Detailed Action

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This is in response to Application No. 16/359,696, filed on 3/20/2019, in which claims 1-20 are presented for examination.
Status of Claims
	Claims 1-20 are pending, of which claims 1, 12, and 16 are in independent form.
Specification
The examiner notes that the Specification does not include any URL links or trademark terms requiring capitalization.
The examiner notes that the abstract is in narrative form and is limited to a single paragraph on a separate sheet within the range of 50 to 150 words in length. The examiner also notes that the Abstract includes no legal phraseology.
The examiner notes that no claim invokes 35 USC § 112 6th paragraph.
IDS
All references cited in the IDS filed on 3/20/2019 have been considered by the examiner.
Priority
	Applicant’s claim for benefit of priority based on foreign application IN201841024415 filed on 6/29/2018 is acknowledged by the examiner.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-6, 8-9, and 12-16 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Givental et al. (US 2018/0367561 A1), hereinafter Givental.


As to claim 1, Givental teaches a method comprising:
receiving, by a processor, a security alert generated in response to an event occurring in a computer system (see para. [0007] and para. [0058], and Fig. 7, e.g. step 702 receiving of alerts);
applying, by the processor, machine learning to the security alert to predict a first probability that the security alert will be escalated to a first incident (see para. [0056], [0062] for TDS calculation and confidence level calculation in generating the enriched alert, and para. [0067] for predicting a probability related to the confidence level. “The approach herein in effect predicts that given certain types of attacks and the related knowledge available to the system, that a particular alert represents a high (or low) probability of being a real threat. Because it is machine learning-based, the approach is primarily fully automated (with the exception of attribute configuration, which may be manually-supported), thus obviating manual investigation of the alert details for many type(s) of alert. Essentially, the approach enables the analyst to streamline his or her analysis and even in some cases to avoid having to do any intermediate analysis, instead providing an appropriate and timely response.”); and
displaying an output on a display to guide processing of the security alert based on the first probability (see Fig. 10, and para. [0064]-[0066], e.g. alert screen provided to an analyst for displaying the enriched alert and TDS and its confidence level).
As to claim 2, in view of claim 1, Givental teaches wherein:
displaying the output comprises concurrently displaying an identifier for the security alert and the first probability (see Fig. 10 for alert ID and various additional information such as confidence and TDS – see para.[0007]).
As to claim 3, in view of claim 1, Givental teaches wherein:
(see Fig. 10, and para. [0064]-[0066], e.g. alert screen provided to an analyst for displaying the enriched alert and TDS and its confidence level).
As to claim 4, in view of claim 3, Givental teaches wherein displaying the output comprises concurrently displaying both the first probability that the security alert will be escalated to the first incident and the second probability that the security alert will be escalated to the second incident (see Fig. 10, and para. [0064]-[0066], e.g. alert screen provided to an analyst for displaying the enriched alert and TDS and its confidence level; the examiner notes that the security event can be viewed under various types of security incident classification, and for each different type of classification a different TDS/confidence level value can be generated).
As to claim 5, in view of claim 3, Givental teaches:
determining that the first probability is greater than the second probability (see para. [0064-0066]);
wherein displaying the output comprises concurrently displaying an identifier for the security alert and the first probability in response to the determination that the first probability is greater than the second probability (see Fig. 7, steps 710 and 714; Fig. 10, alertRecogmmendedActionConfidence value).

As to claim 6, in view of claim 5, Givental teaches wherein displaying the output comprises concurrently displaying, in response to an input representing inquiry into the security alert, the first and the second probabilities and the first and second identifiers respectively representing the first and the second incidents (see Fig. 10, and para. [0064]-[0066], e.g. alert screen provided to an analyst for displaying the enriched alert and TDS and its confidence level; the examiner notes that the security event can be viewed under various types of security incident classification, and for each different type of classification a different TDS/confidence level value can be generated).
As to claim 8, in view of claim 1, Givental teaches wherein applying machine learning comprises applying supervised machine learning (see para. [0053]). 
As to claim 9, in view of claim 1, Givental teaches applying machine learning to associate the first incident to a particular security analyst of a plurality of security analysts; and providing a recommendation that the particular security analyst process the first incident (see para. [0048] and [0056]).
As to claim 12, claim 12 includes similar limitations to claim 1, and thus claim 12 is rejected under the same rationale as claim 1.
As to claim 13, in view of claim 12, Givental teaches wherein the given incident comprises an existing incident associated with at least one other security alert (see abstract and para. [0006]).
As to claim 14, in view of claim 12, Givental teaches wherein the output indicates an associated confidence level of the security alert being a false positive (see para. [0066]).
As to claim 15, in view of claim 9, Givental teaches wherein the instructions to apply machine learning comprise instructions that, when executed by the machine, cause the machine to: apply machine learning to a plurality of features of the automated security alert, wherein the plurality of features represent at least one of: whether a user associated with the automated security alert is a source user, whether a user associated with the automated security alert is a target user, an Internet Protocol address of a source asset associated with the security alert, an Internet Protocol address of a target asset associated with the security alert, a reputation score associated with the security alert, a type of asset associated with the security alert, an accessed service associated with the security alert, an accessed resource associated with the security alert, a category of action associated with the security alert, or a result of an action associated with the security alert (see Fig. 10).
As to claim 16, Givental teaches an apparatus comprising: at least one processor; and a memory to store instructions that, when executed by the at least one processor, cause the at least one processor to:
	receive data representing an automated security alert associated with a Security Information and Event Management System (SIEM), wherein the automated security alert has an associated plurality of features (see para. [0007] and para. [0058], and Fig. 7, e.g. step 702 receiving of alerts);
	apply machine learning to the plurality of features associated with the automated security alert to classify the automated security alert, wherein the classification associates the automated security alert with a given incident of a plurality of incidents (see para. [0053]-[0054]); and
display the classification and a confidence level associated with the classification on a graphical user interface (GUI) (see Fig. 10, and para. [0064]-[0066], e.g. alert screen provided to an analyst for displaying the enriched alert and TDS and its confidence level).
As to claim 17, in view of claim 16, Givental teaches wherein the instructions, when executed by the at least one processor, cause the at least one processor to determine probabilities that the security alert is associated with at least two incidents of the plurality of incidents (see Fig. 10, and para. [0064]-[0066], e.g. alert screen provided to an analyst for displaying the enriched alert and TDS and its confidence level; the examiner notes that the security event can be viewed under various types of security incident classification, and for each different type of classification a different TDS/confidence level value can be generated).
As to claim 18, in view of claim 16, Givental teaches wherein the machine learning comprises supervised machine learning (see para. [0053]).
As to claim 19, in view of claim 16, Givental teaches wherein the plurality of features comprise entries of a feature vector, and the instructions, when executed by the at least one processor, cause the at least one processor to:
extract features of a feature set associated with the automated security alert;
normalize the extracted features; and
convert the normalized extracted features into the entries of the feature vector (see para. [0054]).

As to claim 20, in view of claim 19, Givental teaches wherein the instructions, when executed by the at least one processor, cause the at least one processor to apply one hot encoding to convert the normalized extracted features into the entries of the feature vector (see para. [0054]).
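The feature pipeline recited in claims 15, 19 and 20 (extract the alert's features, normalize them, one-hot encode the categorical ones into a fixed-order feature vector), as an added Python example that is not from the application or the Givental reference; the vocabularies, the reputation scale, the internal address ranges, the reduction of IP addresses to an internal/external flag and the sample alert are all assumptions:

```python
from ipaddress import ip_address, ip_network
# Assumed vocabularies; a deployed system derives them from training data so positions stay stable.
VOCAB = {
    "asset_type": ["workstation", "server", "domain_controller"],
    "service": ["ssh", "rdp", "smb", "http"],
    "action_category": ["logon", "file_access", "process_exec"],
    "result": ["success", "failure"],
}
REPUTATION_RANGE = (0.0, 100.0)  # assumed scale of the reputation score
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed corporate ranges

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def extract_features(alert):
    """Step 1 (claim 19): pull the claim-15 feature set out of the alert record."""
    return {
        "is_source_user": alert["user_role"] == "source",
        "is_target_user": alert["user_role"] == "target",
        # Assumption: IPs become an internal/external flag; one-hot over raw addresses is unbounded.
        "src_internal": is_internal(alert["src_ip"]),
        "dst_internal": is_internal(alert["dst_ip"]),
        "reputation": float(alert["reputation"]),
        **{key: alert[key] for key in VOCAB},
    }

def normalize(features):
    """Step 2: min-max scale the score into [0, 1]; canonicalise category strings."""
    lo, hi = REPUTATION_RANGE
    out = dict(features)
    out["reputation"] = min(max((features["reputation"] - lo) / (hi - lo), 0.0), 1.0)
    for key in VOCAB:
        out[key] = str(features[key]).strip().lower()
    return out

def one_hot(value, vocab):
    # An unseen category yields an all-zero group rather than an exception.
    return [1.0 if value == item else 0.0 for item in vocab]

def to_vector(norm):
    """Step 3 (claim 20): fixed-order entries, categorical features one-hot encoded."""
    vec = [float(norm[k]) for k in ("is_source_user", "is_target_user",
                                    "src_internal", "dst_internal", "reputation")]
    for key, vocab in VOCAB.items():
        vec.extend(one_hot(norm[key], vocab))
    return vec

# Constructed sample alert: a failed SSH logon from an external address to a server.
SAMPLE_ALERT = {"user_role": "target", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5", "reputation": 85,
                "asset_type": "Server", "service": "ssh", "action_category": "logon", "result": "failure"}
```

Running `to_vector(normalize(extract_features(SAMPLE_ALERT)))` yields a 17-entry vector: five numeric/boolean entries followed by the four one-hot groups, so the vector length is fixed regardless of which alert is encoded.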
Claim Objection
Claim 15 is objected to because of the following informalities: claim 15 depends on the incorrect parent claim 9. It should depend on claim 12. Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Givental, in view of Poole (US Patent 9,548,987 B1), hereinafter Poole.
As to claim 7, in view of claim 6, Givental teaches wherein concurrently displaying the first and the second probabilities and the identifiers comprises: displaying a first entry including the first probability and the first identifier, and a second entry including the second probability and the second identifier (see Fig. 10, and para. [0064]-[0066], e.g. alert screen provided to an analyst for displaying the enriched alert and TDS and its confidence level).
Givental does not explicitly teach but Poole teaches “ordering the first and the second entries in a descending order according to the first and the second probabilities included in the first and the second entries” (see Fig. 3 for listing events in the descending order of risk score, col. 4, lines 1-10, col. 10, ln 3-14 for list of events in the order of risk scores).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Givental and Poole before him or her, to modify the scheme of Givental by including Poole.

Claims 10-11 are rejected under 35 U.S.C. 103 as being unpatentable over Givental, in view of Herman Saffar et al. (US Patent 10,936,717 B1), hereinafter Herman.
As to claim 10, in view of claim 1, Givental does not explicitly teach but Herman teaches wherein the security alert comprises an automated alert generated in response to the event representing anomalous behavior associated with the computer system (see col. 6, line 46 through col. 8, ln 17 and Fig. 2; it is noted that a security alert is generated based on anomalous system behavior).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Givental and Herman before him or her, to modify the scheme of Givental by including Herman. The suggestion/motivation for doing so would have been to permit real-time detection and remediation of container cyber-attacks based on ML-based container behavior monitoring.
As to claim 11, in view of claim 1, Givental does not explicitly teach but Herman teaches wherein the event is a login attempt by an unauthorized user; a misuse of access; a host exhibiting malicious activity; an unauthorized reconnaissance activity; a (see col. 6, line 46 through col. 8, ln 17 and Fig. 2; it is noted that a security alert is generated based on anomalous system behavior).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Givental and Herman before him or her, to modify the scheme of Givental by including Herman. The suggestion/motivation for doing so would have been to permit real-time detection and remediation of container cyber-attacks based on ML-based container behavior monitoring.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HEE K SONG whose telephone number is (571)270-3260. The examiner can normally be reached on M-F 9:00 am – 5:00 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw, can be reached on (571)272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-7291.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/HEE K SONG/PRIMARY Examiner, Art Unit 2497