DETAILED ACTION
1.	This office action is in response to the communication filed on 01/03/2022.
2.	Claims 1-15 are pending.  

Notice of Pre-AIA or AIA Status
3.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

4.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Priority
5.	Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119(a)-(d).  The certified copy has been filed in parent Application No. CN201710188038.X, filed on 03/27/2017. 


Claim Objections
6.	Claim(s) 1, 8 and 15 is/are objected to because of the following informalities:

Appropriate correction(s) is/are required.

Response to Arguments
7.	Applicant’s arguments filed on 01/03/2022 have been fully considered, but are moot in view of the new grounds of rejections.  

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


8.	Claim(s) 1-15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Singh (US 20170223046 A1) in view of Merza (US 20170223030 A1).
Regarding claims 1, 8 and 15:
Singh discloses a method of preventing an Advanced Persistent Threat (APT) attack, comprising: 
obtaining communication data in a network (see paras. 105-107 where activity and/or events (i.e. communication data) in a network are monitored and captured); 
performing association analysis for the communication data (see para. 107); 
obtaining threat data from the communication data based on an association analysis result (see para. 107 where indicators/threat indicators (i.e. threat data) are produced based on analysis/examination); 
mapping each piece of the obtained threat data to a corresponding APT attack phase of a plurality of APT attack phases based on a kill chain model, [wherein the plurality of APT attack phases are a plurality of detectable phases obtained by dividing a process of the APT attack in advance based on the kill chain] (see paras. 108, 110 where the threat indicators are used to identify vulnerabilities in a network, defend and/or thwart an attack; see fig. 1 and paras. 11, 91, 102, 628 where a network threat detection and analysis system uses a multiphase threat analysis and correlation to receive incident data, detect a threat, determine vulnerabilities, and thwart an attack. In other words, the indicators are mapped to a phase (i.e. a corresponding APT attack phase) of a multiphase threat analysis and correlation (i.e. a plurality of APT attack phases) based on a network threat detection and analysis system (i.e. a kill chain model) to identify vulnerabilities in a network and/or defend/thwart an attack); and 
performing, for each piece of the threat data, prevention for a network entity associated with the piece of the threat data based on prevention strategies corresponding to the plurality of APT attack phases (see paras. 11, 91, 102, 628 where a multiphase threat analysis and correlation receives incident data, detects a threat, determines vulnerabilities, and thwarts an attack; see para. 76 where an attacker .
Singh does not, but Merza discloses:
wherein the plurality of APT attack phases are a plurality of detectable phases obtained by dividing a process of the APT attack in advance based on the kill chain (see Merza, paras. 237-239, where an attack chain security model (i.e., kill chain model) is used to define a plurality of transaction phases (i.e., APT attack phases) of a cyber-attack, e.g., computer security transaction, (i.e., APT attack), wherein the plurality of transaction phases indicative of a progressive cyber-attack, and wherein a transaction phase is correlated to at least one event of a plurality of events related to a data source for detecting the occurrence of a cyber-attack).
It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Singh's invention by enhancing it for the plurality of APT attack phases are a plurality of detectable phases obtained by dividing a process of the APT attack in advance based on the kill chain, as taught by Merza, in order to define a plurality of transaction phases of a cyber-attack based on an attack chain security model for detecting the occurrence of a cyber-attack (Merza, paras. 237-239).

Regarding claims 2 and 9:
Singh discloses wherein the plurality of APT attack phases (see para. 11 for a multiphase threat analysis and correlation. Note: in addition, see Merza, paras. 237-239) comprise: 
an environment sensing phase, in which a loophole used by an attacker in the network is detected (see para. 76 where an attacker interacts or engages with a system in the network to steal information or do harm to the network; see para. 110 where a vulnerability (i.e. loophole used by an attacker) in a network is found to be associated with an attack); 
a survey and sniffing phase, in which the attacker detects the loophole on an attacked object (see para. 76 where an attacker interacts or engages with a system in the network to steal information or do harm to the network; see para. 108 where a computing system, which is vulnerable, has been exposed to an attack. In other words, an attacker detects a vulnerability (i.e. loophole) on a computing system (i.e. an attacked object)); 
a directional attacking phase, in which the attacker launches an attack onto the attacked object (see para. 76 where an attacker interacts or engages with a system in the network to steal information or do harm to the network; see para. 108 where a computer/computing system, which is vulnerable, has been exposed to an attack. In other words, an attacker launches an attack onto a computer/computing system (i.e. attacked object)); 
a tool installing phase, in which the attacker implants an attack tool into the attacked object through the loophole on the attacked object (see para. 86 where an attack tool is delivered to a computer (i.e. attacked object) to be used by a malicious actor/attacker; see para. 108 where a computer/computing system, which is vulnerable, has been exposed to an attack); and 
a suspicious activity phase, in which the attacker controls the attacked object to obtain data in the network or perform sabotage activities (see para. 76 where an attacker interacts or engages with systems in the network to steal information or do harm to the network; see para. 108 where a computer/computing system has been exposed to an attack).

Regarding claims 3 and 10:
Singh discloses:
wherein the communication data comprises at least one of: an event, a flow, threat intelligence and loophole data (see para. 107 for network activity and/or events; see para. 380 where network activity includes network traffic); 
the event comprises at least one of: a security event, an operating system event, a database event, an application event and an authentication event (see para. 107 for a malicious event (i.e. a security event) during an attack); and 
the flow comprises at least one of: an original flow associated with the attack, and a flow log for recording a communication activity for network access (see paras. 78 and/or 277 for network traffic (i.e. an original flow) related to an attack).

Regarding claims 4 and 11:
Singh discloses wherein the prevention strategies (see paras. 11, 91, 102, 628 where a multiphase threat analysis and correlation receives incident data, detects a threat, determines vulnerabilities, and thwarts an attack) comprise: 
when a first piece of the threat data is mapped to the environment sensing phase, a network entity with the loophole is determined based on the first piece of the threat data, and at least one of a patching operation, an operation for removing unsafe configuration and an operation for killing virus is performed for the determined network entity (see para. 76 where an attacker interacts or engages with a system in the network to steal information or do harm to the network (i.e., an attacker’s entity/device as a network entity connecting to a network); see paras. 107-108 where network activity and/or events are analyzed for identifying an attack, wherein computing systems, that are exposed or vulnerable (i.e. loophole) to the attack, are repaired (i.e. patching operation)); 
when a second piece of the threat data is mapped to the survey and sniffing phase, a set Access Control List (ACL) or a set security strategy is distributed to a Fire Wall (FW) and an Invasion Prevention System (IPS), and an Internet Protocol (IP) address of the attacker associated with the second piece of the threat data is added into respective blacklists of a control node associated with the second piece of the threat data (see para. 624 where security tools are updated to identify malware that is not known malicious IP addresses or websites that should be blocked (i.e. a set security strategy is updated and malicious IP addresses ; 
when a third piece of the threat data is mapped to the directional attacking phase, the set ACL or the set security strategy is distributed to the FW and the IPS, an AAA server and a server associated with the third piece of the threat data are reinforced, and an IP address of the attacker associated with the third piece of the threat data is added into respective blacklists of a control node associated with the third piece of the threat data (see para. 624 where security tools are updated to identify malware that is not known malicious IP addresses or websites that should be blocked (i.e. a set security strategy is updated and malicious IP addresses that are not known are added) by the security tool(s) (i.e. control node); see paras. 75, 77 where security devices/tools include a firewall and an intrusion detection/protection system; see para. 405 where black lists include IP addresses associated with malicious websites; see para. 142 where a server (i.e., AAA server) provides authentication; see para. 185 where the authenticity of network devices is improved (i.e. reinforced); see para. 89 where a system (i.e. a server) for classifying and/or filtering emails is improved); 
when a fourth piece of the threat data is mapped to the tool installing phase, the set ACL or the set security strategy is distributed to the FW and the IPS, an AAA server and a server associated with the fourth piece of the threat data are reinforced, a Web Application Firewall (WAF) strategy is distributed to a WAF device, and an IP address of the attacker associated with the fourth piece of the threat data is added into respective blacklists of a control node associated with the fourth piece of the threat data (see para. 624 where security tools are updated to identify malware that is not known malicious IP addresses or websites that should be blocked (i.e. a set security strategy and a WAF strategy are updated, distributed, and malicious IP addresses that are not known are added) by the security tool(s) (i.e. control node); see paras. 75, 77 where security devices/tools include a firewall (i.e. a firewall device) and an intrusion detection/protection system; see para. 405 where black lists include IP addresses associated with malicious websites; see para. 142 where a server (i.e., AAA server) provides authentication; see para. 185 where the authenticity of network devices is improved (i.e. reinforced); see para. 89 where a system (i.e. a server) for classifying and/or filtering emails is improved); and 
when a fifth piece of the threat data is mapped to the suspicious activity phase, the set ACL or the set security strategy is distributed to the FW and the IPS, an AAA server and a server associated with the fifth piece of the threat data are reinforced, and an IP address of the attacker associated with the fifth piece of the threat data is added into respective blacklists of a control node associated with the fifth piece of the threat data (see para. 624 where security tools are updated to identify malware that is not known malicious IP addresses or websites that should be blocked (i.e. a set security strategy is updated and malicious IP addresses that is not known are added) by the security tool(s) (i.e. control node); see paras. 75, 77 where security devices/tools include a firewall and an intrusion detection/protection system; see para. 405 where black lists include IP addresses associated with malicious website; see para. 142 where a server (i.e., AAA server) provides authentication; see para. 185 .

Regarding claims 5 and 12:
Singh discloses for each piece of the threat data mapped to the survey and sniffing phase, the directional attacking phase, the tool installing phase or the suspicious activity phase, 
determining a suspicious IP address associated with the piece of the threat data (see para. 78 for a known IP address associated with a denial of service (DoS) attack. In other words, an IP address (i.e. a suspicious IP address) associated with a DoS attack is determined); 
searching for events and flow logs associated with the suspicious IP address in the communication data (see para. 78 where network traffic (i.e. flow logs) corresponding to a denial of service (DoS) attack from a known Internet Protocol (IP) address is identified; see para. 279 for events associated with IP addresses of malicious sites); and 
presenting the events and the flow logs searched out in time sequence (see fig. 38 and paras. 608-609 for displaying report(s) (e.g. current, next and/or previous reports) that includes time stamp(s); see paras. 11, 428 where a report provides information about a sequence of events and malicious activity/traffic related to an attack).
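A constructed illustration of the claimed method as recited in claims 1, 2, 4 and 5 (added here for reference; this is not code from the application, Singh or Merza): each piece of threat data is mapped to one of the five kill-chain phases, the phase selects the prevention steps of claim 4, and for a suspicious IP the events and flow logs are presented in time sequence. The indicator kinds, their phase assignment and the sample log records are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed kill-chain model: the five phases recited in claims 2 and 9, in
# attack order. The indicator kinds and their phase assignment are assumptions.
INDICATOR_PHASE = {
    "vulnerability_found": "environment_sensing",
    "port_scan":           "survey_and_sniffing",
    "exploit_attempt":     "directional_attacking",
    "malware_dropped":     "tool_installing",
    "c2_beacon":           "suspicious_activity",
}

@dataclass
class ThreatDatum:
    kind: str                          # indicator kind from association analysis
    entity: str                        # network entity the indicator concerns
    attacker_ip: Optional[str] = None  # attacker address, if the indicator has one

def map_to_phase(datum: ThreatDatum) -> str:
    """Claim 1: map one piece of threat data to a phase of the kill-chain model."""
    return INDICATOR_PHASE[datum.kind]

def prevention_actions(datum: ThreatDatum) -> List[Tuple[str, str]]:
    """Claim 4: prevention steps chosen from the phase the datum mapped to."""
    phase = map_to_phase(datum)
    if phase == "environment_sensing":
        # A host with a loophole is repaired rather than blocked.
        return [("patch", datum.entity), ("remove_unsafe_config", datum.entity),
                ("kill_virus", datum.entity)]
    actions = [("distribute_acl", "FW"), ("distribute_acl", "IPS")]
    if phase != "survey_and_sniffing":           # phases 3, 4 and 5
        actions += [("reinforce", "AAA"), ("reinforce", datum.entity)]
    if phase == "tool_installing":
        actions.append(("distribute_waf_strategy", "WAF"))
    actions.append(("blacklist", datum.attacker_ip))  # blacklist on the control node
    return actions

# Constructed events and flow logs (claim 5), deliberately out of time order.
SAMPLE_LOGS = [
    {"t": 1700000300, "type": "flow",  "ip": "203.0.113.9",  "msg": "tcp/445 out"},
    {"t": 1700000100, "type": "event", "ip": "203.0.113.9",  "msg": "auth failure"},
    {"t": 1700000200, "type": "event", "ip": "198.51.100.4", "msg": "db login"},
    {"t": 1700000250, "type": "flow",  "ip": "203.0.113.9",  "msg": "tcp/22 in"},
]

def timeline_for(ip: str, records=SAMPLE_LOGS) -> List[dict]:
    """Claim 5: events and flow logs for a suspicious IP, presented in time sequence."""
    return sorted((r for r in records if r["ip"] == ip), key=lambda r: r["t"])

if __name__ == "__main__":
    d = ThreatDatum("malware_dropped", "web01", "203.0.113.9")
    print(map_to_phase(d), prevention_actions(d), timeline_for(d.attacker_ip))
```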

Regarding claims 6 and 13:

performing at least one of analyses as follows to evaluate network risk and generate a security warning, an event relationship analysis, to associate a plurality of events having different event types and respectively associated with attacked objects with a same IP address, and search for events associated with a same IP address, a same domain name or a same Uniform Resource Locator (URL) based on IP addresses, domain names and URLs recorded in the threat intelligence; data digging and analysis for APT attack phase, to perform respective analysis for pieces of the threat data mapped to a same APT attack phase; host dimension analysis, to perform statistical analysis and trend analysis for operating system events in the communication data; application dimension analysis, to perform statistical analysis and trend analysis for application events in the communication data; and database dimension analysis, to perform statistical analysis and trend analysis for database events in the communication data (see paras. 80-81 for static analysis of suspect network traffic (e.g., opening files) in a high-interaction network; see para. 390 where an analysis engine produces indicators describing the source of network packets associated with malicious activities, e.g. downloading malicious content and/or uploading files that should not have left the customer network; see para. 403 where the packets have the same source; see para. 584 where packets in a high-interaction network are analyzed to detect a DNS attack or packets making repeated login attempts).

Regarding claims 7 and 14:

wherein the control node comprises at least one of a FireWall (FW), an AAA server, a Windows server and a Linux server (see paras. 75, 77 where a security device/tool include a firewall).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HUAN V. DOAN whose telephone number is 571-272-3809. The examiner can normally be reached on Monday – Thursday, 9:00am – 5:00pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KRISTINE KINCAID, can be reached on 571-272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HUAN V DOAN/Primary Examiner, Art Unit 2437