DETAILED ACTION

Response to Arguments
Applicant's arguments (“REMARKS”) filed on November 17, 2021 have been fully considered, but they are only partially persuasive.
Claims 1-11, 13, 14, and 16-20 are currently pending. Claims 1-3, 6-8, 11, 13, and 14 were amended. Claims 12 and 15 were canceled.

Re: B. Claim Objections
The objection to claim 1 has been withdrawn in view of the amendments correcting the informalities.

Re: C. Claim Rejections – 35 USC § 112
Claims 3, 7, and 8 are no longer interpreted under 35 U.S.C. § 112(f) in view of the amendments and response provided on pp. 15-21 of the REMARKS.
The rejection of claims 1-10 under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention has been withdrawn in view of the amendments and response provided on pp. 28-29 of the REMARKS.

Re: C. Claim Rejections – 35 USC § 101
The rejection of claims 1, 2, 4-6, 9, and 10 under 35 U.S.C. § 101 as being directed to non-statutory subject matter has been withdrawn in view of the amendments and response provided on pg. 29 of the REMARKS.

Re: D. Claims allowed
The rejection of claims 11, 13, 14, and 16-20 under 35 U.S.C. § 103 has been withdrawn in view of the amendments. Specifically, independent claim 11 has been amended with allowable subject matter previously identified in dependent claims 12 and 15.

Re: E. Claim Rejections – 35 USC § 103
Applicant argues on pp. 30-31 that the teachings of [Paine, ¶¶50-54], as cited in the rejection to claim 1 on pg. 4 of the Non-final Office Action, do not teach the limitations recited in claim 1. 
Specifically, Applicant asserts that “conventional machine learning techniques to comparing patterns against a baseline metric does not disclose one or more machine learning models to analyze the pattern of life data for two or more end-point computing devices. Paine’s baseline metric is initially set based on generic devices AND the vague statement on conventional machine learning techniques could easily lead one skilled in the art to use AI classifiers, AI decision trees, AI clustering, and any number of other machine learning techniques rather than machine-learning models that model and analyze the pattern of life for a specific end point computing device.” However, the Examiner respectfully disagrees. According to [Paine, ¶35], 
Furthermore, the primary goal of Paine is to detect deviation from baseline behavior of each endpoint using learning models. See [Paine, Abstract]: “The system further comprises an analytics engine configured to receive the aggregated information, and to invoke learning models to output deviation information for each of the endpoints based on the aggregated information and expected fingerprints associated with the endpoints.” (Emphasis added). Herein, “fingerprint” refers to a behavioral profile unique to the activities/behavior of an endpoint [Paine, ¶33]. Therefore, Paine is not distinct from: “where the modules in the endpoint agent are configured to cooperate with the API and the machine learning models in cyber security appliance to analyze the pattern of life for that end-point computing-device to enable the detection of the cyber threat on that end-point device”, as recited in claim 1. Both Paine and the claimed invention are directed to detecting threats on the endpoints using machine learning models, not to how the model is trained or structured (e.g. what features are used, algorithms, etc.). The inventive concept in the claimed invention does not rely on the details of the machine learning model itself, but on the fact that the model is used, in a manner not distinct from Paine, to detect threats in endpoints using pattern of life data.
The rejection of claim 8 under 35 U.S.C. § 103 has been withdrawn in view of the amendments. Specifically, the features recited in amended claim 8 are not taught by Paine, Li, or Chen.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 2, 4, 9, and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Paine (hereinafter, “Paine”), US 2018/0255076 in view of Li et al. (hereinafter, “Li”), US 2016/0285858.
As per claim 1: Paine discloses: An endpoint agent configured to enable detection of a cyber threat on an end-point computing-device (systems and method are provided for identifying endpoint compromise [Paine, ¶33]), comprising: where the endpoint agent resident on the end-point computing-device has a communications module configured to communicate with an Application Programming Interface (API) hosted by a cyber security appliance (a data collector resides on each physical endpoint and captures user endpoint access behavioral activity, which is sent to an API of a cloud service [Paine, ¶¶33, 44]), where a collections module in the endpoint agent is configured to monitor and collect pattern of life data of multiple software processes executing on the end-point computing-device and one or more users of the end-point computing-device (the data collector engine captures user endpoint access behavioral activity data such as for example firewall, IP address, activity counter, process info, keyboard connections and activations, mouse telemetry, and user activity telemetry [Paine, ¶¶33, 56]), where the communications module and the collections module cooperate to send the pattern of life data, via the communications module, to the cyber security appliance installed on a network selected from a group consisting of i) an informational technology network, ii) an operational technology network, iii) a cloud infrastructure (aggregating all the collected data and securely sending said data to a cloud service comprising an analytics engine for identifying malware/attackers [Paine, ¶¶44-45]), to the end-point computing-device (the collector may be directly connected to the cloud service through an API or via an aggregator in a computing environment of multiple collectors [Paine, ¶¶44-45; Fig. 2]), where the cyber security appliance at least contains one or more machine-learning models to analyze the pattern of life data for two or more end-point computing devices connected to that API hosted by the cyber security appliance (the analytics engine uses learning systems to differentiate activities of users, including attackers/malware [Paine, ¶45]; the learning systems use conventional machine learning techniques to identify breaches by comparing patterns against a baseline metric [Paine, ¶¶50-54]), where each of the two or more end-point computing devices has the collections module in the endpoint agent resident in that end-point computing-device configured to monitor and collect the pattern of life data as well as the communication module to send the pattern of life data (the data collector resides on each physical endpoint and captures user endpoint access behavioral activity, which is sent to an API of a cloud service [Paine, ¶¶33, 44]), where any instructions of the modules in the endpoint agent are configured to be stored in an executable format in one or more memories and to be executed by one or more processors of the end-point computing-device (a data processing system comprising conventional computer components may be used to implement Paine’s invention [Paine, ¶¶122-125; Fig. 10]), where the modules in the endpoint agent are configured to cooperate with the API and the machine-learning models in cyber security appliance to analyze the pattern of life for that end-point computing-device to enable the detection of the cyber threat on that end-point computing-device, where the modules in the endpoint agent and the one or more memories and one or more processors in the end-point computing-device are part of the endpoint agent (an analytics engine .
Paine does not disclose the cloud service as a “SaaS infrastructure”. However, SaaS applications were well-known cloud-based technologies. For example, in Li, it was common to allow enterprise systems to access cloud applications, such as SaaS applications [Li, ¶1], which in this case would have been the analytics engine of Paine.
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to implement the analytics engine in the cloud service of Paine as a SaaS application. SaaS applications would have been cost efficient to both the enterprise and cloud provider, where applications can be requested according to an on-demand basis and have scalability through cloud technologies.

As per claim 2: Paine in view of Li disclose claim 1. Furthermore, Paine in view of Li disclose: further comprising: where the collections module is configured to collect pattern of life data that includes metadata, events, and alerts regarding at least i) the users, ii) the multiple software processes, iii) relationships between the software processes, iv) device operation, v) operating system configuration changes, and vi) combinations of these (the collector captures behavioral activity, including firewall, IP address, activity counter, process information, etc. [Paine, ¶33]; furthermore, the collector also receives hardware-related statistics, such as CPU, memory, GPU, etc. and snapshots of a “user space”, such as mouse/keyboard activity [Paine, ¶56]; see also Table 1 for additional metrics), and then is sent by the communications module to the cyber security appliance installed in the network (the data is sent to the analytics engine operating within the cloud service, wherein the analytics engine includes learning systems implementing machine learning techniques to differentiate multiple users based on the received data and baseline behaviors [Paine, ¶¶45, 50-54; Fig. 2]), where the cyber security appliance is configured to use the one or more machine-learning models trained on that end-point computing-device from the two or more end-point computing devices to analyze the collected pattern of life data from the endpoint agent resident in that end-point computing device passed through the API hosted by the cyber security appliance against a normal pattern of life for that end-point computing-device, where the cyber security appliance also is configured to use a cyber threat module that references one or more machine-learning models trained on potential cyber threats to analyze for potential cyber threats on the end-point computing-device in light of the collected pattern of life data that deviates from the normal pattern of life for that end-point computing-device (a baseline profile is generated and updated over time to adjust for changes to normal behavior [Paine, ¶35]; machine learning models are invoked to determine deviations for each of the endpoints from the collected information and expected fingerprints, or the baseline profile [Paine, ¶36]).

As per claim 4: Paine in view of Li disclose all limitations of claim 2. Furthermore, Paine in view of Li disclose: where the communications module is further configured to send collected pattern of life data to the cyber security appliance (sending the data gathered by the collector to the cloud service hosting the analytics engine [Paine, ¶¶44-45]), and then the cyber security appliance is configured to initially match a type of computing-device and operating system that this particular end-point computing-device falls into in order to apply and route the collected pattern of life data to a corresponding set of the one or more machine-learning models trained on that end-point computing-device (rules and behavioral profiles (or fingerprint) are user-specific, e.g. if metrics on an endpoint is normal for “this” user [Paine, ¶¶33-36, 47]).

As per claim 9: Paine in view of Li disclose all limitations of claim 1. Furthermore, Paine in view of Li disclose: where the collections module is configured to cooperate with at least one or more probes that include i) a first probe specifically configured to collect data about an operating system of the end-point computing-device (metrics identifiable via operation system on an endpoint [Paine, ¶106]) as well as ii) a second probe specifically configured to collect data about an individual process executing on the end-point computing-device (process information [Paine, ¶28; Table 1]), and iii) a third probe specifically configured to monitor and record events occurring on the end-point computing-device and collaborate with system event logging tools (collecting events directly from the operating system [Paine, ¶56; Table 1]), where the collected data regarding the operating system and individual processes along with the recorded events are sent in the collected pattern of life data by the collections module to the cyber security appliance (all the collected data and metrics are provided to the analytics engine in the cloud server [Paine, ¶¶45, 58]).

As per claim 10: Paine in view of Li disclose all limitations of claim 1. Furthermore, Paine in view of Li disclose: where the cyber security appliance is configured to receive collected pattern of life data from two or more endpoint agents, including the endpoint agent, each of the two or more endpoint agents is resident on their own end-point computing-device in the network (a plurality of endpoints within a computing environment, where each endpoint has a collector engine installed [Paine, ¶36]), where the cyber security appliance has a graphical user interface to display the endpoint agents and their end-point computing-device connecting to that cyber security appliance, where the graphical user interface is scripted to visually highlight end-point computing-devices with anomalies occurring compared to a normal pattern of life for that end-point computing-device (a UI dashboard for displaying graphs and statistics of endpoint(s) [Paine, ¶¶111-113; Fig. 8]; for example, 810 displays the abnormal spikes from a specific components/attributes of an endpoint).

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Paine in view of Li and in further view of Ford (hereinafter, “Ford”), US 2018/0332054 (supported by provisional application no. 62/537,102 – filed on July 26, 2017).
As per claim 6: Paine in view of Li disclose all limitations of claim 1. Furthermore, Paine in view of Li disclose: further comprising: where the communications module is further configured to send collected pattern of life data to the cyber security appliance at periodic intervals when connected to the network where the cyber security appliance is installed (capturing data periodically [Paine, ¶56]), .
Paine in view of Li do not disclose the strikethrough features of claim 6. However, these features are directed to asynchronous communication, a common technique used by devices in computer networks. For example, Ford discloses analogous art of using different endpoint devices for collecting information for a security analytics system [Ford, ¶62]. Ford discloses: where the communications module is further configured to send collected pattern of life data to one or more memories of the end-point computing-device i) when not connected to the network where the cyber security appliance is installed as well as ii) when the cyber security appliance is unavailable; and then in either situation, deliver the collected pattern of life data when possible (an endpoint device communicates in real-time or near real-time, such as asynchronous communications; for example, an email message may be stored when the endpoint device is not connected to the network and communicates the message once connected to the network [Ford, ¶¶31-33] – these features were supported in Ford’s provisional application 62/537,102 in ¶¶36-38).
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to implement asynchronous communication features for the endpoint devices of Paine, such as described in Ford. Asynchronous communications have the advantage of handling data transmissions during network outages, such that data can be temporarily stored and sent when the network is online.
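The store-and-forward behavior discussed for claim 6 (periodic delivery when connected, local storage when the network or appliance is unavailable, delivery when possible), shown as an added illustration that is not code from the Office Action, Paine, or Ford. The ApplianceUnavailable exception, CommunicationsModule class and FakeAppliance stand-in are hypothetical names, and the pattern-of-life records are constructed samples.

```python
"""Store-and-forward delivery of pattern-of-life records from an endpoint agent."""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Tuple

# One pattern-of-life record (constructed sample fields: process, user, event).
Record = Dict[str, object]


class ApplianceUnavailable(Exception):
    """Raised by the transport when the appliance API cannot be reached (hypothetical)."""


@dataclass
class CommunicationsModule:
    """Sends records to the appliance API; spools them on the device when it cannot."""
    send: Callable[[List[Record]], None]                 # transport to the appliance API (assumed)
    spool: Deque[Record] = field(default_factory=deque)  # on-device buffer (memory or disk)
    max_spool: int = 10_000                              # bound local storage; oldest dropped first

    def store_locally(self, records: List[Record]) -> None:
        """Append records to the bounded spool, discarding the oldest when full."""
        for rec in records:
            if len(self.spool) >= self.max_spool:
                self.spool.popleft()
            self.spool.append(rec)

    def deliver(self, fresh: List[Record]) -> int:
        """Deliver spooled records first (order preserved), then the fresh batch.
        Returns the number of records delivered; on failure every record stays spooled."""
        batch = list(self.spool) + list(fresh)
        if not batch:
            return 0
        try:
            self.send(batch)               # periodic interval: try the appliance API
        except ApplianceUnavailable:
            self.spool.clear()
            self.store_locally(batch)      # not connected or appliance down: keep locally
            return 0
        self.spool.clear()                 # delivered: nothing left to retry
        return len(batch)


class FakeAppliance:
    """Constructed stand-in for the appliance API; can be toggled offline to
    simulate a disconnected network or an appliance outage."""
    def __init__(self) -> None:
        self.online = True
        self.received: List[Record] = []

    def ingest(self, batch: List[Record]) -> None:
        if not self.online:
            raise ApplianceUnavailable("appliance API unreachable")
        self.received.extend(batch)


def run_intervals(availability: List[bool]) -> Tuple[List[int], List[int]]:
    """Collect one record per periodic interval under the given availability pattern.
    Returns (sequence numbers received by the appliance, sequence numbers still spooled)."""
    appliance = FakeAppliance()
    comms = CommunicationsModule(send=appliance.ingest)
    for seq, online in enumerate(availability):
        appliance.online = online
        fresh = [{"seq": seq, "process": "svchost.exe",      # constructed sample record
                  "user": "alice", "event": "process_start"}]
        comms.deliver(fresh)
    return ([r["seq"] for r in appliance.received],
            [r["seq"] for r in comms.spool])


if __name__ == "__main__":
    print(run_intervals([True, False, False, True, False]))
```

With the appliance reachable only on intervals 0 and 3, the records from intervals 1 and 2 arrive in order on interval 3 and only interval 4's record remains spooled; the bounded spool drops the oldest records during a prolonged outage rather than growing without limit.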

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Paine in view of Li and in further view of Chen et al. (hereinafter, “Chen”), US 2018/0183680.
As per claim 8: Paine in view of Li disclose all limitations of claim 1. Paine further discloses reporting and alerting an organization of detected threats [Paine, ¶¶83-85]. Paine and Li do not disclose the features of an automated response based on a threat risk score as recited in claim 3. However, Chen is directed to analogous art of implementing surveillance agents to monitor each system in a network [Chen, ¶14]. Each agent is installed in each machine of an enterprise network to collect operational data for analysis [Chen, ¶16]. Therefore, Chen discloses: further comprising: where the cyber security appliance is further configured with an autonomous response module, rather than a human taking an action, to cause one or more actions to be taken by the endpoint agent using the API to contain the cyber threat when a potential cyber threat is detected (a security module 514 performs manual or automated security actions according to predetermined rules and policies, wherein the automated actions are triggered when an anomaly score for a host exceeds a threshold [Chen, ¶52]), where the autonomous response module has a user programmable interface with any of i) fields, ii) menus, and iii) icons to allow a user to preauthorize the autonomous response module to take actions to contain the cyber threat (a user interface dashboard is available to administrators to visually manage and monitor the security of the network [Paine, ¶¶111-113; Fig. 8]; an administrative UI in Paine could have been incorporated with Chen to manage the policies [Chen, ¶52]; thereby enabling user-friendly management of policies related to the network), and where the autonomous response module is configured to cooperate with the communications module in the endpoint agent, via the API, to cause the one or more actions to be taken to contain the detected cyber threat when a cyber-threat risk score is indicative of the likelihood of the cyber-threat is equal to or above an actionable threshold (automated actions are triggered when an anomaly score for a host exceeds a threshold [Chen, ¶52]).
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to implement a scoring technique, such as disclosed in Chen, to more accurately detect deviations in Paine. This would have enabled a more granular means of judging an endpoint by assigning numerical values to combined endpoint attributes to indicate how much they deviated from the baseline. Furthermore, an automated response, as disclosed in Chen, would have reduced the amount of manual labor in handling detected anomalies.

Allowable Subject Matter
Claims 11, 13, 14, and 16-20 are allowable.
Claims 3, 5, and 7 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT B LEUNG whose telephone number is (571)270-1453.  The examiner can normally be reached on Mon - Thurs: 10am-7pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG KIM can be reached on 571-272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access 




/ROBERT B LEUNG/ Primary Examiner, Art Unit 2494
1-18-2022