Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Response to Arguments
Applicant's arguments filed 1/28/22 have been fully considered but they are not persuasive.
Applicant argues that the clustering as disclosed in Maida does not group incidents.  Applicant argues that as stated in the claim, incidents are made of security alerts determined as being associated with the same security event.  Examiner respectfully disagrees.
Maida teaches “an incident may be associated with one or more alerts,” as cited by the Examiner in the previous office action. Maida also states that alerts may be raised to the level of incidents. Maida further teaches that incidents have observables which relate to an attack/same security event, as shown by “characteristics of the technical artifacts of an attack… such as an attribute.” Maida teaches clustering said incidents in order to help analyze attacks. That Maida clusters “incidents” to help analyze attacks does not negate that the attributes and alerts as taught by Maida already relate to the same “security event”.

Rivlin is primarily relied upon to teach classification of attack categories, such as industry based, or spray and pray attacks.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Maida US 10,958,667 in view of Rivlin US 10,121,100.
As per claims 1, 9, 15. Maida teaches A method by one or more electronic devices for identifying and classifying community attacks, the method comprising: determining, for each of a plurality of enterprise networks, one or more incidents occurring in that enterprise network based on analyzing security alerts generated by a web application layer attack detector used to protect a web application hosted in that enterprise network, wherein each incident represents a group of security alerts that have been determined as being associated with the same security event; grouping incidents occurring across the plurality of enterprise networks into groups of incidents, wherein incidents that are determined as having similar features are grouped into the same group of incidents; (Column 3 lines 40-62) (Column 8 line 51 to Column 9 line 10) (Column 11 line 25 to Column 12 line 16) (teaches, for a plurality of enterprise networks, generating and analyzing security alerts at an application layer, where grouping events of a plurality of enterprises and third-party information sources results in determination of attacks based on similar features and clustering algorithms)

Rivlin teaches  classifying each of one or more of the groups of incidents as being an industry-based attack or a spray-and-pray attack based on industry classifications of incidents within that group of incidents, wherein an industry-based attack is an attack that targets a single industry, and wherein a spray-and-pray attack is an attack that targets multiple industries. (Column 1 lines 34-60; Column 2 lines 34-60; Column 4 lines 18-63)  (Determining if an attack is a commodity spray and pray attack or a targeted industry premium attack)

As per claims 2, 10, 16. Maida teaches The method of claim 1, further comprising: causing a result of the classifying to be displayed by a management console. (Column 9 line 65 to Column 10 line 12) (displaying graph)

As per claims 3, 11, 17. Maida teaches The method of claim 1, wherein the grouping is performed using a clustering-based grouping algorithm. (Column 9 lines 1-5) (clustering algorithm)

As per claims 4, 12, 18. Maida teaches The method of claim 3, wherein the clustering-based grouping algorithm uses a distance function to measure similarity of one or more features between incidents. (Column 9 lines 1-5) (distance)

As per claims 5, 13, 19. Maida teaches The method of claim 4, wherein the one or more features include one or more of: an origin of an incident, a tool used to cause an incident, a type of attack associated with an incident, a target of an incident, and timing of an incident. (Column 12 line 50 to Column 14 line 45; Table 1) (timing, targets, origin)

As per claim 6. Rivlin teaches The method of claim 3, further comprising: classifying a particular group of incidents from the groups of incidents as being a targeted attack in response to a determination that the particular group of incidents is not classified as being an industry-based attack or spray-and-pray attack. (Column 7 lines 20-39) (teaches determining a targeted 
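The pipeline the rejected claims describe (a distance function over incident features, clustering-based grouping across enterprise networks, then labelling each group industry-based, spray-and-pray, or targeted) is illustrated below as an added example; it is not code from the application or from the Maida or Rivlin patents. The mismatch-count distance, the single-linkage threshold of 1.5, the rule that a community attack must span at least two enterprise networks (with anything else falling to "targeted", per claim 6), and the sample incidents are all assumptions made for the illustration.

```python
from collections import namedtuple
from itertools import combinations

# Feature vector per incident: the enterprise network it came from, that enterprise's
# industry classification, and the origin/tool/attack-type/target/timing features.
Incident = namedtuple("Incident", "network industry origin tool attack_type target hour")

def distance(a, b):
    """Mismatch count over the categorical features plus a 0..1 circular hour-of-day gap."""
    d = sum(x != y for x, y in ((a.origin, b.origin), (a.tool, b.tool),
                                (a.attack_type, b.attack_type), (a.target, b.target)))
    gap = abs(a.hour - b.hour)
    return d + min(gap, 24 - gap) / 12

def group_incidents(incidents, threshold=1.5):
    """Single-linkage clustering: any two incidents within `threshold` share a group."""
    parent = list(range(len(incidents)))  # union-find over incident indexes

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(incidents)), 2):
        if distance(incidents[i], incidents[j]) <= threshold:
            parent[find(i)] = find(j)
    groups = {}
    for i, inc in enumerate(incidents):
        groups.setdefault(find(i), []).append(inc)
    return list(groups.values())

def classify_group(group):
    """Assumption: a community attack must span 2+ networks; anything else is 'targeted'."""
    if len({i.network for i in group}) < 2:
        return "targeted"
    return "industry-based" if len({i.industry for i in group}) == 1 else "spray-and-pray"

def classify_community_attacks(incidents):
    # (label, sorted member networks) per group, sorted for deterministic output
    return sorted((classify_group(g), sorted(i.network for i in g))
                  for g in group_incidents(incidents))

# Constructed sample incidents (documentation IP ranges); not data from the cited patents.
SAMPLE = [
    Incident("bank-a", "finance", "203.0.113.5", "scanner-x", "sqli", "/login", 2),
    Incident("bank-b", "finance", "203.0.113.5", "scanner-x", "sqli", "/login", 3),
    Incident("shop-c", "retail", "198.51.100.7", "scanner-y", "recon", "/", 10),
    Incident("clinic-d", "health", "198.51.100.7", "scanner-y", "recon", "/", 11),
    Incident("firm-e", "legal", "192.0.2.9", "custom", "upload-abuse", "/api/upload", 20),
]
```

With the sample data the two finance incidents form an industry-based group, the retail/health pair sharing one origin and tool form a spray-and-pray group, and the lone incident is labelled targeted.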
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham, can be reached on (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439