Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
	Claims 1-6 are pending.

Drawings
	New corrected drawings in compliance with 37 CFR 1.121(d) are required in this application because the color of the text in the drawings 1-5 is faded and unclear. Applicant is advised to employ the services of a competent patent draftsperson outside the Office, as the U.S. Patent and Trademark Office no longer prepares new drawings. The corrected drawings are required in reply to the Office action to avoid abandonment of the application. The requirement for corrected drawings will not be held in abeyance.


EXAMINER’S AMENDMENT
	The application has been amended as follows: 
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with applicant Arun Warikoo, on 01-26-2022.

Page 9 of the specification has been amended as follows:
The analysis engine 120 sends the EKID to the intelligence engine 130 for further analysis. While the intelligence engine 130 may optionally perform many of the functions of the analysis engine 120, these functions are preferably performed by the analysis engine 120 for the purpose of scalability and EAGD and determining a match probability.
If the unique techniques value (T𝑢) is greater than the predetermined threshold, the intelligence engine 130 alerts the user that the intrusion set is attributed to an activity group with High Confidence. If the unique techniques value (T𝑢) is not greater than the predetermined threshold, the intelligence engine 130 alerts the user with the confidence level and the identified knowledge gaps that need to be filled for further analysis.
System Operation
FIG. 2 is a flowchart illustrating steps in the operation of the high confidence cyber threat attribution system 100, in accordance with one preferred embodiment of the present invention. The process starts at step 200, where the given intrusion set data and activity group indicator data are collected. Then, at step 210, the intrusion set data and activity group data are analyzed to extract EKID and EAGD. This step is preferably performed by the analysis engine 120. Then, at step 220, EKID is compared to EAGD. This step is preferably performed at 130. Then, at step 230, the system determines the attribution for a given intrusion set to an activity group with the associated confidence level.

	Page 12 of the specification has been amended as follows:
The principles of operation of the high confidence attribution system 100 will now be further illustrated in the context of a hypothetical scenario. In the hypothetical scenario, the database 110 contains EAGD that includes a profile of a sophisticated activity group (“Wizard Spider”). The key indicators stored in the database 110, such as the sample shown in FIG. 5, detail several unique tools and techniques utilized by WizardSpider. In addition, database 110 contains EAGD regarding the sectors in which WizardSpider has operated. In this hypothetical scenario, the system 100 preferably executes the following process:
1.	Activity group data is collected by the analysis engine 120 from the threat intelligence feeds 160 on a periodic basis. EAGD is extracted and stored in the database 110.
2.	New intrusion set is collected by the analysis engine 120 from the sensors 150. 
3.	The analysis engine 120 extracts key indicator data (EKID) from the intrusion set and transmits to the intelligence engine 130.
4.	The intelligence engine 130 receives the EKID from the analysis engine 120 and the EAGD from the database 110, and performs a multi-stage comparison between the EKID and the EAGD. The intelligence engine determines that T𝑢 is greater than the threshold, so the system has high confidence that the intrusion set can be attributed to WizardSpider. This is based on the unique tools and techniques specially leveraged by WizardSpider and the fact that the same are identified in the intrusion set.
5.	This triggers an alert which is communicated to the user via the user interface 170 that the system has high confidence in attributing the intrusion set to WizardSpider.

	Claims are amended as follows:

1. 	(Currently amended) A method for determining a confidence level for cyber threat attribution of an ongoing campaign, comprising:
	collecting intrusion set data from sensors, wherein the intrusion set data comprises of associated indicators of compromise;
	collecting activity group data from Threat Intelligence feeds or Vendor Threat Intelligence reports;
(EKID) from the intrusion set data using at least a second processor, wherein the EKID comprises tools, tactics, techniques and procedures associated with the intrusion set;
	extracting an activity group indicator data (EAGD) using at least a second processor, wherein the EAGD comprises tools, tactics, techniques and procedures associated with the activity group;
	comparing the EKID with the EAGD using at least the second processor, wherein the comparison step comprises of identifying common tools and techniques between EKID and EAGD;
	determining whether the EKID is attributed to a known activity group with an associated confidence level by:
	determining correlation levels between the tools within the EKID and the tools within the EAGD;
	determining correlation levels between the tactics, techniques and procedures within the EKID and the tactics, techniques and procedures within the EAGD of those activity groups that use at least one tool identified within EKID;
	determining attribution to an activity group with high confidence if unique techniques (Tµ) value exceeds a predetermined threshold;
	determining attribution to an activity group with moderate confidence if unique techniques (Tµ) value does not exceed a predetermined threshold;
	determining the attribution to an activity group with low confidence if the unique techniques (Tµ) value is equal to zero;
	determining information gap in the event attribution to an activity group is determined with moderate or low confidence, wherein the information gap comprises of an assessment on a quality of the intrusion set; and
	providing analysis to user based on the determined information gap with regards to the tactics and techniques needed to be applied to detect malicious activities with an associated activity group within the user environment, wherein activity group is an entity who had conducted a cyber-attack.
2.	(Canceled)
3.	(Canceled)
4.	(Canceled)
5.	(Canceled)
6.	(Canceled)
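The multi-stage comparison recited in claim 1 and walked through in the WizardSpider scenario above, as an added illustration that is not part of the application or of this Office action; the reading of T𝑢 as the count of matched techniques no other profiled group uses, the threshold value, and the sample profiles are assumptions.

```python
from dataclasses import dataclass

# Added illustration of the claimed comparison. Tu (unique techniques value) is
# taken to be the number of techniques shared by the intrusion set and the
# candidate group that no other profiled group uses; that reading is an assumption.


@dataclass(frozen=True)
class Profile:
    tools: frozenset
    techniques: frozenset


# Constructed sample EAGD. Technique IDs are illustrative ATT&CK-style labels;
# "GroupB" is fictional and the WizardSpider profile is not the real one.
EAGD = {
    "WizardSpider": Profile(frozenset({"TrickBot", "Ryuk", "Cobalt Strike"}),
                            frozenset({"T1486", "T1021.002", "T1059.001", "T1566.001"})),
    "GroupB": Profile(frozenset({"Cobalt Strike", "Mimikatz"}),
                      frozenset({"T1059.001", "T1003.001", "T1566.001"})),
}


def attribute(ekid: Profile, eagd: dict, threshold: int = 1) -> dict:
    """Attribute an intrusion set (EKID) to a group with a confidence level."""
    # Stage 1: tool correlation. Only groups sharing at least one tool with the
    # intrusion set proceed to the technique comparison.
    candidates = [g for g, p in eagd.items() if p.tools & ekid.tools]
    if not candidates:
        return {"group": None, "confidence": "Low", "Tu": 0,
                "gap": sorted(ekid.techniques), "quality": 0.0}
    scored = []
    for g in candidates:
        # Stage 2: technique correlation for the surviving candidates.
        common = eagd[g].techniques & ekid.techniques
        others = frozenset().union(*(eagd[o].techniques for o in eagd if o != g))
        tu = len(common - others)  # matched techniques only this group uses
        scored.append((tu, len(common), g, common))
    tu, _, group, common = max(scored, key=lambda s: s[:3])
    if tu > threshold:
        conf = "High"
    elif tu > 0:
        conf = "Moderate"
    else:
        conf = "Low"
    # Information gap for moderate/low results: group techniques not yet seen in the
    # intrusion set, plus a crude quality figure (share of group techniques observed).
    gap = [] if conf == "High" else sorted(eagd[group].techniques - ekid.techniques)
    quality = round(len(common) / len(eagd[group].techniques), 2)
    return {"group": group, "confidence": conf, "Tu": tu, "gap": gap, "quality": quality}
```

The returned gap lists the techniques an analyst would still need to observe (or rule out) to raise the confidence level.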

Allowable Subject Matter
	Claim 1 is allowed.
The following is an examiner’s statement of reasons for allowance:
	The prior art Andres et al. (US Patent No. 8,201,257) of record discloses, a security risk management system comprises a vulnerability database, an asset database, a local threat intelligence database and a threat correlation module. The vulnerability database comprises data about security vulnerabilities of assets on a network gathered using active or passive vulnerability assessment techniques. The asset database comprises data concerning attributes of each asset. The threat correlation
module receives threat intelligence alerts that identify attributes and vulnerabilities associated with security threats that affect classes of assets. The threat correlation module compares asset attributes and 
to prioritize preventive action and respond first to threats that affect higher risk assets. The security risk management system provides tools for performing preventive action and for tracking the success of preventive action.
	The prior art Balasundaram et al. (US Patent No. 10,834,103) of record discloses, A security platform may determine mapped attribute information associated with a plurality of host identifiers. The
mapped attribute information may include information that identifies a set of related attributes. The security platform may determine, based on the mapped attribute information, that a host device is associated with at least two host identifiers of the plurality of host identifiers. The security
platform may aggregate, based on the at least two host identifiers, threat information as aggregated threat information associated with the host device. The security platform may classify the host device as an infected device or a suspicious device based on the aggregated threat information.
	The prior art Singla et al. (US Publication No. 2016/0378978) of record discloses, Example embodiments disclosed herein relate to determining threat scores for threat observables. Information about multiple threat observables are received from providing entities. The information about the threat observables include at least one attribute about a respective threat associated with the threat observable. Threat scores are determined for the respective threat observables for multiple entities. In one example, a first score of a first one of the threat observables is determined and is different than a second score of the first threat observable for a second entity based on a treatment of the attribute(s).
However, prior arts taken singly or in combination, fail to anticipate or render the following limitation:
	determining whether the EKID is attributed to a known activity group with an associated confidence level by: determining correlation levels between the tools within the EKID and the tools within the EAGD; determining correlation levels between the tactics, techniques and 
	Claim is allowed in view of the above claim limitation when in combination with the remaining claim limitations.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
	    Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ali Abyaneh whose telephone number is (571) 272-7961. The examiner can normally be reached Monday through Friday from 8:00 to 5:00. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid, can be reached at (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.

/ALI S ABYANEH/Primary Examiner, Art Unit 2437