enables a reduction or elimination of problems related to managing risk associated with applications within an enterprise. (see Eggert paragraph [0003], lines 1-4)

8.        Claim 15 is rejected under 35 U.S.C. 103(a) as being unpatentable over Andres in view of Eberhardt and further in view of Linn et al. (US Patent No. 8,181,264).

Regarding Claim 15, Andres-Eberhardt discloses the method of claim 2, 
b)  upon receiving a selection by a user of a tag, associating the tag with the selected application such that the tag is included in the additional data provided in response to subsequent requests to generate the detailed view of the selected application. (see Andres col 9, lines 61-67: threat correlation module refers to information stored in database to compile a list of threats to display to users; allow users to select a threat for more detailed information and for correlation about threat data with data about actual vulnerabilities stored in vulnerabilities database; (display detailed information associated with a particular threat); (select a threat utilizing a user interface interaction (i.e. a click) for detailed analysis such as an evaluation at a future time))    

Furthermore, Andres discloses for a): the detailed view provides a prompt for a user to tag the selected application. (see Andres col 12, lines 33-37: select a particular threat and request that it be correlated with a set of assets to determine which assets are affected by the selected threat)

Andres-Eberhardt does not specifically disclose for a): tagging a selected application for future tracking.
However, Linn discloses for a): tag the selected application for future tracking. (see Linn col 4, lines 32-35: content is tagged with a security indicator that indicates content is subject to security evaluation at a later time) 
        It would have been obvious to one of ordinary skill in the art, before the  




Conclusion
               
          THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CARLTON JOHNSON whose telephone number is (571)270-1032. The examiner can normally be reached Work: 12-9PM (most days).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 571-272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CJ/
January 3, 2022
  
/SHEWAYE GELAGAY/ Supervisory Patent Examiner, Art Unit 2436