Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The following is a Final Office action in response to communications received on January 13, 2022. Claims 1-21 are pending and addressed below.

Examiner’s Note
Applicant’s amendments have caused new claim objection issues which are addressed herein below.

Response to Arguments
Applicant’s amendments are sufficient to overcome the Drawing objections set forth in the previous Office Action.
Applicant’s arguments regarding the 35 U.S.C. 103 rejections set forth in the previous Office Action have been fully considered but are moot in view of the new grounds of rejection. Applicant has amended the claims in such a way that the scope of the claims has been changed. Accordingly, a new rejection is being used to address the newly amended claim limitations.

Claim Objections
Claims 1, 3, 5, 8, 10 and 18 are objected to because of the following informalities:  
Claim 1 recites the phrase “the tactic processor” in line 12. It is suggested the phrase be amended to “the at least one tactic processor” for clarity and consistency. Claim 1 also recites the phrase “the tactics”. It is suggested the phrase be amended to “[[the]] tactics” for clarity since there are two different previously recited tactics.
Claim 3 recites the phrase “the data.” It is suggested the phrase be amended to “the received data” to differentiate from the other “data” newly recited in parent claim 1. Claim 18 is objected to for similar reasons to claim 3.
Claim 5 recites the phrase “the tactic processor”. It is suggested the phrase be amended to “the at least one tactic processor” for clarity and consistency.
Claim 8 recites the phrase “the tactic processor”. It is suggested the phrase be amended to “the at least one tactic processor” for clarity and consistency.
Claim 10 recites the phrase “the tactics”. It is suggested the phrase be amended to “[[the]] tactics” for clarity since there are two different previously recited tactics.
Appropriate correction is required.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-21 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Neumann (U.S. Patent No. 10,728,263).
As to claim 1, Neumann discloses a system for detection of security threats or malicious actions, comprising: 
one or more processors and at least one memory having stored therein a plurality of instructions that when executed by the one or more processors implement one or more components (col. 4 lines 21-41 and claim 1, Neumann teaches a processor and a memory storing instructions) configured to: 
receive data from one or more data producers (col. 8 lines 44-60 and Fig. 3A, Neumann teaches receiving log data from network devices); 
submit the data to a behavior processor (col. 21 lines 1-22 and Fig. 3A, Neumann teaches the log data is sent to a behavioral characteristics detection module); 
identify one or more behaviors from the data based on datum, features, and/or characteristics included therein using the behavior processor (col. 4 line 42 – col. 5 line 6, col. 21 lines 1-22, col. 21 line 49 – col. 22 line 8 and Fig. 3A, Neumann teaches detecting behavioral characteristics from the log data by the behavioral characteristics detection module, the behavioral characteristics comprising actions (behaviors)); 
provide the one or more identified behaviors to at least one tactic processor (col. 21 lines 1-22, col. 22 lines 9-64 and Fig. 3A, Neumann teaches providing the behavioral characteristics to a behavioral fragmentation determination module); 
identify one or more tactics based on a determination that the one or more identified behaviors relate to one or more tactics stored in a tactic data store using the tactic processor, wherein the tactics comprise a plurality of known behaviors ordered according to a selected relationship therebetween (col. 4 line 21 – col. 5 line 6, col. 11 lines 45-58, col. 12 lines 5-22, col. 15 lines 5-58, col. 21 lines 1-22, col. 22 lines 9-64, col. 25 lines 20-33 and Fig. 3A, Neumann teaches determining behavioral fragments at the behavioral fragmentation determination module, the behavioral fragments comprising sets of related behavioral characteristics. The behavioral fragments are determined using a correlation profile stored in a data source data repository (tactic data store)); 
submit the one or more identified tactics to a tactic classifier (col. 21 lines 1-22, col. 22 lines 9-64 and Fig. 3A, Neumann teaches providing the behavioral fragments to an attack identification module); and 
determine, using the tactic classifier, whether the one or more identified tactics are indicative of one or more security threats or malicious actions based (col. 15 lines 5-32, col. 21 lines 1-22, col. 22 lines 9-64, col. 25 lines 20-43 and Fig. 3A, Neumann teaches the attack identification module uses the behavioral fragments to determine an attack (malicious actions). Since the fragments (tactics) are based on characteristics (actions/behaviors), the attack identification is considered to be based on each of the tactics and behaviors.).
Claim 10 recites substantially similar subject matter to claim 1 and is therefore rejected for similar reasons to claim 1 above.
As to claim 2, Neumann discloses the system of claim 1, wherein the one or more components are further configured to generate an alert or alarm to notify a user of a security threat or malicious action if the one or more identified tactics are determined to be indicative of one or more security threats or malicious actions (col. 3 line 61 – col. 4 line 8 and col. 14 lines 22-33, Neumann teaches generating an alert.).
Claim 11 recites substantially similar subject matter to claim 2 and is therefore rejected for similar reasons to claim 2 above.
As to claim 3, Neumann discloses the system of claim 1, wherein the data includes a system log, user metadata, infrastructure data, or combinations thereof (col. 2 lines 20-42 and col. 4 line 42 – col. 5 line 6, Neumann teaches logs.).

