DETAILED ACTION
In replay to applicant communications filed on May 17, 2020 and telephonic interview made on January 28, 2022, claims 35-36, 38-52, and 54 have been amended. 

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claims 1-34, 37 and 53 have been cancelled.
Claims 35-6, 38-52 and 54 are pending. 

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with applicant representative, Jarmo Kemppainen (Reg. No. 77,569). 

Please replace the claim set filed on May 17, 2020 with the following claims:

1-34.  (Previously canceled) 
35.   (Currently amended) An apparatus comprising
at least one processor; and
at least one memory including computer program code for one or more programs, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to perform at least the following:

generate a second interface for allowing the one or more of tenants to configure the event correlation as a Service (CORRaaS), and
                correlate and process one or more security events from the virtualized security functions in the one or more of tenants’ slices to form processed security event data, and to detect or predict attacks or anomalies or incompliance with security requirements; 
determine a third interface to transfer the processed security event data and/or log data and/or raw data to the one or more of the tenants’ security management systems and/or to a  one or more of cloud service providers’ security management systems;
determine a fourth interface towards a cloud manager of the cloud service provider to cause the cloud manager to mitigate the detected or predicted attacks or anomalies or incompliance with the security requirements; 
wherein the cloud manager is a 5G cloud manager;
wherein the fourth interface is further configured to receive incident and log data in the one or more of tenant’s slices and/or clouds, and/or in a one or more of providers’ clouds from the 5G cloud manager; and
wherein the memory and computer program code are further configured to, with the processor, cause the apparatus to correlate and process the one or more security events from the virtualized security functions, and the incident and log data from the 5G cloud manager to form the processed security event data, and to detect or predict attacks or anomalies or incompliance with the security requirements.
36.   (Previously presented) The apparatus of claim 35, wherein the memory and computer program code are further configured to, with the processor, cause the apparatus to provide the even correlation as a Service (CORRaaS) to the one or more of the tenants as a managed service.
37.   (Canceled) 

wherein the memory and computer program code are further configured to, with the processor, cause the apparatus to correlate and process the one or more security events from the virtualized security functions, and the processed or raw event data or log data from the tenants’ security management systems and/or from the one or more of cloud service providers’ security management systems to form the processed security event data, and to detect or predict attacks or anomalies or incompliance with the security requirements.
39.   (Previously presented) The apparatus of claim 35 wherein the second interface is further configured to allow the one or more of tenants to configure the event correlation as a service by defining correlation rules and mitigation strategies for the one or more of tenants’ slices, and/or to re-configure the event correlation as a service by updating correlation rules and mitigation strategies for the one or more of tenants’ slices during run-time.
40.   (Previously presented) The apparatus of claim 35, wherein the memory and computer program code are further configured to, with the processor, cause the apparatus to, at least one of correlate and combine related one or more security events, reduce false positives and duplicated security events, and filter out privacy or sensitive information of the one or more tenants and/or the one or more cloud service providers to form the processed security event data.
41.   (Previously presented) The apparatus of claim 35, wherein the fourth interface is further configured to cause the cloud manager to adjust resources in the one or more of tenants’ slices during run-time of a service in order to mitigate the detected attacks or anomalies or incompliance with the security requirements.
42.   (Previously presented) The apparatus of claim 35, further comprising:
determine a first interface to configure the virtualized security functions in the one or more of tenants’ slices, and for reconfiguring the virtualized security functions in the one or more of tenants’ slices during 
43.   (Previously presented) The apparatus of claim 42, wherein the configuring of the virtualized security functions is further caused to configure correlation rules and/or mitigation strategies, and
wherein the reconfiguring of the security functions is further caused to reconfigure the correlation rules and/or mitigation strategies.
44.   (Previously presented) The apparatus of claim 42, wherein the memory and computer program code are further configured to, with the processor, cause the apparatus: 
predict impact from deployment and/or configuration and/or reconfiguration of the virtualized security functions on performance requirements from the one or more of the tenants, and
guarantee the performance requirements from the one or more of tenants by configuring or reconfiguring the virtualized security functions through the first interface and/or configuring or reconfiguring the correlation as a Service (CORRaaS) through the second interface to avoid incompliance with the performance requirements.
45.   (Previously presented) The apparatus of claim 42, further comprising a fifth interface towards a SLA manager configured to receive security related Service Level Agreements (SLAs);
wherein the memory and computer program code are further configured to, with the processor, cause the apparatus to:
   monitor enforcements of the security related Service Level Agreements for services provided to the one or more of tenants,  
detect or predict a possible security related Service Level Agreement violation for a service provided to a tenant of the plurality of tenants, and
mitigate the possible security related Service Level Agreement violation by initiating configuration or reconfiguration of the virtualized security functions through the first interface and/or configuration or reconfiguration of the correlation as a Service (CORRaaS) through the second interface, and/or by sending 
46.   (Previously presented) The apparatus of claim 45, wherein the first interface is further configured to configure or re-configure the virtualized security functions based on the security related Service Level Agreements; and/or
wherein the memory and computer program code are further configured to, with the processor, cause the apparatus to provide the correlation as a Service (CORRaaS) to the one or  more of tenants based on the security related Service Level Agreements; and/or
wherein the third interface is further configured to cause to transferthe processed security event data and/or log data and/or raw data to the one or more of tenants’ security management systems and/or to the one or more of cloud service providers’ security management systems based on the security related Service Level Agreements.
47.  (Previously presented) The apparatus of claim 45, wherein the fifth interface is further caused to receive performance related Service Level Agreements from the SLA manager, and 
wherein the memory and computer program code are further configured to, with the processor, cause the apparatus to:
predict impact from the deployment and/or re-deployment and/or configuration and/or reconfiguration of the virtualized security functions on performance requirements from the one or more of tenants, and 
guarantee the performance requirements from the one or more of tenants based on the performance related Service Level Agreements by initiating configuration or reconfiguration of the virtualized security functions through the first interface and/or configuration or reconfiguration of the correlation as a Service (CORRaaS) through the second interface to avoid possible Service Level Agreement violations, and/or by sending information about possible Service Level Agreement violations to the SLA manager through the fifth interface.
48.   (Previously presented) The apparatus of claim 47, 

