DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim status summary
Presently, claims 1-20 remain pending. No claims have been amended. 

Response to Arguments
Applicant's arguments filed on 12/22/2021 have been fully considered but they are not persuasive.

Applicant argues that the amended claim limitations can overcome the §101 rejection because a reading of the claims as whole allegedly amounts to significantly more than the judicial exception and that it can allegedly provide a technological improvement (Applicant’s reply pgs. 7-14). Applicant also argues that the claims do not amount to mental process or another abstract idea category (e.g. math concepts or organizing human activity) and that the claims are patent eligible under step 1 since they recite a system (Applicant’s reply pgs. 7-14). Applicant again brings up example 39 in the 2019 PEG guidance regarding the allowable claim describing a training of a neural network, as well as provides summaries of the §101 analysis related to MCRO and various memos providing guidance that the whole claim should be considered when determining §101 subject matter eligibility (Applicant’s reply pgs. 7-14). Applicant again reiterates arguments and case law and memos made in the last response 

Firstly, there is no dispute regarding step 1 of the §101 analysis. The claims were already determined to be an eligible statutory category. Thus, there is no dispute regarding the claims’ eligibility under step 1. 

Secondly, contrary to Applicant’s assertions, the claims are considered as a whole. But even when considered as a whole, the claims do not amount to significantly more than the judicial exception. The claims as a whole recite a system that uses cognitive computing techniques (i.e. mental processes) to perform probability computations of gathered partial or full data sets and includes a hardware processing arrangement that comprises periodic execution units and event reception components to detect and signal anomalies using probabilities and fuzzy data. The system is varied in the other independent claim sets to also include a signal manager and a threat detector, respectively, to manage signals and detect threats. The hardware components include a processor and various units and components that are recited at a high level of generality such that they amount to a generic computer that can be utilized to perform the mental process or gather data. The use of a generic computer to perform the mental process computations does not represent a technological improvement, but rather just denotes the use of 
As mentioned, the various claims recite the use of probabilities and fuzzy logic to determine an abnormality, wherein the probability computations include normalization and expectancy over full or partial data sets that are received, and detecting anomalies when it is determined that such probability is outside a fuzzy range for one actor at a particular time frame. Such computations and detection can be performed mentally since it is merely computing probability values over full or partial data sets and detecting anomalies based on a determination of the probability value within normal detection range. That is, under a broadest reasonable interpretation, the limitations denote mental processes because making probability computations and determinations are a process that is based on observations, evaluations, judgments, or opinions that are performable in the human mind or with the aid of pencil and paper (see MPEP 2106.04(a)(2)(III)). The fact that Applicant chooses to perform these computations via a computing device as recited by the various hardware and periodic execution units is simply the use of a generic computing device to perform the mental process (see MPEP 2106.04(a)(2)(III)(C)) and does not negate the point that the limitations recite a mental process. 
Furthermore, the idea of probabilities normalized around a data set and expectancy are concepts that are well-known to PHOSITA, wherein normalization and expectancy via Gaussian distribution or standard deviations are commonly known and used mathematical concepts. Likewise, fuzzy logic is a concept that has long been known to PHOSITA having been introduced in 1965 by Zadeh. Thus, the use of probabilities, fuzzy logic, normalization, and Denning as was shown in the mapping. As such, there is no technological improvement. 
The other limitations recite event reception components to operate on the events, selectively provide information, and various descriptions of the terrain. As previously stated and shown below, these are additional elements related to: applying the judicial exception because it is essentially instructions for the components to operate on event data; selecting data which is an insignificant extra-solution activity; and field of use for applying the judicial exception. As such, these additional elements are not significantly more than the judicial exception. 
Thus, the claims as a whole comprise mental processes with additional limitations that do not amount to something significantly more than the judicial exception and do not represent a technological improvement. Therefore, the claims are ineligible under §101. 
It is noted that the other independent claims add in a signal manager to manage signals and a threat detector to detect threats based on the provided information, respectively. And as previously noted and shown below, these limitations constitute mental processes because managing signals and detecting a threat based on provided information are processes that are based on observations, evaluations, judgments, or opinions that are performable in the human mind or with the aid of pencil and paper (see MPEP 2106.04(a)(2)(III)). The fact that Applicant chooses to perform these computations via a computing device as recited by the signal manager and the threat detector is simply the use of generic computing devices to perform the mental 

Thirdly, Applicant again cites various case law and example 39 to argue that the claims are §101 eligible. Example 39 recites a method for training a neural network (NN) for facial detection purposes, wherein the training comprises collecting and transforming a data set, creating a first training data set, training the NN in a first stage using the first data set, creating a second training data set for a second stage of training, and then training the NN in a second stage using the second training data set. Note that the claim in example 39 clearly recites that the NN is being trained via two stages using two data sets. Accordingly, it is not practical for the human mind to train a NN, much less train in two different stages using two data sets. Thus, there is no abstract idea, namely mental process, involved in example 39, rendering it §101 eligible. Given this analysis, we now turn to the claims at issue in the present case.
Here, the claims recite a system that can use cognitive computing techniques (i.e. mental processes) and comprises a hardware processing arrangement that comprises periodic execution units and event reception components, as well as a signal manager and a threat detector in additional configurations, to detect and signal anomalies using probabilities and fuzzy computation. The claims do not recite a neural network or training of such a neural network. Rather, the preamble of claim 1 simply recites the use of “cognitive computing techniques” in a system, while the other independent claims 8 and 15 simply recite a system. All the claims recite a hardware processing arrangement. As previously stated, the system and hardware amount to a generic computer.

Applicant had again sought to bring in the case law to argue why the interpretation of the claims allegedly goes against the courts, but this argument is not persuasive or supported. As was previously shown and again shown below, the claims recite a mental process that can be performed on a generic computer, with elements that amount to additional insignificant activity. Moreover, the claims do not recite a technological improvement. Accordingly, there is no contravention of the courts or case law. Recitation of the case law cannot imbue §101 eligibility into the claims where none presently exists.

For these reasons, the claims are not presently §101 eligible. It is noted that no amendments are currently being made to address the §101 rejection. Rather, only various arguments which have been made before are being made. Accordingly, Applicant is advised to make amendments to address the §101 issues rather than reiterating previous arguments with the current ineligible claim set. Applicant is advised to amend the claims to bring forth the elements of the invention that would address the §101 issues. The specification describes elements that could be used to provide such amendments to advance prosecution by addressing the §101 issues. Applicant is invited to seek an interview for additional guidance and a discussion regarding such potential amendments that can enable the claims to overcome the §101 rejection. 
Applicant argues that the previously cited reference Laidlaw allegedly does not teach the claim limitation regarding the probability with fuzzy number for an actor (Applicant’s reply pg. 16). This is not persuasive. Regarding Laidlaw [0338], it was not used to teach the hardware arrangement that detects and signals anomalies. This citation teaches the probability range associated with a SQLIA (SQL Injection Attack) along with the fuzzy logic indicator range, e.g. high, medium, or low, based on analyzing a PCAP file (packet capture application file), wherein the higher logic indicators denote an abnormality, i.e. an attack, and it is understood that the PCAP file possesses data comprising IP addresses, i.e. data from an actor/entity. As such, Laidlaw [0338] teaches the limitation regarding the probability, normal range, and fuzzy logic associated with an actor. 

Applicant also argues that the various previously cited Laidlaw reference sections allegedly do not teach the claim limitation regarding the data set and at least one event comprising at least one action by one actor within a specific time period (Applicant’s reply pg. 17). This is not persuasive. The citations at Laidlaw [0109], [0125], [0198]-[0199], and [0280] describe captured data packets comprising IP addresses that occur within a time frame metric, e.g. a particular date and time that includes at run time or in real time. The captured data packets described denote the sets of received data in the claim limitation, the activity comprising an attack denotes an event comprising at least one action, an attacker associated with an IP address denotes an actor, and the time of the attack during run time or in real time (e.g. during the day) denotes a specific time within a specific time period. Thus, contrary to Applicant’s arguments, the citations do teach the claim limitations. 

Applicant also argues that Laidlaw in combination with the other previously cited references allegedly do not teach the claim limitations (Applicant’s reply pg. 18). As explained above, Laidlaw teaches the claim limitations. And Laidlaw in combination with the other cited references teaches the claim limitations as shown in the mappings. Accordingly, this argument is not persuasive. 

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. 
In evaluating subject matter eligibility under 35 U.S.C. §101, it must be determined whether the claim is directed to one of the four statutory categories of invention, i.e., process, machine, manufacture, or composition of matter (Step 1). If the claim falls within one of the four statutory categories, then the second step in the analysis is to determine whether the claim is directed to a judicial exception (Step 2A). 
The Step 2A analysis is broken down into two prongs. In the first prong (Step 2A, Prong 1), it is determined whether or not the claims recite a judicial exception (e.g., mathematical concepts, mental processes, or certain methods of organizing human activity). If it is determined in Step 2A, Prong 1 that the claims recite a judicial exception, then the analysis proceeds to the second prong (Step 2A, Prong 2), where it is determined whether or not the claims integrate the judicial exception into a practical application. If so, then the evaluation ends and there is no §101 
In Step 2B, if an abstract idea is present within the claim, then any element or combination of elements in the claim must sufficiently amount to significantly more than the abstract idea itself in order to qualify as eligible subject matter under §101. 
Applicant is advised to consult the 2019 PEG for more details of this analysis.

Step 1
	Under the first part of the analysis, claims 1-7 recite a system, claims 8-14 recite another system, and claims 15-20 recite another system. Accordingly, these claims fall within the four statutory categories and the analysis now proceeds to Step 2A, Prong 1. 

Step 2A, Prong 1
	Under this step, a determination is made as to whether the claims recite a judicial exception (e.g. mathematical concepts, mental processes, or certain methods of organizing human activity). In this case, the claims are determined to recite a judicial exception as explained below.
Claims 1-7 are analyzed below. Independent claims 8 and 15 are substantially similar to independent claim 1 and thus are rejected for the same/similar reasons as claim 1. It is noted that independent claims 8 and 15 have a limitation that is different from claim 1 and thus those limitations are analyzed below for clarity. 
Dependent claims 9-14 are substantially similar to dependent claims 2-7 and are rejected for the same/similar reasons as claims 2-7. Dependent claims 16-19 are substantially similar to Dependent claim 20 is substantially similar to claim 6, and thus is rejected for the same/similar reasons as claim 6. It is noted that claim 20 has a limitation that differs from claim 6, so claim 20 is analyzed below for clarity. 

Claim 1 recites:
A system for defuzzification of multiple qualitative signals into human-centric threat notifications using cognitive computing techniques, comprising (which amounts to a mental process that can be performed on a generic computer as denoted by the system. See MPEP 2106.04(a)(2)(III)(C).): 
...
a series of periodic execution units configured to determine probabilities normalized around value and degree of expectancy over full or partial sets of received data (which amounts to a mental process that can be performed on a generic computer as denoted by the execution units. See MPEP 2106.04(a)(2)(III)(C).),…; and 
…; 
wherein the hardware processing arrangement detects and signals anomalies when one determined probability is outside a normal fuzzy number range for the one actor for the one specific time period (which amounts to a mental process that can be performed on a generic computer as denoted by the hardware. See MPEP 2106.04(a)(2)(III)(C).). 



Claim 3 recites:
The system of claim 1, wherein the system detects and signals hazards (which amounts to a mental process that can be performed on a generic computer as denoted by the system. See MPEP 2106.04(a)(2)(III)(C).), ….

Claim 6 recites:
The system of claim 3, wherein the system detects and signals threats (which amounts to a mental process that can be performed on a generic computer as denoted by the system. See MPEP 2106.04(a)(2)(III)(C).), …. 

Claim 7 recites:
The system of claim 5, wherein: 
	…
threats are connected in a heterogeneous graph comprising nodes and edges, wherein nodes can be actors or assets and edges define the dynamic time-frame as well as the strength of their connection as a function of risk (which amounts to a mental process. See MPEP 2106.04(a)(2)(III).).

Claim 8 recites substantively the same limitations as in claim 1 and so is rejected for the same reasons as claim 1. Claim 8 recites the additional different limitation:
… a signal manager configured to manage signals for one of the series of periodic execution units and the plurality of event reception components (which amounts to a mental process that can be performed on a generic computer as denoted by the detector and execution units. See MPEP 2106.04(a)(2)(III)(C).)….

Claim 15 recites substantively the same limitations as in claim 1 and so is rejected for the same reasons as claim 1. Claim 15 recites the additional different limitation:
… a threat detector configured to detect threats based on information provided by the series of periodic execution units and the plurality of event reception components (which amounts to a mental process that can be performed on a generic computer as denoted by the detector and execution units. See MPEP 2106.04(a)(2)(III)(C).)….

Claim 20 recites:
The system of claim 17, wherein the threat detector operates with the series of periodic execution units and the plurality of event reception components to detect and signal threats (which amounts to a mental process that can be performed on a generic computer as denoted by the detector and execution units. See MPEP 2106.04(a)(2)(III)(C).),

Step 2A, Prong 2
Following the determination that the claims recite a judicial exception, it must now be determined if the claims recite additional elements that integrate the exception into a practical application of the exception (Step 2A, Prong 2). In this case, after considering all claim elements individually and as an ordered combination, it is determined that the claims do not include additional elements that integrate the exception into a practical application of the exception as explained below.
Claim 1 recites:
…
a hardware processing arrangement comprising at least one processor, the hardware processor arrangement comprising (which amounts to generic computer hardware. See MPEP 2106.05(d).);
… wherein full or partial sets of received data comprise at least one event comprising at least one action associated with one actor at a specific time within one specific time period (which amounts to an additional element of a field of use. See MPEP 2106.05(h).); and 
a plurality of event reception components configured to operate on each event in a stream relevant to a terrain (which amounts to an additional element of applying the judicial exception. See MPEP 2106.05(f).) 
and selectively provide information to the series of periodic execution units (which amounts to an additional element of selecting a particular source of data or type of data to be manipulated. See MPEP 2106.05(g).), 
wherein the terrain comprises a day of a year, a time of the day of the year, and an average weighted value structure that evolves over time to reflect behavior of the one actor (which amounts to an additional element of a field of use. See MPEP 2106.05(h).)….

Claim 2 recites:
The system of claim 1, wherein an anomaly has properties including severity and degree of inconsistency from normal behavior represented by mathematical distance, wherein severity is a class of anomaly assigned by an analytical component that detected and measured the anomaly (which amounts to an additional element of a field of use. See MPEP 2106.05(h).).

Claim 3 recites:
… wherein a hazard is an unperfected threat associated with an actor without regard to any related assets or the behavior of other actors (which amounts to an additional element of a field of use. See MPEP 2106.05(h).).

Claim 4 recites:
The system of claim 3, wherein a hazard represents risk to an enterprise based on cumulative multi-dimensional behaviors comprising anomalous states generated from thresholds, orders of operation, peer-to-peer similarity, and actor behavior change over time (which amounts to an additional element of a field of use. See MPEP 2106.05(h).).

Claim 5 recites:
The system of claim 4, wherein a hazard has two properties comprising severity and weighted risk (which amounts to an additional element of a field of use. See MPEP 2106.05(h).).

Claim 6 recites:
… wherein a threat is a perfected threat that ties together actors with behaviors of other actors and assets used by all actors in a hazard collection (which amounts to an additional element of a field of use. See MPEP 2106.05(h).).



Claim 7 recites:
…threats develop a sequence of operations over a dynamic time-frame (which amounts to an additional element of a field of use. See MPEP 2106.05(h).); and ….

Claim 8 recites substantively the same limitations as in claim 1 and so is rejected for the same reasons as claim 1. The additional elements in claim 8 being substantially similar to claim 1 are related to additional elements that do not amount to significantly more than the judicial exception, and thus are rejected for the same reasons as in claim 1.

Claim 15 recites substantively the same limitations as in claim 1 and so is rejected for the same reasons as claim 1. The additional elements in claim 15 being substantially similar to claim 1 are related to additional elements that do not amount to significantly more than the judicial exception, and thus are rejected for the same reasons as in claim 1.

Claim 20 recites:
…
wherein a threat is a perfected threat that ties together actors with behaviors of other actors and assets used by all actors in a hazard collection (which amounts to an additional element of a field of use. See MPEP 2106.05(h).).

Step 2B 
Based on the Step 2A determination that the claims are directed to a judicial exception, it must now be determined if the claims contain any element or combination of elements that 
Furthermore, the claim limitation elements recited above also correspond to well-understood, routine, and conventional activities as described below.

Claim 1 recites:
…
a hardware processing arrangement comprising at least one processor, the hardware processor arrangement comprising (which amounts to generic computer hardware in correlation with a well-understood, routine, and conventional activity. See MPEP 2106.05(d).);
… wherein full or partial sets of received data comprise at least one event comprising at least one action associated with one actor at a specific time within one specific time period (which amounts to an additional element in correlation with a well-understood, routine, and conventional activity of a field of use. See MPEP 2106.05(h).); and
a plurality of event reception components configured to operate on each event in a stream relevant to a terrain (which amounts to an additional element in correlation with a well-understood, routine, and conventional activity of applying the judicial exception. See MPEP 2106.05(f).) 
(which amounts to an insignificant extra-solution activity that is well-understood, routine, and conventional of selecting a particular source of data or type of data to be manipulated. See MPEP 2106.05(g).), 
wherein the terrain comprises a day of a year, a time of the day of the year, and an average weighted value structure that evolves over time to reflect behavior of the one actor (which amounts to an additional element in correlation with a well-understood, routine, and conventional activity of a field of use. See MPEP 2106.05(h).)….

Claim 2 recites:
The system of claim 1, wherein an anomaly has properties including severity and degree of inconsistency from normal behavior represented by mathematical distance, wherein severity is a class of anomaly assigned by an analytical component that detected and measured the anomaly (which amounts to an additional element in correlation with a well-understood, routine, and conventional activity of a field of use. See MPEP 2106.05(h).).

Claim 3 recites:
… wherein a hazard is an unperfected threat associated with an actor without regard to any related assets or the behavior of other actors (which amounts to an additional element in correlation with a well-understood, routine, and conventional activity of a field of use. See MPEP 2106.05(h).).


Claim 4 recites:
The system of claim 3, wherein a hazard represents risk to an enterprise based on cumulative multi-dimensional behaviors comprising anomalous states generated from thresholds, orders of operation, peer-to-peer similarity, and actor behavior change over time (which amounts to an additional element in correlation with a well-understood, routine, and conventional activity of a field of use. See MPEP 2106.05(h).).

Claim 5 recites:
The system of claim 4, wherein a hazard has two properties comprising severity and weighted risk (which amounts to an additional element in correlation with a well-understood, routine, and conventional activity of a field of use. See MPEP 2106.05(h).).

Claim 6 recites:
… wherein a threat is a perfected threat that ties together actors with behaviors of other actors and assets used by all actors in a hazard collection (which amounts to an additional element in correlation with a well-understood, routine, and conventional activity of a field of use. See MPEP 2106.05(h).).

Claim 7 recites:
…threats develop a sequence of operations over a dynamic time-frame (which amounts to an additional element in correlation with a well-understood, routine, and conventional activity of a field of use. See MPEP 2106.05(h).); and ….

Claim 8 recites substantively the same limitations as in claim 1 and so is rejected for the same reasons as claim 1. The additional elements in claim 8 being substantially similar to claim 1 are related to well-understood, routine, and conventional activities, and thus are rejected for the same reasons as in claim 1.

Claim 15 recites substantively the same limitations as in claim 1 and so is rejected for the same reasons as claim 1. The additional elements in claim 15 being substantially similar to claim 1 are related to well-understood, routine, and conventional activities, and thus are rejected for the same reasons as in claim 1.

Claim 20 recites:
…
wherein a threat is a perfected threat that ties together actors with behaviors of other actors and assets used by all actors in a hazard collection (which amounts to an additional element in correlation with a well-understood, routine, and conventional activity of a field of use. See MPEP 2106.05(h).).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1 and 8 are rejected under 35 U.S.C. § 103 as being unpatentable over Laidlaw et al. (U.S. Pat. App. Pre-Grant Pub. No. 2015/0163242, hereinafter Laidlaw) in view of Denning, “An Intrusion-Detection Model” (hereinafter Denning) and Stute (U.S. Pat. App. Pre-Grant Pub. No. 2013/0117852, hereinafter Stute).
Regarding claim 1, Laidlaw teaches:
A system for defuzzification of multiple qualitative signals ([0019], [0135], and [0348]: describing a defuzzification process of the fuzzy outputs to obtain risk value related to attributes from captured data packets that can be a threat.) into human-centric threat notifications ([0135]-[0136] and [0153]: describing the output of cyber threat risk to the user/administrator.) using cognitive computing techniques ([0109] and [0111]: describing that the cyber threat profiler (CTP) tool, comprising the intrusion detection system and various fuzzy engines, is an expert system that implements AI process. That is, the CTP can include the use of cognitive computing techniques.), comprising: 
a hardware processing arrangement comprising at least one processor, the hardware processor arrangement comprising ([0088] and [0093]: describing a computing environment and configuration comprising a computer, servers, and hardware components, wherein such devices can include processors.): 
a series of periodic execution units configured to determine probabilities ([0111], [0132], and [0134]-[0135]: describing that the “fuzzy rules generation engine”/“predictive model generation engine” can operate in correlation with the “fuzzy inference engine” as part of the cyber threat profiler (CTP) tool, wherein the various engines may execute over a series of rule bases, thus effectively performing as a series of periodic execution components, and wherein the engines can apply fuzzy logic based rules, with fuzzy logic comprising probabilities ([0169] and [0173]).) …over full or partial sets of received data ([0130] and [0134]: describing that the engines operate over “data relating to cyber alerts detected by Intrusion Detection System 411 in target computing environment 401 and, based on attribute data derived from captured packets relating to the alerted attack”.),
([0109], [0125], [0198]-[0199], and [0280]: describing that the captured data set/packets can include information comprising the time, the type of attack, and the attacker’s location that can occur in real time at runtime.); and 
a plurality of event reception components ([0125]: describing the use of event reception components, e.g. the feature extraction engine 412, which can denote a terrain updater because it extracts and updates terrain in the taxonomy with information such as “IP address of the sender of the message on the network constituting the alerted attack, the platform being used by the attacker to mount the alerted attack, and a sensed attack type”. Fig. 5 shows that there are a plurality of event reception components (412a…c).)
configured to operate on each event in a stream relevant to a terrain ([0125]: describing that the feature extraction engine 412 is configured to “pre-process[] packet data [i.e. the stream] to extract data pertaining to one or more attributes of the attack [events relevant to a terrain]”.) and selectively provide information to the series of periodic execution units ([0148]-[0149]: describing that the feature extraction engine 412 selectively provides data related to the alert to the fuzzy inference engine (i.e. a periodic execution component). See also Fig. 4: showing the plurality of engines that can be executed.),…; 
wherein the hardware processing arrangement detects and signals anomalies ([0088] and [0103]: describing that the CTP tool, as operated via a computer hardware and software, can detect potential cyber security threats and provide the resulting indication of risk to the user/administrator.) when one determined probability is outside a normal fuzzy number range for the one actor ([0338]-[00338]: describing the fuzzy logic can denote low, medium, high risk associated with the probability that the attack is coming from a particular IP address, i.e. corresponding to a particular actor/attacker.)…. 

While the cited references teach the limitations of claim 1, they do not explicitly teach: “normalized around value and degree of expectancy” on line 6. Denning discloses the claim limitations, teaching: that the intrusion detection expert system creates an activity profile for an actor to characterize the actor’s behavior and to establish a baseline. A probability determination using a mean and standard deviation model can be utilized to determine if a new observed action is outside a confidence level as defined by the probabilities and normalized via a mean and standard deviation model. That is, if the action is some d deviations from the mean, then the action can be characterized as abnormal wherein it is understood that the probability related to outlier values is a 1/d² value. (Denning pg. 225). 
Thus, it would have been obvious to Person Having Ordinary Skill in the Art (PHOSITA) before the effective filing date (EFD) to modify the system in the cited references to include the computations in Denning. Doing so would enable “[a] model of a real-time intrusion-detection expert system capable of detecting break-ins, penetrations, and other forms of computer abuse is described…. The model includes profiles for representing the behavior of subjects with respect to objects in terms of metrics and statistical models, and rules for acquiring knowledge about this behavior from audit records and for detecting anomalous behavior. The model is independent of any particular system, application environment, system vulnerability, or type of intrusion, thereby providing a framework for a general-purpose intrusion detection expert system.” (Denning Abstract). 

While the cited references teach the limitations of claim 1, they do not explicitly teach: “wherein the terrain comprises a day of a year, a time of the day of the year, and an average weighted value structure that evolves over time to reflect behavior of the one actor” on lines 12-14 and “for the one specific time period” on lines 16-17. Stute discloses the claim limitations, teaching: 
“wherein the terrain comprises a day of a year (Stute [0078]-[0081] and [0150]: describing data being obtained for a day of a year.), 
a time of the day of the year (Stute [0078]-[0081] and [0150]: describing data being obtained for a time period, e.g. per hour, per day, or in 15 min increments, or in 30 min increments, etc. for a day of a year.), and 
an average weighted value structure that evolves over time to reflect behavior of the one actor (Stute [0008]-[0009] and [0151]-[0152]: describing average weight/weight sum computations for detecting abnormal activity upon breaching “some changeable threshold”. See also Stute [0088]-[0092]: describing the threshold in further detail, wherein breaching the threshold denotes emergent anomalous behavior. See also Stute [0030]-[0031] and [0047]: further describing emergent anomalous behavior.)”.
“for the one specific time period”: describing various examples of specific “time periods”, e.g. per hour per day, each week of the month, etc. (Stute [0078] and [0081]).
Thus, it would have been obvious to Person Having Ordinary Skill in the Art (PHOSITA) before the effective filing date (EFD) to modify the system in the cited references to include the timeframe and average weight in Stute. Doing so would enable “[s]ystems and methods of detecting emergent behaviors in communications networks are disclosed. In some embodiments, a method may include decomposing a plurality of data packets into a plurality of component data types associated with a candidate alert representing a potential security threat in a network… as detected in the network in a given time period. The method may further include calculating a score that indicates a discrepancy between an amount of data in each of the subset of the component data types and the counts for each corresponding historical data type in the same time period, and handling the candidate alert based upon the score.” (Stute Abstract). Wherein the detection comprises “methods for detecting emerging behaviors associated with cyber security attacks, such as advanced persistent threat (APT) attacks, on communications networks” to accurately identify a security threat (Stute [0006]). 
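
The mean and standard deviation model cited from Denning, kept per actor and per time period as in the Stute mapping, can be illustrated as follows. This is an added example, not code from the application or from any cited reference; the hour-of-day bucket, the exponential weighting, the thresholds and the sample counts are assumptions constructed for the illustration.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta


class Profile:
    """Exponentially weighted mean and variance for one (actor, hour) bucket."""

    def __init__(self, alpha):
        self.alpha, self.n, self.mean, self.var = alpha, 0, 0.0, 0.0

    def update(self, x):
        self.n += 1
        if self.n == 1:
            self.mean = float(x)
            return
        delta = x - self.mean
        self.mean += self.alpha * delta
        self.var = (1 - self.alpha) * (self.var + self.alpha * delta * delta)

    def deviations(self, x):
        """Distance of x from the baseline, in standard deviations (d)."""
        std = math.sqrt(self.var)
        if std == 0.0:
            return 0.0 if x == self.mean else math.inf
        return abs(x - self.mean) / std


def chebyshev_bound(d):
    """Upper bound on P(|X - mean| >= d * std); holds for any distribution."""
    return 1.0 if d <= 1.0 else 1.0 / (d * d)


class Detector:
    def __init__(self, d_threshold=4.0, min_samples=5, alpha=0.1):
        self.d_threshold = d_threshold      # assumed alerting threshold
        self.min_samples = min_samples      # no scoring until a baseline exists
        self.profiles = defaultdict(lambda: Profile(alpha))

    def observe(self, actor, ts, value):
        # Assumed bucketing: one profile per actor and hour of day.
        profile = self.profiles[(actor, ts.hour)]
        if profile.n < self.min_samples:
            profile.update(value)
            return {"scored": False, "anomalous": False}
        d = profile.deviations(value)
        anomalous = d >= self.d_threshold
        if not anomalous:
            # Flagged values are kept out of the baseline so that a burst
            # does not widen the range it is later compared against.
            profile.update(value)
        return {"scored": True, "anomalous": anomalous,
                "d": d, "bound": chebyshev_bound(d)}


def run_constructed_sample():
    """Ten constructed days of 09:00 event counts, then three observations."""
    det = Detector()
    start = datetime(2021, 3, 1, 9, 0)
    for day, count in enumerate([10, 12, 11, 9, 10, 11, 12, 10, 9, 11]):
        det.observe("alice", start + timedelta(days=day), count)
    day11 = start + timedelta(days=10)
    return {
        "burst_09h": det.observe("alice", day11, 40),
        "usual_09h": det.observe("alice", day11, 11),
        "first_03h": det.observe("alice", day11.replace(hour=3), 11),
    }


if __name__ == "__main__":
    for name, result in run_constructed_sample().items():
        print(name, result)
```

The same count of 11 is scored at 09:00 but not at 03:00, because the 03:00 bucket has no baseline yet; a deployment has to decide how to treat activity in a period the actor has never been seen in.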

Regarding independent claim 8, claim 8 is substantially similar to independent claim 1 and therefore is rejected on the same grounds as claim 1. Claim 8 is another system claim that corresponds to system claim 1. 
A mapping is shown below for the limitations of claim 8 that differ from claim 1. Laidlaw teaches:
“…a signal manager configured to manage signals for one of the series of periodic execution units and the plurality of event reception components ([0125]: describing a “feature extraction engine” that extracts various specific features of the captured data packet, i.e. components of the signal, relating to attributes of an attack for further processing, thereby managing the signals. See also Fig. 4: showing the plurality of engines that can be executed.)”

Claims 2, 9, and 16 are rejected under 35 U.S.C. § 103 as being unpatentable over Laidlaw et al. (U.S. Pat. App. Pre-Grant Pub. No. 2015/0163242, hereinafter Laidlaw), Denning, “An Intrusion-Detection Model” (hereinafter Denning), and Stute (U.S. Pat. App. Pre-Grant Pub. No. 2013/0117852, hereinafter Stute) in view of Charles et al. (U.S. Pat. App. Pre-Grant Pub. No. 2017/0083815, hereinafter Charles). 

Regarding claim 2, the rejection of claim 1 is incorporated. Laidlaw teaches:
The system of claim 1, wherein an anomaly has properties including severity ([0135]-[0136]: describing that the cyber threat risk denotes the severity of the detected anomaly, i.e. threat.) and ….

While the cited references teach the limitations of claim 2, they do not explicitly teach: “degree of inconsistency from normal behavior represented by mathematical distance, wherein severity is a class of anomaly assigned by an analytical component that detected and measured the anomaly”. Charles discloses the claim limitations, teaching: that the degree of inconsistency is the normality score based on mathematical distance of the models, e.g. “edit distance or Levenshtein distance” (Charles [0036]-[0037]). Wherein detecting anomalies and behavior inconsistent with normal behavior can be determined by calculating a “normality score” for a live event sequence based on similarity (or dissimilarity) to a model representing normal behavior, and then signaling a threat analyzer of possible anomalous behavior (Charles [0027] and [0030]-[0031]). The detection and signal can be done via the system comprising analytical components such as the “behavioral data evaluator” and the “threat analyzer” (Charles [0022]). 
Charles. Doing so would enable “[c]urrent behavior can be evaluated to efficiently identify behavioral anomalies with process models of different scopes and/or different degrees of precision. For meaningful behavioral evaluation of an actor (i.e., a user or a device), these multiple process models are constructed with different sets of event logs of a system. A model of a scope of an individual actor and a model of a scope of a group of actors are constructed and used for evaluation. These models of different scope expand “normal” behavior of an actor to include behavior of the group of actors. Although these process models of different scopes likely have different precision, additional models of different precision and/or different scopes can be constructed and used for behavioral evaluation. These different process models allow for behavioral variation within relevant groups of actors.” (Charles Abstract). 
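
The normality score described in the Charles mapping above, a distance-based similarity between a live event sequence and models of individual and group scope, can be illustrated as follows. This is an added example, not code from Charles or from the application; the scoring formula, the rule of taking the best score across scopes, the 0.6 threshold and all event names are assumptions constructed for the illustration.

```python
def edit_distance(a, b):
    """Levenshtein distance between two event sequences (lists of event names)."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete x
                           cur[j - 1] + 1,           # insert y
                           prev[j - 1] + (x != y)))  # substitute or match
        prev = cur
    return prev[-1]


def normality(live, model_traces):
    """Similarity in [0, 1] of a live sequence to the closest trace of a model."""
    best = 0.0
    for trace in model_traces:
        longest = max(len(live), len(trace), 1)
        best = max(best, 1.0 - edit_distance(live, trace) / longest)
    return best


def evaluate(live, individual_model, group_model, threshold=0.6):
    """Score against both scopes; the group model widens what counts as normal."""
    scores = {
        "individual": normality(live, individual_model),
        "group": normality(live, group_model),
    }
    overall = max(scores.values())
    return {"scores": scores, "normality": overall, "signal": overall < threshold}


# Constructed models: sequences previously seen for one actor and for the peer group.
INDIVIDUAL = [["login", "read_mail", "logout"]]
GROUP = [
    ["login", "open_ticket", "update_ticket", "logout"],
    ["login", "read_mail", "open_ticket", "logout"],
]

# Constructed live sequences.
PEER_LIKE = ["login", "open_ticket", "update_ticket", "logout"]
UNSEEN = ["login", "export_all_records", "change_audit_config",
          "upload_external", "logout"]

if __name__ == "__main__":
    print(evaluate(PEER_LIKE, INDIVIDUAL, GROUP))
    print(evaluate(UNSEEN, INDIVIDUAL, GROUP))
```

The first sequence is new for the individual actor (score 0.5) but matches the group model exactly, so no signal is raised; the second is far from both scopes and is signaled.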

Regarding claim 9, claim 9 is substantially similar to claim 2 and therefore is rejected on the same grounds as claim 2. Claim 9 is another system claim that corresponds to system claim 2.

Regarding claim 16, claim 16 is substantially similar to claim 2 and therefore is rejected on the same grounds as claim 2. Claim 16 is another system claim that corresponds to system claim 2.


Claims 3, 6, 10, 13, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Laidlaw et al. (U.S. Pat. App. Pre-Grant Pub. No. 2015/0163242, hereinafter Laidlaw), Denning, “An Intrusion-Detection Model” (hereinafter Denning), and Stute (U.S. Pat. App. Pre-Grant Pub. No. 2013/0117852, hereinafter Stute) in view of Kruglick (U.S. Pat. No. 9,882,920, hereinafter Kruglick).

Regarding claim 3, the rejection of claim 1 is incorporated. While the cited references teach the claim limitations and “the system detects and signals hazards”, they do not explicitly teach: “wherein a hazard is an unperfected threat associated with an actor without regard to any related assets or the behavior of other actors”. Kruglick discloses the claim limitations, teaching: that when a user executes a “watched” or unusual event, the system stores occurrence of that event in a database representing the initial threat/hazard. Wherein the initial threat is unperfected since it is raw data that is initially stored without regard to assets or acts by other users, which may be identified later when the system attempts to perform groupings of unusual events. (Kruglick col. 5, lines 30-50). 
Thus, it would have been obvious to Person Having Ordinary Skill in the Art (PHOSITA) before the effective filing date (EFD) to modify the system in the cited references to include the threat detection in Kruglick. Doing so would enable monitoring and detection of attacks on a datacenter, wherein “the correlation of administrative events enables the detection of confluences of repeated unusual events that may indicate a mass hacking attack, thereby allowing attacks lacking network signatures to be detected. Detection of the attack may also allow the repair of affected systems and the prevention of further hacking before the vulnerability has been analyzed or repaired.” (Kruglick Abstract). 

Regarding claim 6, the rejection of claim 3 is incorporated. While the cited references teach the claim limitations and “the system detects and signals hazards”, Kruglick further teaches: 
wherein a threat is a perfected threat that ties together actors with behaviors of other actors and assets used by all actors in a hazard collection (Kruglick col. 5, lines 26-30 and 50-67 to col. 6, lines 1-34: describing that the detected intrusions/threats can be “subject to a cross-deployment/cross-user time correlation to determine groupings of significant/unusual administrative events”, wherein the cross-deployment can also include across a plurality of devices. That is, the threats can be perfected across other users and assets in the collected data.).
Thus, it would have been obvious to Person Having Ordinary Skill in the Art (PHOSITA) before the effective filing date (EFD) to modify the system in the cited references to include the threat detection in Kruglick. A motivation to combine the cited references with Kruglick was previously given.

Regarding claim 10, claim 10 is substantially similar to claim 3 and therefore is rejected on the same grounds as claim 3. Claim 10 is another system claim that corresponds to system claim 3.

Regarding claim 13, claim 13 is substantially similar to claim 6 and therefore is rejected on the same grounds as claim 6. Claim 13 is another system claim that corresponds to system claim 6.

Regarding claim 17, claim 17 is substantially similar to claim 3 and therefore is rejected on the same grounds as claim 3. Claim 17 is another system claim that corresponds to system claim 3.

Claims 4, 5, 11, 12, 15, and 18-20 are rejected under 35 U.S.C. § 103 as being unpatentable over Laidlaw et al. (U.S. Pat. App. Pre-Grant Pub. No. 2015/0163242, hereinafter Laidlaw), Denning, “An Intrusion-Detection Model” (hereinafter Denning), and Stute (U.S. Pat. App. Pre-Grant Pub. No. 2013/0117852, hereinafter Stute) in view of Kruglick (U.S. Pat. No. 9,882,920, hereinafter Kruglick) and Charles et al. (U.S. Pat. App. Pre-Grant Pub. No. 2017/0083815, hereinafter Charles). 

Regarding claim 4, the rejection of claim 3 is incorporated. While the cited references teach the claim limitations, Charles further teaches: 
The system of claim 3, wherein a hazard represents risk to an enterprise based on cumulative multi-dimensional behaviors (Charles [0021]: describing detecting a hazard (or unperfected threat) based on multiple models of different scopes (representing multi-dimensional behaviors) with varying attributes/characteristics. Wherein the normality scores can be aggregated, denoting cumulative multi-dimensional behaviors, and a comparison can be made with a normality threshold to distinguish normal behavior from abnormal behavior (Charles [0091]). The threats or hazards are risks to an enterprise or organization (Charles [0040] and [0089]).) 
(Charles [0036]-[0037] and [0040]: describing computation of normality scores and threshold as to what constitutes normal vs. abnormal behavior.), 
orders of operation (Charles [0030]: describing that determining similarity to a model based in part on “at least some of the activities in the similar process instances occur in a same sequence”.), 
peer-to-peer similarity (Charles [0027] and [0036]-[0037]: discusses use of peer to peer analysis including comparing against the various models. Wherein the one model may be a “group of actors” model where peers are identified based on a similarity (Charles [0029]).), and 
actor behavior change over time (Charles [0089]: describing that the models are revised over time to accommodate behavior changes of the group that the model relates to, wherein such changes would allow the system to still identify changes in actor behavior that outstrip the change in the behavior of the group as a whole.).
Thus, it would have been obvious to Person Having Ordinary Skill in the Art (PHOSITA) before the effective filing date (EFD) to modify the system in the cited references to include the detection in Charles. A motivation to combine the cited references with Charles was previously given. 

Regarding claim 5, the rejection of claim 4 is incorporated. Laidlaw teaches:
The system of claim 4, wherein a hazard has two properties comprising severity and weighted risk ([0060] and [0310]: describing that the risks can comprise different categories of risk, e.g. sophistication, integrity, etc., as well as a severity and priority/weight associated with the risk, e.g. low risk, medium risk, or high risk, etc. The risk level being crisp values obtained from defuzzification of data ([0135]-[0136]).)

Regarding claim 11, claim 11 is substantially similar to claim 4 and therefore is rejected on the same grounds as claim 4. Claim 11 is another system claim that corresponds to system claim 4.

Regarding claim 12, claim 12 is substantially similar to claim 5 and therefore is rejected on the same grounds as claim 5. Claim 12 is another system claim that corresponds to system claim 5.

Regarding independent claim 15, claim 15 is substantially similar to independent claim 1 and therefore is rejected on the same grounds as claim 1. Claim 15 is another system claim that corresponds to system claim 1. 
A mapping is shown below for the limitations of claim 15 that differ from claim 1. Charles teaches:
“…a threat detector configured to detect threats (Charles [0027] and [0036]-[0037]: describing a behavioral data analyzer that can detect threats/anomalous behavior.) based on information provided by the series of periodic execution units and the plurality of event reception components (Charles [0027], [0030], and [0036]-[0037]: describing that the behavioral data analyzer can generate and provide periodic execution component data, such as peer-to-peer analysis. That is, a comparison can be made between actors and models, wherein one model may be a “group of actors” model where peers are identified based on a similarity (Charles [0029]) and the event distiller can provide information about the various events (Charles [0022]).); ….”
Thus, it would have been obvious to Person Having Ordinary Skill in the Art (PHOSITA) before the effective filing date (EFD) to modify the system in the cited references to include the detection in Charles. Doing so would enable “[c]urrent behavior can be evaluated to efficiently identify behavioral anomalies with process models of different scopes and/or different degrees of precision. For meaningful behavioral evaluation of an actor (i.e., a user or a device), these multiple process models are constructed with different sets of event logs of a system. A model of a scope of an individual actor and a model of a scope of a group of actors are constructed and used for evaluation. These models of different scope expand “normal” behavior of an actor to include behavior of the group of actors. Although these process models of different scopes likely have different precision, additional models of different precision and/or different scopes can be constructed and used for behavioral evaluation. These different process models allow for behavioral variation within relevant groups of actors.” (Charles Abstract). 

Regarding claim 18, claim 18 is substantially similar to claim 4 and therefore is rejected on the same grounds as claim 4. Claim 18 is another system claim that corresponds to system claim 4.

Regarding claim 19, claim 19 is substantially similar to claim 5 and therefore is rejected on the same grounds as claim 5. Claim 19 is another system claim that corresponds to system claim 5.

Regarding claim 20, claim 20 is substantially similar to claim 6 and therefore is rejected on the same grounds as claim 6. Claim 20 is another system claim that corresponds to system claim 6. Wherein the references also teach the hardware processing arrangement, and such arrangement comprises the periodic execution units, event reception component, and threat detector that can operate together to detect and signal anomalies as recited in claim 20. 

Claims 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Laidlaw et al. (U.S. Pat. App. Pre-Grant Pub. No. 2015/0163242, hereinafter Laidlaw), Denning, “An Intrusion-Detection Model” (hereinafter Denning), Stute (U.S. Pat. App. Pre-Grant Pub. No. 2013/0117852, hereinafter Stute), Charles et al. (U.S. Pat. App. Pre-Grant Pub. No. 2017/0083815, hereinafter Charles), and Kruglick (U.S. Pat. No. 9,882,920, hereinafter Kruglick) in view of Jang et al. (U.S. Pat. App. Pre-Grant Pub. No. 2018/0046928, hereinafter Jang).

Regarding claim 7, the rejection of claim 5 is incorporated. Charles further teaches:
The system of claim 5, wherein: threats develop a sequence of operations over a dynamic time-frame (Charles [0019] and [0026]: discussing analyzing threats by analyzing a sequence of operations while the behavior is ongoing and growing while being evaluated, i.e. a dynamic time-frame.); and …. 




While the cited references teach the limitations of claim 7, they do not explicitly teach: 
“threats are connected in a heterogeneous graph comprising nodes and edges, wherein nodes can be actors or assets and edges define the dynamic time-frame as well as the strength of their connection as a function of risk”. Jang discloses the claim limitations, teaching:
“threats are connected in a heterogeneous graph comprising nodes and edges (Jang [0057]-[0058] and [0073]-[0074]: describing a flow analysis of threats as represented by a knowledge graph and offense context graph comprising nodes and edges. Wherein the data in the knowledge graphs can comprise heterogeneous data sets (Jang [0041]).),
wherein nodes can be actors or assets (Jang [0062] and [0070]: describing an example where the node can denote an actor, e.g. offending system(s) or user(s), as depicted in Figs. 6 and 8.) and 
edges define the dynamic time-frame as well as the strength of their connection as a function of risk (Jang [0070] and [0074]: describing examples of edges demonstrating the “LINKS” and “CONNECT” dynamic time frame activities, wherein the strength is a conductance coefficient.)”.
Thus, it would have been obvious to Person Having Ordinary Skill in the Art (PHOSITA) before the effective filing date (EFD) to modify the system in the cited references to include the graphs in Jang. Doing so would enable “a signal flow analysis-based exploration of security knowledge represented in a graph structure comprising nodes and edges. “Conductance” values are associated to each of a set of edges. Each node has an associated “toxicity” value representing a degree of maliciousness associated with the node. The conductance value associated with an edge is a function of at least the toxicity values of the nodes to which the edge is incident.” (Jang Abstract). 
Regarding claim 14, claim 14 is substantially similar to claim 7 and therefore is rejected on the same grounds as claim 7. Claim 14 is another system claim that corresponds to system claim 7.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

The prior art made of record and not relied upon is considered pertinent to Applicant's disclosure:
Muddu et al. (U.S. Pat. App. Pre-Grant Pub. No. 2017/0063890): describing analyzing and detecting anomalies/threats. The security platform analyzes user/entity behaviors to detect the anomalies/threats and present notifications of a threat. Event data streams are analyzed using machine learning to produce a score related to the event data stream, wherein the batch data stream can be sorted and analyzed for a particular time 
Ramsey et al. (U.S. Pat. App. Pre-Grant Pub. No. 2014/0041028): describing pattern analysis using fuzzy logic as part of a fuzzy rule-based system to compute probabilities in the network traffic data indicative of an attack along with “a confidence score indicating a confidence in that probability”. The system also comprises a signature analyzer that “compares the network traffic 110 to a set of attack signatures typically stored in memory or a signature database”.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SELENE A HAEDI whose telephone number is (571)270-5762.  The examiner can normally be reached on M-F 11 AM - 7 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, OMAR FERNANDEZ RIVAS can be reached on (571)272-2589.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR 

/S.H./Examiner, Art Unit 2121
/OMAR F FERNANDEZ RIVAS/Supervisory Patent Examiner, Art Unit 2128