As to claim 4, Neumann discloses the system of claim 1, wherein to identify the one or more behaviors, the behavior processor is configured to map the one or more datum, features, or characteristics included in the data against known behaviors stored in a behavior data store (col. 5 lines 33-57, col. 10 line 60 – col. 11 line 16, col. 12 lines 5-22, col. 15 line 33 – col. 16 line 2, and col. 25 lines 20-33, Neumann teaches using behavior information in a data source for mapping data to behavioral characteristics.).
Examiner supplies the same rationale for the combination of the references as in claim 1 above.
Claim 12 recites substantially similar subject matter to claim 4 and is therefore rejected for similar reasons to claim 4 above.
As to claim 5, Neumann discloses the system of claim 1, wherein to identify the one or more tactics, the tactic processor is configured to map the one or more identified behaviors against known tactics stored in a tactic data store (col. 5 lines 33-57, col. 10 line 60 – col. 11 line 16, col. 12 lines 5-22, col. 15 line 33 – col. 16 line 2, col. 17 lines 25-49, and col. 25 lines 20-33, Neumann teaches mapping behavior against profiles stored in a repository to identify the fragments.).
Examiner supplies the same rationale for the combination of the references as in claim 1 above.

As to claim 6, Neumann discloses the system of claim 1, wherein the one or more components are further configured to identify, using the behavior processor, one or more additional behaviors based on the one or more datum, features, or characteristics; the one or more identified behaviors; or combinations thereof (col. 10 line 60 – col. 11 line 16, col. 13 lines 9-36, and col. 22 lines 33-64, Neumann teaches identifying additional behavioral characteristics.).
Claim 14 recites substantially similar subject matter to claim 6 and is therefore rejected for similar reasons to claim 6 above.
As to claim 7, Neumann discloses the system of claim 1, wherein the one or more components are further configured to extract or identify, using the behavior processor, one or more additional behaviors based on the one or more identified tactics (col. 5 line 58 – col. 6 line 21, col. 6 line 46 – col. 7 line 15, col. 23 line 51 – col. 4 line 6, Neumann teaches determining additional behavioral characteristics based on behavioral fragments.).
Claim 15 recites substantially similar subject matter to claim 7 and is therefore rejected for similar reasons to claim 7 above.
As to claim 8, Neumann discloses the system of claim 1, wherein the one or more components are further configured to identify, using the tactic processor, one or more additional tactics based on the one or more identified behaviors, the one or more identified tactics, or combinations thereof (col. 10 line 60 – col. 11 line 16, col. 13 lines 9-36, col. 17 lines 25-49, and col. 22 lines 33-64, Neumann teaches identifying additional fragments.).
Claim 16 recites substantially similar subject matter to claim 8 and is therefore rejected for similar reasons to claim 8 above.
As to claim 9, Neumann discloses the system of claim 1, wherein the tactic classifier includes a statistical model or a machine learning model (col. 19 line 54 – col. 20 line 23, Neumann teaches machine-learning.).
Claim 17 recites substantially similar subject matter to claim 9 and is therefore rejected for similar reasons to claim 9 above.
As to claim 19, Neumann discloses the method of claim 10, further comprising: determining, by the tactic processor, a composite tactic based on one or more (1) identified tactics or (2) a combination of one or more identified tactics and one or more identified behaviors (col. 18 lines 8-40, Neumann teaches combining behavioral fragments.).
As to claim 20, Neumann discloses the method of claim 19, wherein a determined composite tactic is comprised of a plurality of individual tactics (col. 18 lines 8-40, Neumann teaches combining behavioral fragments.).
As to claim 21, Neumann discloses the system of claim 1, wherein the selected relationship between the plurality of known behaviors of the identified tactics comprises a chronological relationship, parent-child relationship, network port source and destination match relationship, or combination thereof (col. 15 lines 5-32, col. 19 line 54 – col. 20 line 23, and col. 25 lines 20-33, Neumann teaches a sequence of behavior characteristics for use in identifying fragments. The sequence is considered to be a chronological relationship.).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Seul et al. (U.S. Pub. No. 2020/0336497) – cited for teaching determining a cyber-attack pattern – Fig. 1

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THADDEUS J PLECHA whose telephone number is (571)270-7506. The examiner can normally be reached M-F 8-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on 571-272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/THADDEUS J PLECHA/ Examiner, Art Unit 2438