The Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
EXAMINER'S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner’s amendment was given in an interview with Attorney Eugen Rosenthal on 12/22/2021.

The application has been amended as follows: 

4. (Currently Amended) A method for detecting security threats associated with at least one client network, the method for use in a system, said system comprising:
at least one network entity associated with said at least one client network and configured to enable outbound communication via a communication network;
at least one asset configured to communicate with one of a plurality of hosts via said communication network;
and at least one log-analytic detection platform configured to analyze a plurality of log files associated with a plurality of channels, each said plurality of channels connecting an asset with a host, and further configured to determine a risk factor at least based on said outbound communications log for at least one entity, each of said plurality of channels being characterized by a channel identification pair comprising said asset and said host, said method for operating said at least one log-analytics detection platform comprising:

extracting a channel feature set for each of said plurality of channels from said plurality of log files, said channel feature set comprises data pertaining to at least one associated entity, at least one channel feature being behavior of communication over a channel;
aggregating said channel associated features for each of said plurality of channels into at least one data repository; 
generating said risk factor for said least one entity associated with entities of said plurality of channels, said risk factor characterized by an entity score; and
blocking of communication for said at least one entity when said risk factor is indicative of said at least one entity being a security threat;
wherein the step of aggregating, comprises:
retrieving, from said at least one data repository, a stored channel and an associated stored channel feature set identified by said channel identification pair;
joining the channel feature set with the stored channel feature set matched by said entity identification pair;
computing features for at least one entity associated with the stored channel; and
storing the joined channel feature set into said at least one data repository; and
wherein the step of computing further comprises:
grouping a set of channels matched by the associated host; and
computing the features of the associated host by joining the feature associated with each channel which is associated with the host.
7. (Canceled)

16. (Currently Amended) A method for detecting security threats associated with at least one client network, the method for use in a system, said system comprising: 
at least one network entity associated with said at least one client network and configured to enable outbound communication via a communication network; 
at least one asset associated with said at least one client network and configured to communicate with at least one of a plurality of hosts via said communication network; and 
at least one log-analytic detection platform configured to analyze a plurality of log files, said plurality of log files including at least one outbound communications log, and further determine a risk factor that is based at least on said outbound communications log and is associated with at least one super-channel, said at least one super-channel is characterized by a super-channel feature set, at least one super-channel feature being behavior of communication over a super-channel, said at least one super-channel comprises: 
a set of channels, each said channel connecting an asset with a host, wherein said at least one host associated with a host-group, and wherein each said channel being characterized by a characteristics vector and a channel identification pair, said method for operating said at least one log-analytics detection platform comprising: 
obtaining said plurality of log files from said at least one client network, each of said plurality of log files comprising a plurality of communication records; 
identifying said at least one super-channel, wherein the set of channels associated with said at least one super-channel are determined by a shared similarity; 
extracting the super-channel feature set for said at least one super-channel; 
aggregating the super-channel feature set for said at least one super-channel into at least one data repository; 
generating said risk factor for said at least one entity associated with entities of said at least one super-channel, said risk factor characterized by an entity score; and 

wherein the step of aggregating, comprises: 
retrieving, from said at least one data repository, a stored super-channel and an associated stored super-channel feature set matching at least one of said set of channels associated with said at least one super-channel, wherein said matching comprises an identical asset and a common host or a similarity in characteristics of the associated channels; 
joining the host-group associated with the at least one super-channel into the host-group associated with the stored super-channel; 
joining the super-channel feature set associated with the at least one super-channel into the stored super-channel feature set; 
computing features for at least one entity associated with the stored super-channel; and 
storing the joined super-channel feature set for the stored super-channel of into said at least one data repository;
wherein the step of computing, comprises: 
joining host-groups having at least one common host and updating the associated channels to relate to the joined host-group; 
grouping a set of super-channels associated with the same host-group; and 
computing the associated features of the host-group by joining the feature values associated with each super-channel associated with the host-group;
wherein the step of computing, comprises: 
joining host-groups having at least one common host and updating the associated channels to relate to the joined host-group; grouping a set of super-channels associated with the same host-group; and computing the associated features of the host-group by joining the feature values associated with each super-channel associated with the host-group.
19. (Canceled)

26. (New) A method for detecting security threats associated with at least one client network, the method for use in a system, said system comprising:
at least one network entity associated with said at least one client network and configured to enable outbound communication via a communication network;
at least one asset configured to communicate with one of a plurality of hosts via said communication network;
and at least one log-analytic detection platform configured to analyze a plurality of log files associated with a plurality of channels, each said plurality of channels connecting an asset with a host, and further configured to determine a risk factor at least based on said outbound communications log for at least one entity, each of said plurality of channels being characterized by a channel identification pair comprising said asset and said host, said method for operating said at least one log-analytics detection platform comprising:
obtaining, via said communication network, said plurality of log files from said at least one client network, each of said plurality of log files comprising at least one log record associated with at least one channel, said plurality of log files including at least one outbound communications log;
extracting a channel feature set for each of said plurality of channels from said plurality of log files, said channel feature set comprises data pertaining to at least one associated entity, at least one channel feature being information regarding one of a domain or internet protocol (IP) address of a host;
aggregating said channel associated features for each of said plurality of channels into at least one data repository; 
generating said risk factor for said least one entity associated with entities of said plurality of channels, said risk factor characterized by an entity score; and

wherein the step of aggregating, comprises:
retrieving, from said at least one data repository, a stored channel and an associated stored channel feature set identified by said channel identification pair;
joining the channel feature set with the stored channel feature set matched by said entity identification pair;
computing features for at least one entity associated with the stored channel; and
storing the joined channel feature set into said at least one data repository; and
wherein the step of computing further comprises:
grouping a set of channels matched by the associated host; and
computing the features of the associated host by joining the feature associated with each channel which is associated with the host.
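The channel extraction, aggregation, host-level computation and risk-factor generation recited in claims 4 and 26, as an added worked example. It is not part of this Office action or of the applicant's disclosure; the log records, feature names, score weights and blocking threshold are constructed assumptions chosen only to exercise each step.

```python
import re
from collections import defaultdict
# Constructed outbound proxy records (not from the application): (asset, host, hour, bytes_out).
LOG = [
    ("ws-01", "updates.example.com", 9, 1200), ("ws-02", "updates.example.com", 9, 1100),
    ("ws-03", "updates.example.com", 10, 1300), ("ws-01", "203.0.113.7", 2, 4000),
    ("ws-01", "203.0.113.7", 3, 4100), ("ws-01", "203.0.113.7", 4, 4050),
]
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def extract_channel_features(records):
    """One feature set per channel, keyed by the (asset, host) identification pair."""
    feats = {}
    for asset, host, hour, nbytes in records:
        f = feats.setdefault((asset, host), {"count": 0, "bytes": 0, "hours": set(),
                                              "host_is_ip": bool(IP_RE.match(host))})
        f["count"] += 1
        f["bytes"] += nbytes
        f["hours"].add(hour)
    return feats

def join_feature_sets(stored, new):
    """Join a newly extracted feature set into the stored set of the same channel."""
    return {"count": stored["count"] + new["count"], "bytes": stored["bytes"] + new["bytes"],
            "hours": stored["hours"] | new["hours"], "host_is_ip": new["host_is_ip"]}

def aggregate(repo, feats):
    """Retrieve the stored channel by identification pair, join, and store back."""
    for pair, f in feats.items():
        repo[pair] = join_feature_sets(repo[pair], f) if pair in repo else f
    return repo

def host_features(repo):
    """Group channels by host and join their features into host-level features."""
    hosts = defaultdict(lambda: {"assets": set(), "bytes": 0})
    for (asset, host), f in repo.items():
        hosts[host]["assets"].add(asset)
        hosts[host]["bytes"] += f["bytes"]
    return hosts

def entity_scores(repo, hosts):
    """Risk factor per asset (the entity): rare, IP-literal, off-hours hosts weigh most (illustrative)."""
    scores = defaultdict(float)
    for (asset, host), f in repo.items():
        rarity = 1.0 / len(hosts[host]["assets"])           # host contacted by few assets
        ip_lit = 1.0 if f["host_is_ip"] else 0.0
        off_hours = sum(1 for h in f["hours"] if h < 6) / len(f["hours"])
        scores[asset] += rarity * (1 + ip_lit + off_hours)
    return dict(scores)

def to_block(scores, threshold=2.0):
    """Entities whose risk factor reaches the threshold are selected for blocking."""
    return sorted(a for a, s in scores.items() if s >= threshold)
```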

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NEGA WOLDEMARIAM whose telephone number is (571)270-7478. The examiner can normally be reached Monday to Friday, 8am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu, can be reached on 571-272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/NEGA WOLDEMARIAM/Examiner, Art Unit 2433

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433