Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 11-8-2021 has been entered.

Response to Amendments
The amended claims 1, 3, 7, 8, 10, 14, 15 and 21 – 33 were considered under 35 USC 112, 101 and 103 for patentability over the closest and analogous prior arts Paine, Jeff (US 20180255080), hereafter Pai, and S et al (US 20060149990), hereafter S. Applicant's arguments have been fully considered and are persuasive. Claims 2, 4 – 6, 9, 11 – 13, 16 – 20 and 110 are cancelled.

Allowable Subject Matter
1.	Amended claims 1, 3, 7, 8, 10, 14, 15 and 21 – 33 are allowed in light of applicant’s arguments, approved examiner’s proposed amendments and in light of prior art(s) made of record. 

Examiner’s Amendment

1. (Amendment)	A system comprising:
	at least one processor circuit; and
	at least one memory that stores instructions to be executed by the at least one processor circuit, the instructions configured to perform operations that comprise: 
	providing a set of historical alerts and a set of historical security incidents to a machine learning algorithm to generate a security incident model, the security incident model generated based at least on mapping occurrences of alerts in the set of historical alerts to incidents in the set of historical incidents;
	receiving an alert sequence generated by a network security provider; 
	applying the received alert sequence to the security incident model; 
	receiving an indication from the security incident model that the received alert sequence corresponds to a plurality of security incidents, each security incident of the plurality of security incidents defined by a predetermined sequence of alerts that includes at least one alert missing from the received alert sequence; 
	receiving similarity scores corresponding to the security incidents of the plurality of security incidents, each similarity score indicating an amount of similarity between the received alert sequence and a corresponding security incident of the plurality of security incidents;
	identifying a security incident of the plurality of security incidents that has a highest similarity score among the similarity scores; and 
	generating a notification to the network security provider that indicates at least one of the identified security incident or the at least one alert of the identified security incident that is missing from the received alert sequence.



3. (Previously Presented)	The system of claim 1, wherein the notification includes the similarity score associated with the identified security incident.

4. (Cancelled).

5. (Cancelled). 
	
6. (Cancelled).

7. (Previously Presented)	The system of claim 1, wherein the instructions are further configured to perform operations that comprise:
	identifying security incidents of the plurality of security incidents that have similarity scores greater than a predetermined threshold; and
	wherein said generating comprises generating the notification to indicate the identified security incidents.

8. (Amendment)	A method comprising:
	providing a set of historical alerts and a set of historical security incidents to a machine learning algorithm to generate a security incident model, the security incident model generated based at least on mapping occurrences of alerts in the set of historical alerts to incidents in the set of historical incidents; 
	receiving an alert sequence generated by a network security provider; 
	applying the received alert sequence to the security incident model; 
	receiving an indication from the security incident model that the received alert sequence corresponds to a plurality of security incidents, each security incident of the plurality of security incidents defined by a predetermined sequence of alerts that includes at least one alert missing from the received alert sequence;

	identifying a security incident of the plurality of security incidents that has a highest similarity score among the similarity scores; and
	generating a notification to the network security provider that indicates at least one of the identified security incident or the at least one alert of the identified security incident that is missing from the received alert sequence.

9. (Cancelled).

10. (Previously Presented)	The method of claim 8, further comprising:
	for each security incident of the plurality of security incidents defined by the predetermined sequence of alerts, identifying the at least one alert missing from the received alert sequence using natural language processing.

11. (Cancelled).

12. (Cancelled). 
	
13. (Cancelled).

14. (Previously Presented)	The method of claim 8, further comprising:
	identifying security incidents of the plurality of security incidents that have similarity scores greater than a predetermined threshold; and
	wherein said generating comprises: 
	generating the notification to indicate the identified security incidents.

15. (Amendment)	A computer program product comprising a computer-readable memory having program instructions recorded thereon that, when executed by at least one processing circuit, causes the at least one processing circuit to perform the steps of:
, the security incident model generated based at least on mapping occurrences of alerts in the set of historical alerts to incidents in the set of historical incidents; 
	receiving an alert sequence generated by a network security provider; 
	applying the received alert sequence to the security incident model; 
	receiving an indication from the security incident model that the received alert sequence corresponds to a plurality of security incidents, each security incident of the plurality of security incidents defined by a predetermined sequence of alerts that includes at least one alert missing from the received alert sequence;
	receiving similarity scores corresponding to the security incidents of the plurality of security incidents, each similarity score indicating an amount of similarity between the received alert sequence and a corresponding security incident of the plurality of security incidents; 
	identifying security incidents of the plurality of security incidents that have similarity scores greater than a predetermined threshold; and
	generating a notification to the network security provider that indicates at least one of the identified security incidents or the at least one alert of each of the identified security incidents that is missing from the received alert sequence.

16. (Cancelled).

17. (Cancelled).

18. (Cancelled).

19. (Cancelled).

20. (Cancelled). 

21. (Previously Presented)	The system of claim 1, wherein the predetermined sequence of alerts comprises a pattern of alerts corresponding to steps in an attack campaign. 

22. (Previously Presented) 	The method of claim 8, wherein the predetermined sequence of alerts comprises a pattern of alerts corresponding to steps in an attack campaign.

23. (Previously Presented) 	The computer program product of claim 15, wherein the predetermined sequence of alerts comprises a pattern of alerts corresponding to steps in an attack campaign.

24. (Previously Presented)	The computer program product of claim 15, wherein: 
	the method further comprises:
		identifying a security incident of the identified security incidents that has a highest similarity score; and 
	said generating comprises: 
		generating the notification to indicate the identified security incident.

25. (Previously Presented)	The system of claim 1, wherein the instructions are further configured to perform operations that comprise:
	for each security incident of the plurality of security incidents defined by the predetermined sequence of alerts, identifying the at least one alert missing from the received alert sequence using natural language processing.

26. (Previously Presented) 	The system of claim 1, wherein the set of historical alerts comprises a history of alerts generated for a plurality of customers of a cloud security provider.

27. (Amendment) 	The system of claim 1, wherein the security incident model is generated based at least on: 
	identifying patterns in the set of historical alerts

29. (Amendment) 	The method of claim 8, wherein the set of historical alerts comprises a history of alerts generated for a plurality of customers of a cloud security provider.

30. (Amendment) 	The method of claim 8, wherein the security incident model is generated based at least on: 
	identifying patterns in the set of historical alerts

31. (Previously Presented) The computer program product of claim 15, wherein the method further comprises: 
	for each security incident of the plurality of security incidents defined by the predetermined sequence of alerts, identifying the at least one alert missing from the received alert sequence using natural language processing.

32. (Previously Presented) 	The computer program product of claim 15, wherein the notification includes the similarity scores associated with the identified security incidents.

33. (Amendment) 	The computer program product of claim 15, wherein the set of historical alerts comprises a history of alerts generated for a plurality of customers of a cloud security provider.

110. (Cancelled).

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 


Further, a second prior art of record, S, teaches [122, 127] that a derived segment (DS) is a part of an annotation consisting of the alarms that have occurred and the alarms which are missing. For 

None of the other prior arts of record, by themselves or in any combination, would have anticipated or rendered obvious the claimed invention of the present application at or before the time it was filed.  The prior arts of record fail to teach: applying the received alert sequence to a security incident model, where the model is generated based at least on mapping occurrences of alerts in the set of historical alerts to incidents in the set of historical incidents; receiving an indication from the security incident model that the received alert sequence corresponds to a security incident defined by a predetermined sequence of alerts that includes at least one alert missing from the received alert sequence; scoring the security incidents; and identifying a security incident of the plurality of security incidents that has a highest similarity score among the similarity scores.
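As an added illustration of the claimed steps (model built from historical alerts and incidents, partial matching of a received alert sequence against predetermined alert sequences, similarity scoring, threshold filtering, highest-score selection and a notification naming the missing alerts), the following is example code written for this page, not code from the application or its assignee. Every alert name, incident label and the sample history are constructed, and the similarity measure (share of an incident's predetermined alerts present in the received sequence) is an assumption; the claims do not prescribe one.

```python
# Constructed sample history: each historical incident is a label plus the
# ordered alerts that were raised during it (hypothetical alert names).
HISTORICAL_INCIDENTS = [
    ("credential-theft", ["brute_force_login", "new_admin_user", "password_dump"]),
    ("credential-theft", ["brute_force_login", "password_dump", "new_admin_user"]),
    ("ransomware", ["phishing_attachment", "macro_exec", "mass_file_rename", "c2_beacon"]),
    ("ransomware", ["phishing_attachment", "macro_exec", "mass_file_rename"]),
]

# Constructed received alert sequence from a hypothetical network security provider.
SAMPLE_RECEIVED = ["phishing_attachment", "macro_exec", "brute_force_login"]


def build_incident_model(history):
    """Map each incident to its predetermined alert sequence: the alerts seen in
    every historical occurrence of that incident, ordered by first appearance."""
    model = {}
    for label, alerts in history:
        if label not in model:
            model[label] = list(dict.fromkeys(alerts))  # dedupe, keep order
        else:
            present = set(alerts)
            model[label] = [a for a in model[label] if a in present]
    return model


def similarity(received, pattern):
    """Assumed score: share of the pattern's alerts present in the received sequence."""
    seen = set(received)
    return sum(1 for a in pattern if a in seen) / len(pattern)


def match_incidents(model, received, threshold=0.5):
    """Return (incident, score, missing_alerts) for every incident whose predetermined
    sequence is partially present (at least one alert missing) and scores >= threshold,
    sorted so the highest similarity score comes first."""
    seen = set(received)
    results = []
    for incident, pattern in model.items():
        missing = [a for a in pattern if a not in seen]
        score = similarity(received, pattern)
        if missing and score >= threshold:
            results.append((incident, score, missing))
    return sorted(results, key=lambda r: r[1], reverse=True)


def notify(model, received, threshold=0.5):
    """Notification for the highest-scoring partial match, or None if nothing qualifies."""
    matches = match_incidents(model, received, threshold)
    if not matches:
        return None
    incident, score, missing = matches[0]
    return {"incident": incident, "score": round(score, 2), "missing_alerts": missing}


if __name__ == "__main__":
    print(notify(build_incident_model(HISTORICAL_INCIDENTS), SAMPLE_RECEIVED))
```

A full match (no missing alert) is deliberately excluded, since the claimed indication concerns incidents whose predetermined sequence is not yet complete in the received alerts.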

Therefore, independent claim 1 and its corresponding dependent claims are allowed in light of applicant’s arguments, approved examiner’s amendments and prior arts of record. The same amendments and reasoning are applicable to independent claims 8 and 15 mutatis mutandis.  Claims 2, 4 – 6, 9, 11 – 13, 16 – 20 and 110 are cancelled.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892 Notice of References Cited.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri Champakesan whose telephone number is (571)270-3867.  The examiner can normally be reached on M-F: 7:45am-5pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T. Arani can be reached on 5712723787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to 


 /BADRINARAYANAN / Examiner, Art Unit 2496.