DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claims 1-20 are presented for examination.

Specification
The disclosure is objected to because of the following informalities: 
In [0062], line 1: “404” should read –406–.
Appropriate correction is required.

Drawings
The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they include the following reference character(s) not mentioned in the description: 304 (Figure 3).  
Corrected drawing sheets in compliance with 37 CFR 1.121(d), or amendment to the specification to add the reference character(s) in the description in compliance with 37 CFR 1.121(b) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Abu-Nimeh (US 2017/0026391 A1) in view of Ahmed et al. (US Patent 10,320,813 B1; Ahmed hereinafter).
As to claim 1, Abu-Nimeh discloses a system and method for automated detection and prediction of online threats, the system and method having:
providing, by a cloud-based security service protecting a private network, a plurality of data feeds, wherein each data feed of the plurality of data feeds independently classifies a given security event and produces a classification result (0107, lines 1-6; claim 3); 
responsive to an event associated with a process of an endpoint device that is part of the private network, performing, by an endpoint protection platform running on the endpoint device, an initial classification of the event (0109, lines 1-7); 
responsive to the initial classification, transmitting, by the endpoint protection platform to the cloud-based security service, the initial classification and contextual information regarding the process and event (0109, lines 1-7; 0111, lines 1-6); 
collecting, by the cloud-based security service, a plurality of classification results for the event by obtaining the classification result for the event from each of the plurality of data feeds (0111, lines 1-17); 
generating a final classification result by applying, by the cloud-based security service, a machine-learning classifier to the initial classification and the plurality of classification results (0111, lines 1-17).
Abu-Nimeh fails to specifically disclose:
based on the final classification, causing, by the cloud-based security service, the endpoint protection platform to perform an automated incident response, by providing an output of an automated response engine of the cloud-based security service to the endpoint protection platform.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Abu-Nimeh, as taught by Ahmed.
Ahmed discloses a system and method for threat detection and mitigation in a virtualized computing environment, the system and method having:
based on the final classification, causing, by the cloud-based security service, the endpoint protection platform to perform an automated incident response, by providing an output of an automated response engine of the cloud-based security service to the endpoint protection platform (col. 19, lines 13-43; col. 24, lines 15-20).
Given the teaching of Ahmed, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Abu-Nimeh with the teachings of Ahmed by performing an automated incident response. Ahmed recites motivation by disclosing that performing an automated incident response provides for security and mitigation without the need for human intervention (col. 19, lines 13-22). It is obvious that the teachings of Ahmed would have improved the teachings of Abu-Nimeh by performing an automated incident response in order to provide security and mitigation without the need for human intervention.

As to claim 11, Abu-Nimeh discloses:
receiving, from an endpoint protection platform running on an endpoint device associated with the private network, an initial classification of an event associated with a process of the endpoint device and contextual information regarding the process and the event (0109, lines 1-7; 0111, lines 1-6); 
collecting a plurality of classification results for the event by obtaining the classification result for the event from each of a plurality of data feeds implemented within the cloud-based security service, wherein each data feed of the plurality of data feeds is configured to independently classify a given security event and produce a classification result (0107, lines 1-6; 0111, lines 1-7; claim 3); 
generating a final classification result by applying a machine-learning classifier implemented within the cloud-based security service to the initial classification and the plurality of classification results (0111, lines 1-17).
Abu-Nimeh fails to specifically disclose:
based on the final classification, causing, by the cloud-based security service, the endpoint protection platform to perform an automated incident response, by providing an output of an automated response engine of the cloud-based security service to the endpoint protection platform.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Abu-Nimeh, as taught by Ahmed.
Ahmed discloses:
based on the final classification, causing, by the cloud-based security service, the endpoint protection platform to perform an automated incident response, by providing an output of an automated response engine of the cloud-based security service to the endpoint protection platform (col. 19, lines 13-43; col. 24, lines 15-20).
Given the teaching of Ahmed, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Abu-Nimeh with the teachings of Ahmed by performing an automated incident response. Please refer to the motivation recited above with respect to claim 1 as to why it is obvious to apply the teachings of Ahmed to the teachings of Abu-Nimeh.

As to claims 2 and 12, Abu-Nimeh fails to specifically disclose:
wherein the classification results obtained from the plurality of data feeds need not be normalized prior to being input to the machine-learning classifier.

Ahmed discloses:
wherein the classification results obtained from the plurality of data feeds need not be normalized prior to being input to the machine-learning classifier (col. 10, lines 55-65; col. 11, lines 29-40, 51-56).
Given the teaching of Ahmed, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Abu-Nimeh with the teachings of Ahmed by not normalizing classification results from multiple feeds prior to machine-learning classification. Ahmed recites motivation by disclosing that using classification results from multiple feeds without normalization provides classification with higher confidence (col. 11, lines 29-56). It is obvious that the teachings of Ahmed would have improved the teachings of Abu-Nimeh by obtaining classification results from multiple data feeds without normalizing in order to provide classification with higher confidence.

As to claims 3 and 13, Abu-Nimeh fails to specifically disclose:
wherein the output of the automated response engine comprises a set of automated incident responses based on a set of automated incident response playbooks and the final classification.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Abu-Nimeh, as taught by Ahmed.
Ahmed discloses:
wherein the output of the automated response engine comprises a set of automated incident responses based on a set of automated incident response playbooks and the final classification (col. 10, lines 62-65; col. 11, lines 51-67).
Given the teaching of Ahmed, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Abu-Nimeh with the teachings of Ahmed by outputting automated responses based on response playbooks and final classification. Please refer to the motivation recited above with respect to claim 1 as to why it is obvious to apply the teachings of Ahmed to the teachings of Abu-Nimeh.

As to claims 4 and 14, Abu-Nimeh fails to specifically disclose:
wherein the set of automated incident responses include one or more of notifying an end user of the endpoint device, opening a ticket relating to the event, isolating the endpoint device, quarantining a file associated with the event, and remediating the endpoint device.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Abu-Nimeh, as taught by Ahmed.
Ahmed discloses:
wherein the set of automated incident responses include one or more of notifying an end user of the endpoint device, opening a ticket relating to the event, isolating the endpoint device, quarantining a file associated with the event, and remediating the endpoint device (col. 19, lines 13-31).
Given the teaching of Ahmed, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Abu-Nimeh with the teachings of Ahmed by automatically responding by remediating the 

As to claims 5 and 15, Abu-Nimeh fails to specifically disclose:
wherein each of the plurality of classification results classifies the event as a malicious event, a suspicious event, a potentially unwanted program (PUP) event, an inconclusive event, a likely safe event or a safe event.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Abu-Nimeh, as taught by Ahmed.
Ahmed discloses:
wherein each of the plurality of classification results classifies the event as a malicious event, a suspicious event, a potentially unwanted program (PUP) event, an inconclusive event, a likely safe event or a safe event (col. 19, lines 13-18).
Given the teaching of Ahmed, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Abu-Nimeh with the teachings of Ahmed by classifying an event as malicious. Please refer to the motivation recited above with respect to claim 1 as to why it is obvious to apply the teachings of Ahmed to the teachings of Abu-Nimeh.

As to claims 6 and 16, Abu-Nimeh discloses:
wherein the endpoint device is any or a combination of a communication device and a computing device (700a-c, Figure 7; 0110, lines 1-4).

As to claims 7 and 17, Abu-Nimeh discloses:
wherein the plurality of data feeds include one or more of a file threat-feed, an Internet Protocol (IP)/uniform resource locator (URL) threat feed, an Indicators of Compromise (IoC) threat feed, a file reputation service, an IP/URL reputation service, a vulnerability discovery service, a Tactics Techniques and Procedures (TTPs) feed, a classification of a security event by a third-party network or another endpoint device and Endpoint Detection and Response (EDR) data (0026, lines 1-10; 0027, lines 1-4).

As to claims 8 and 18, Abu-Nimeh fails to specifically disclose:
wherein the contextual information includes command line information associated with execution of the process, an execution chain associated with the process, and a memory dump associated with the process.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Abu-Nimeh, as taught by Ahmed.
Ahmed discloses:
wherein the contextual information includes command line information associated with execution of the process, an execution chain associated with the process, and a memory dump associated with the process (col. 10, line 55-col. 11, line 12).
Given the teaching of Ahmed, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Abu-Nimeh with the teachings of Ahmed by using command line information and an execution chain. Please refer to the motivation recited above with respect to claim 1 as to why it is obvious to apply the teachings of Ahmed to the teachings of Abu-Nimeh.

As to claims 9 and 19, Abu-Nimeh discloses:
assigning a criticality score based on the initial classification of the event (0109, lines 5-7).

As to claims 10 and 20, Abu-Nimeh fails to specifically disclose:
wherein the final classification result classifies the event as a malicious event, a suspicious event, a potentially unwanted program (PUP) event, an inconclusive event, a likely safe event or a safe event.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Abu-Nimeh, as taught by Ahmed.
Ahmed discloses:
wherein the final classification result classifies the event as a malicious event, a suspicious event, a potentially unwanted program (PUP) event, an inconclusive event, a likely safe event or a safe event (col. 19, lines 13-18).
Given the teaching of Ahmed, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Abu-Nimeh with the teachings of Ahmed by classifying the event as malicious. Please refer to the motivation recited above with respect to claim 1 as to why it is obvious to apply the teachings of Ahmed to the teachings of Abu-Nimeh.
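The following Python program is a constructed illustration, added here and not drawn from the application, Abu-Nimeh, or Ahmed, of the pipeline recited in claims 1-5, 9 and 10: an endpoint produces an initial classification and transmits it with process context; the cloud service obtains an independent result from each data feed; a classifier combines the initial classification and the un-normalized feed results into one of the six claimed labels; a criticality score is assigned from the initial classification; and an automated response engine selects playbook actions (notify, ticket, isolate, quarantine, remediate) that are returned to the endpoint. Every feed, hash, address, weight, threshold and playbook is hypothetical, and a fixed weighted vote stands in for the claimed machine-learning classifier.

```python
# Constructed illustration of the claimed pipeline. Not code from the application,
# Abu-Nimeh, or Ahmed; all feeds, weights, playbooks and sample events are hypothetical.
from dataclasses import dataclass
from typing import Callable, Dict, List

LABELS = ("malicious", "suspicious", "pup", "inconclusive", "likely_safe", "safe")


@dataclass
class EndpointEvent:
    """What the endpoint protection platform observes for one process event."""
    process: str
    command_line: str
    execution_chain: List[str]  # parent chain, oldest first
    file_hash: str              # constructed placeholder, not a real IoC
    remote_ip: str              # "" when there was no network activity


# --- endpoint side: constructed local knowledge used for the initial classification ---
LOCAL_BASELINE = {"explorer.exe", "notepad.exe"}  # processes known on this host
LOCAL_SIGNATURES = {"deadbeef"}                   # hashes blocked locally


def endpoint_initial_classification(ev: EndpointEvent) -> str:
    if ev.file_hash in LOCAL_SIGNATURES:
        return "malicious"
    return "likely_safe" if ev.process in LOCAL_BASELINE else "suspicious"


def endpoint_report(ev: EndpointEvent) -> Dict:
    """The message the endpoint transmits: initial verdict plus process context."""
    return {"initial": endpoint_initial_classification(ev),
            "context": {"process": ev.process, "command_line": ev.command_line,
                        "execution_chain": ev.execution_chain,
                        "file_hash": ev.file_hash, "remote_ip": ev.remote_ip}}


# --- cloud side: data feeds that each classify the event independently ---
FILE_REPUTATION = {"deadbeef": "malicious", "cafebabe": "safe"}  # constructed
IP_REPUTATION = {"203.0.113.5": "suspicious"}  # TEST-NET-3 documentation address


def file_reputation_feed(ctx: Dict) -> str:
    return FILE_REPUTATION.get(ctx["file_hash"], "inconclusive")


def ip_reputation_feed(ctx: Dict) -> str:
    return IP_REPUTATION.get(ctx["remote_ip"], "inconclusive")


def ttp_feed(ctx: Dict) -> str:
    """TTP heuristic: a document editor in the parent chain of a shell is suspicious."""
    chain = {p.lower() for p in ctx["execution_chain"]}
    if chain & {"winword.exe", "excel.exe"} and ctx["process"].lower() in {"cmd.exe", "powershell.exe"}:
        return "suspicious"
    return "likely_safe"


DATA_FEEDS: Dict[str, Callable[[Dict], str]] = {
    "file_reputation": file_reputation_feed, "ip_reputation": ip_reputation_feed, "ttp": ttp_feed}


def collect_classification_results(ctx: Dict) -> Dict[str, str]:
    return {name: feed(ctx) for name, feed in DATA_FEEDS.items()}


# --- classifier: weighted vote with constructed weights (a trained model would learn them) ---
WEIGHTS = {"endpoint": 0.4, "file_reputation": 0.3, "ip_reputation": 0.15, "ttp": 0.15}
DECISION_THRESHOLD = 0.5


def final_classification(initial: str, results: Dict[str, str]) -> str:
    """Raw labels go in without normalization; an 'inconclusive' result abstains."""
    votes = {label: 0.0 for label in LABELS}
    for source, label in [("endpoint", initial), *results.items()]:
        if label != "inconclusive":
            votes[label] += WEIGHTS[source]
    winner = max(votes, key=votes.get)
    return winner if votes[winner] >= DECISION_THRESHOLD else "inconclusive"


# --- automated response engine: playbooks keyed by the final classification ---
PLAYBOOKS = {
    "malicious": ["isolate_endpoint", "quarantine_file", "remediate_endpoint", "open_ticket", "notify_user"],
    "suspicious": ["quarantine_file", "open_ticket", "notify_user"],
    "pup": ["quarantine_file", "notify_user"],
    "inconclusive": ["open_ticket"],
    "likely_safe": [],
    "safe": [],
}
CRITICALITY = {"malicious": 5, "suspicious": 4, "pup": 3, "inconclusive": 2, "likely_safe": 1, "safe": 0}


def automated_response_engine(final: str) -> List[str]:
    return list(PLAYBOOKS[final])


def handle_event(ev: EndpointEvent) -> Dict:
    """Whole pipeline for one event; the returned dict is what the cloud sends back to the endpoint."""
    report = endpoint_report(ev)
    results = collect_classification_results(report["context"])
    final = final_classification(report["initial"], results)
    return {"initial": report["initial"], "criticality": CRITICALITY[report["initial"]],
            "feed_results": results, "final": final, "responses": automated_response_engine(final)}


if __name__ == "__main__":
    # constructed sample event: a shell launched beneath a word processor, with a locally blocked hash
    sample = EndpointEvent("powershell.exe", "powershell.exe -File report.ps1",
                           ["explorer.exe", "winword.exe", "powershell.exe"], "deadbeef", "203.0.113.5")
    print(handle_event(sample))
```

The vote treats an inconclusive feed result as an abstention rather than as a label, so a lone suspicious endpoint verdict with no corroborating feed falls below the decision threshold and produces an "inconclusive" final result that only opens a ticket; corroboration from the file reputation feed is what lifts the first sample to "malicious" and triggers isolation and quarantine.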

Prior Art Made of Record
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Bulut et al. (US 2019/0129705 A1) discloses a system and method for group patching recommendation and/or remediation with risk assessment.
Furukawa et al. (US 2020/0293944 A1) discloses a system and method for generating and applying a secure statistical classifier.
Gunn et al. (US 2019/0188390 A1) discloses a system and method for security vulnerability analytics engine.
Shemet et al. (US Patent 10,747,606 B1) discloses a system and method for risk based analysis of adverse event impact on system availability.
Yavo et al. (US 2021/0176264 A1) discloses a system and method for leveraging user-behavior analytics for improved security event classification.
Yavo et al. (US 2021/0200859 A1) discloses a system and method for malware detection by a sandbox service by utilizing contextual information.
Yavo et al. (US 2021/0200870 A1) discloses a system and method for performing threat detection by synergistically combining results of static file analysis and behavior analysis.
Yavo et al. (US 2021/0279184 A1) discloses a system and method for providing a secure communication channel between kernel and user mode components.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SARAH SU whose telephone number is (571)270-3835. The examiner can normally be reached 7:30 AM - 4:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SARAH SU/Primary Examiner, Art Unit 2431