wherein the memory and computer program code are further configured to, with the processor, cause the apparatus to provide the correlation as a Service (CORRaaS) to the one or more of tenants based on the performance related Service Level Agreements.
49.   (Previously presented) The apparatus of claim 35, further comprising a sixth interface caused to allowe an administrator to deploy and configure the virtualized security functions, and/or to specify rules and settings for the collection, correlation, detection and/or mitigation, and/or security requirements.
50.   (New) The apparatus of claim 35, wherein the tenants’ security management systems are instances of the apparatus installed on the tenants as cloud service providers.
51.   (Previously presented) The apparatus of claim 35, wherein the first layer cloud service provider is an IaaS/PaaS cloud service provider, and the second layer cloud service provider is an SaaS cloud service provider, or wherein the first layer cloud service provider is a SaaS cloud service provider as a tenant of an IaaS/PaaS cloud service provider and offering network slices, and the second layer cloud service provider is a vertical business provider operating a network slice.
52.   (Currently amended) A method for security management based on event correlation in a distributed multi-layered cloud environment, the method comprising:
providing correlation as a Service (CORRaaS) to one or more of tenants as virtualized security appliances or virtualized security functions for the one or more of tenants’ slices, and allowing the one or more of tenants to configure the correlation as a Service (CORRaaS);  
correlating and processing security events from the virtualized security functions in the one or more of tenants’ slices to form processed security event data, and to detect or predict attacks or anomalies or incompliance with security requirements; 
transferring the processed security event data and/or log data and/or raw data to the tenants’ security management systems and/or to cloud service providers’ security management systems respectively; 
; 
wherein the cloud manager is a 5G cloud manager, the method further comprising:
receiving incident and log data in the plurality of tenant’s slices and/or clouds, and/or in a plurality of providers’ clouds from the 5G cloud manager; and
wherein the correlating and processing comprises: 
correlating and processing the security events from the security functions, and the incident and log data from the 5G cloud manager to form the processed security event data, and to detect or predict attacks or anomalies or incompliance with security requirements.
53.   (Canceled) 
54.   (Currently amended) A non-transitory computer readable medium having stored thereon a set of computer readable instructions that, when executed by at least one processor, cause an apparatus to: provide correlation as a Service (CORRaaS) to one or more of tenants as virtualized security appliances or virtualized security functions for the one or more of tenants’ slices, 
generate a second interface for allowing the one or more of tenants to configure the correlation as a Service (CORRaaS), and
                correlate and process security events from the virtualized security functions in the one or more of tenants’ slices to form processed security event data, and to detect or predict attacks or anomalies or incompliance with security requirements; 
generate a third interface for transferring the processed security event data and/or log data and/or raw data to the plurality of tenants’ security management systems and/or to a plurality of cloud service providers’ security management systems; 
generate a fourth interface towards a cloud manager of the cloud service provider for causing the cloud manager to mitigate the detected or predicted attacks or anomalies or incompliance with security requirements; 
wherein the cloud manager is a 5G cloud manager;
wherein the fourth interface is further configured to receive incident and log data in the one or more of tenant’s slices and/or clouds, and/or in a one or more of providers’ clouds from the 5G cloud manager; and
wherein the memory and computer program code are further configured to, with the processor, cause the apparatus to correlate and process the one or more security events from the virtualized security functions, and the incident and log data from the 5G cloud manager to form the processed security event data, and to detect or predict attacks or anomalies or incompliance with the security requirements.

Allowable Subject Matter
Claims 35-36, 38-52, and 54 are allowed. The following is an examiner’s statement of reasons for allowance: 
	The primary reason for allowance of claims 35, 52, and 54 is the combined limitations of providing correlation as a Service (CORRaaS) to one or more of tenants as virtualized security appliances or virtualized security functions for the one or more of tenants’ slices, and allowing the one or more of tenants to configure the correlation as a Service (CORRaaS); correlating and processing security events from the virtualized security functions in the one or more of tenants’ slices to form processed security event data, and to detect or predict attacks or anomalies or incompliance with security requirements; transferring the processed security event data and/or log data and/or raw data to the tenants’ security management systems and/or to cloud service providers’ security management systems respectively; causing a cloud manager of the cloud service provider to mitigate the detected or predicted attacks or anomalies or incompliance with security requirements; wherein the cloud manager is a 5G cloud manager, the method further comprising: receiving incident and log data in the plurality of tenant’s slices and/or clouds, and/or in a plurality of providers’ clouds from the 5G cloud manager; and wherein the correlating and processing comprises: correlating and processing the security events from the security functions, and the incident and log data from the 5G cloud manager to form the processed security event data, and to detect or predict attacks or anomalies or incompliance with security requirements.




Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TESHOME HAILU whose telephone number is (571)270-3159. The examiner can normally be reached M-F 8 a.m. - 5 p.m..
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571) 272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance 



/TESHOME HAILU/Primary Examiner, Art Unit 2434