Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Examiner's Note. 
The references related to the application cited in the specification (pages 6-7) are not considered by the examiner. If applicant wants the references to be considered, applicant should file an Information Disclosure Statement including all the references cited in the specification and provide copies of the Non-Patent Literature.


Abstract Objections
Applicant is reminded of the proper language and format for an abstract of the disclosure. The abstract should be in narrative form and generally limited to a single paragraph on a separate sheet within the range of 50 to 150 words. It is important that the abstract not exceed 150 words in length since the space provided for the abstract on the computer tape used by the printer is limited. The form and legal phraseology often used in patent claims, such as "means" and "said," should be avoided. The abstract should describe the disclosure sufficiently to assist readers in deciding whether there is a need for consulting the full patent text for details. The language should be clear and concise and should not repeat information given in the title. It should avoid using phrases which can be implied, such as, "The disclosure concerns," "The disclosure defined by this invention," "The disclosure describes," etc.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-28 are rejected under 35 U.S.C. 103 as being unpatentable over Baoyi Wang et al. (“A Distributed Intrusion Detect Model Based on Alert Data Correlation Analysis”, Baoyi hereinafter, 2010) in view of Chih-Hung Wang et al. (“Adaptive Feature-Weighted Alert Correlation System Applicable in Cloud Environment”, Chih hereinafter, 2013).

As to claim 1, Baoyi teaches a method of correlating a plurality of alerts in a network environment including multiple computing devices coupled through one or more networks (e.g., Figure 1, right column of page 669, “II. AN ACADIDS (DISTRIBUTED INTRUSION DETECT SYSTEM BASED ON ALERT DATA CORRELATION ANALYSIS)”, “Figure 1, which can be classified to the bottom alert analysis module, the middle-level clustering correlation module, the high-level event correlation module and the decision response module etc.”, “The high-level event correlation modules are located on the high-level nodes of the distributed networks which receive the alert message from the low-level nodes to cluster the more comprehensive message”, “alerts in a short period of time”) comprising:

	analyzing the plurality of alerts (e.g., see page 669, “The bottom alert analysis modules analyze the alert message preliminarily to remove the false alert, and they can send the analyzed alert message to the middle-level clustering correlation modules and to the response module to alert partly”);
	correlating the plurality of alerts via an alert correlation module comprising one or more of a sequence model (e.g., see “Start Time”, TABLE 1 and “detection, and proposes an alert data association model of the distributed intrusion detection, and gives the correlation algorithm of each alert correlation module. By using the model and the correlation method, it can be more quickly and effectively to realize the multi-level and multi-angle correlation among the warning data time, space and process to remove the redundancy” in page 673), a topology reinforcement module (e.g., see page 670, “the authentication filter function to these modules if required, the use of which is to remove the alert which is irrelevant to the networks and the system environment or which is the false alert that has deterministic effects and regularity, so that we can reduce the alert message quantity”), and a similarity reinforcement module (e.g., see page 669, “The middle-level clustering correlation modules cluster the alert message which has similar attributes to the meta-alert message to reduce the alert quantity, and they can send the alert message to the high-level event correlation
	clustering the plurality of alerts attributable to a common triggering event (e.g., see page 669 “The middle-level clustering correlation modules cluster the alert message which has similar attributes to the meta-alert message” for “the high-level and distributed attack and the possible next attack”. Also, see page 670, “alert clustering and mergence based on the same attack type and attack source is as TABLE 1. The alert 10 is the new created correlation alert based on alert 1 and alert 2.” in page 671).
	However, Baoyi does not explicitly teach the plurality of alerts in a time sequence.
	Chih teaches correlating the plurality of alerts via an alert correlation module comprising one or more of a sequence model (e.g., see page 43, “using the Temporal Correlation Table. Temporal Correlation Table records the information in the last period of time” and “a sequence of alerts that match the pre-defined scenarios.” in page 41), analyzing the plurality of alerts in a time sequence (e.g., see page 44 “A. Historical Alert Data”, “store these alerts in the Alerts Database. In every hourly interval, we take out the historical alert data in the
 

As to claim 2, Baoyi does not teach converting one or more raw alerts into one or more normalized alerts for analysis. However, Chih teaches converting one or more raw alerts into one or more normalized alerts for analysis (e.g., see page 44, “E. Feature-Weighted Alert Filtering”, “The filtered alerts will be merged into the “AlertSets” and “Aggregator is used to merge the same alerts which have the same feature value” in page 42). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Baoyi by adopting the teachings of Chih to “enhance the alert correlation accuracy from some directions” (see Chih, Conclusion).
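The clustering step quoted from Baoyi for claim 1 (merging alerts that share an attack type and attack source into one correlation alert, as in its TABLE 1, after filtering out alerts irrelevant to the monitored environment) and the normalization and aggregation step quoted from Chih for claim 2 describe a small pipeline. The Python below is an added illustration of that pipeline; it is not code from Baoyi, Chih, the applicant, or this office action. The two raw record formats, the field names, the documentation-range IP addresses, the monitored-network list and the one-hour window are constructed assumptions for the example only.

```python
# Added example (not from Baoyi, Chih, the applicant, or this office action):
# normalize raw alerts from two constructed formats, drop alerts aimed at
# hosts outside the monitored networks (the filter step quoted from Baoyi),
# then merge alerts sharing attack type and source within a time window
# into meta-alerts (TABLE 1 style clustering; Chih's hourly interval).
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import ipaddress


@dataclass
class Alert:
    """One normalized alert, whatever sensor produced it."""
    ts: datetime
    src: str
    dst: str
    attack_type: str
    sensor: str


@dataclass
class MetaAlert:
    """Correlation alert created from one or more merged raw alerts."""
    attack_type: str
    src: str
    first_seen: datetime
    last_seen: datetime
    count: int = 0
    dsts: set = field(default_factory=set)
    sensors: set = field(default_factory=set)


def normalize(raw: dict) -> Alert:
    """Map two constructed raw formats onto Alert.

    'ids' records carry sig_name/src_ip/dst_ip/timestamp; 'fw' records carry
    event/source/destination/time. Both key sets are assumptions for this
    example, not the schema of any real product.
    """
    if "sig_name" in raw:
        ts, src, dst, kind = raw["timestamp"], raw["src_ip"], raw["dst_ip"], raw["sig_name"]
    else:
        ts, src, dst, kind = raw["time"], raw["source"], raw["destination"], raw["event"]
    # canonical attack label so "Port Scan" and "PORT_SCAN" merge
    label = kind.strip().upper().replace(" ", "_")
    return Alert(datetime.fromisoformat(ts), src, dst, label, raw["sensor"])


def topology_filter(alerts, monitored_nets):
    """Keep only alerts whose target lies inside a monitored network."""
    nets = [ipaddress.ip_network(n) for n in monitored_nets]
    return [a for a in alerts if any(ipaddress.ip_address(a.dst) in n for n in nets)]


def cluster(alerts, window=timedelta(hours=1)):
    """Merge alerts with the same attack type and source seen within `window`
    of the cluster's most recent alert; each cluster becomes one MetaAlert."""
    metas = []
    for a in sorted(alerts, key=lambda x: x.ts):
        for m in metas:
            if m.attack_type == a.attack_type and m.src == a.src and a.ts - m.last_seen <= window:
                m.count += 1
                m.last_seen = a.ts
                m.dsts.add(a.dst)
                m.sensors.add(a.sensor)
                break
        else:
            metas.append(MetaAlert(a.attack_type, a.src, a.ts, a.ts, 1, {a.dst}, {a.sensor}))
    return metas


# Constructed sample input: documentation-range addresses, two sensor formats.
RAW_ALERTS = [
    {"timestamp": "2024-01-01T10:00:00", "src_ip": "203.0.113.5", "dst_ip": "10.0.0.7", "sig_name": "Port Scan", "sensor": "ids-1"},
    {"time": "2024-01-01T10:02:00", "source": "203.0.113.5", "destination": "10.0.0.8", "event": "PORT_SCAN", "sensor": "fw-1"},
    {"timestamp": "2024-01-01T10:05:00", "src_ip": "203.0.113.5", "dst_ip": "10.0.0.9", "sig_name": "Port Scan", "sensor": "ids-2"},
    {"timestamp": "2024-01-01T10:06:00", "src_ip": "198.51.100.9", "dst_ip": "10.0.0.7", "sig_name": "SQL Injection", "sensor": "ids-1"},
    {"timestamp": "2024-01-01T10:07:00", "src_ip": "203.0.113.5", "dst_ip": "192.0.2.44", "sig_name": "Port Scan", "sensor": "ids-1"},
    {"timestamp": "2024-01-01T12:30:00", "src_ip": "203.0.113.5", "dst_ip": "10.0.0.7", "sig_name": "Port Scan", "sensor": "ids-1"},
]
MONITORED = ["10.0.0.0/8"]  # assumed asset inventory for the topology filter


def correlate(raw_alerts=RAW_ALERTS, monitored=MONITORED):
    """Full pipeline: normalize -> topology filter -> time-window clustering."""
    return cluster(topology_filter([normalize(r) for r in raw_alerts], monitored))


if __name__ == "__main__":
    for m in correlate():
        print(f"{m.attack_type:14} {m.src:13} x{m.count} {sorted(m.dsts)} "
              f"{m.first_seen:%H:%M}-{m.last_seen:%H:%M} via {sorted(m.sensors)}")
```

On the constructed input, six raw alerts become three meta-alerts: the three port-scan alerts from one source against monitored hosts merge (across two sensor formats), the alert aimed at an unmonitored address is dropped by the topology filter, and the port scan seen two and a half hours later starts a new cluster because it falls outside the window measured from the cluster's last alert.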


As to claim 3, Baoyi does not teach wherein the raw alerts are normalized for analysis and provided to a data pipeline. However, Chih teaches wherein the raw alerts are normalized for analysis and provided to a data pipeline (e.g., see Figure 1 and TABLE 1, page 44, “E. Feature-Weighted Alert Filtering”, “The filtered alerts will be merged into the “AlertSets” and “Aggregator is used to merge the same alerts which have the same feature value” in page 42). Thus, it would have been obvious to one of ordinary skill in the art before the


As to claim 4, Baoyi does not teach wherein the sequence model is trainable using historical alert sequences on a neural network. However, Chih teaches wherein the sequence model is trainable using historical alert sequences on a neural network (e.g., see page 44, “A. Historical Alert Data” and “neural-network alert correlation is to be able to find the relationships between alerts by observing the past alerts or training data.” in para 41). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Baoyi by adopting the teachings of Chih to “enhance the alert correlation accuracy from some directions” (see Chih, Conclusion).


As to claim 5, Baoyi teaches wherein the topology reinforcement is created through a network discovery (e.g., see page 670, “The output of alert information of the bottom alert analysis modules can be sent to the response modules to alert partly and also be sent to the next middle-level clustering correlation module to be analyzed. This module reduces the false alert generated by the detector and the requirement to the bandwidth and the alert message quantity to improve the rationality and efficiency of the correlation analysis.”, “the authentication filter function to these modules if required, the use of which is to remove the alert which is irrelevant to the networks and the system environment or which

As to claim 6, Baoyi does not teach wherein the similarity reinforcement is based on a natural language process. However, Chih teaches wherein the similarity reinforcement is based on a natural language process (e.g., see page 41 “Alert correlation based on known scenario is a method that the administrator or expert uses the attack languages such as STATL [1] or LAMDBA”. According to common knowledge that is well known in the technology, “LaMDA stands for “Language Model for Dialogue Applications.” Following from previous models such as BERT and GPT-3, LaMDA is also based on the transformer architecture, open-sourced by Google in 2017. ... A chatbot with these abilities could perfectly engage in natural conversations with people”. Thus, wherein the similarity reinforcement is based on a natural language process). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Baoyi by adopting the teachings of Chih to “enhance the alert correlation accuracy from some directions” (see Chih, Conclusion).


As to claim 7, Baoyi teaches wherein a first alert in an alert sequence is used to invoke a sequence model (e.g., see page 671, “to correlate the attacks sequence of the high-level clustering alerts”, see TABLE 1).

As to claim 8, Baoyi does not teach alert sequence training of a neural network. However, Chih teaches alert sequence training of a neural network (e.g., see pages 41-42, “The goal of using the statistic or neural-network alert correlation is to be able to find the relationships between alerts by observing the past alerts or training data training samples and much time for the improvement of detection accuracy. After alert correlation, the associated alerts can be grouped to reduce the complexity of security analysis and thus the intruders’ attack intention or plan can be exposed”). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Baoyi by adopting the teachings of Chih to “enhance the alert correlation accuracy from some directions” (see Chih, Conclusion).


As to claim 9, Baoyi teaches further taking information from an input alert at a first timestep; calculating an alert sequence (see rejection of claim 1 above). However, Baoyi does not teach predicting a time interval for which a simulation will progress. Chih teaches taking information from an input alert at a first timestep; calculating an alert sequence; predicting a time interval for which a simulation will progress (e.g., pages 43-45 “to estimate the causal relationship


As to claim 10, Baoyi does not teach alert embedding. However, Chih teaches alert embedding (e.g., see page 45, “learned from the alert correlation experience in the past” and “neural-network alert correlation is to be able to find the relationships between alerts by observing the past alerts or training data”, “vector machine (SVM), and further proposed a technique called Alert Correlation Matrix (ACM) used to store the past correlation


As to claim 11, Baoyi does not teach running a training workload as a scheduled batch job on a training node. However, Chih teaches running a training workload as a scheduled batch job on a training node (e.g., see pages 42-43, “A. Alert Correlation Based on Neural Network Zhu and Ghorbani [5] proposed a method to calculate the correlation probability between any two of alerts by multilayer perceptron (MLP) and support vector machine (SVM), and further proposed a technique called Alert Correlation Matrix (ACM) used to store the past correlation experience of any two types of alerts”, “The MLP and SVM are trained with small number of patterns and these patterns are manually generated and labeled”). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Baoyi by adopting the teachings of Chih to “enhance the alert correlation accuracy from some directions” (see Chih, Conclusion).


As to claim 12, Baoyi teaches wherein the plurality of alerts are not analyzed individually or in alert pairs (e.g., page 670, “Figure 1. A Distributed Intrusion Detect System based on Alert Data Correlation Analysis Module”).


distributed intrusion system to reduce the false alerts by analyzing the intensity of the alert data”. Thus, one or more computer-readable storage media storing computer-executable instructions for causing a computer to perform a method would have been inherent).

As to claims 14-24, see rejection of claims 2-12 above.

As to claim 25, see rejection of claim 1 above. Baoyi teaches further a system for correlating alerts in a computing environment including multiple computing devices coupled through one or more networks (e.g., pages 669-670, wherein “the Confidentiality and the usability of the computer resources. The intrusion detection can discover the intrusion by collecting and analyzing the information from the knot of the computer system or networks to find the action which violates the security strategy and the sign of stack in the networks or system. The IDS (Intrusion Detection System) is the combination of the software and hardware of the intrusion detection [1]. The traditional CIDS (Centralized Intrusion Detection System) are divided into the IDS based on the host and the IDS based on the networks because of the different data source, such as the noted freeware Snort [2] and so on. The CIDS is usually used in the small-size networks because they can't meet the needs of the security of the large-size networks, and specially can't discover the distributed-collaboration attacks.


As to claims 26-28, see rejection of claims 3-5 above.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:


Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABDOU K SEYE whose telephone number is (571)270-1062. The examiner can normally be reached M-F 9-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Dennis Chow can be reached on 571-272-7767. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ABDOU K SEYE/Examiner, Art Unit 2194


/DOON Y CHOW/Supervisory Patent Examiner, Art Unit 2194