DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant’s arguments with respect to claims 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
	Specifically, the Office Action below has been updated to include newly cited prior art Niininen et al. (US Pub No 2018/0150758) in combination with Mehra for disclosing the amended limitations.  

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Mehra et al. (US Pat No 9,825,989) in view of Niininen et al. (US Pub No 2018/0150758).

With respect to claim 1, Mehra teaches a system comprising: 
one or more processing units (e.g., Fig. 2 #275); and 
a computer-readable storage medium having computer-executable instructions stored thereupon, which, when executed by the one or more processing units (e.g., Fig. 2B #290), cause the one or more processing units to: 
[learn] a model based on stored patterns of alerts that are known to be associated with security issues (e.g., the attack-specific engine includes attack-specific logic that may be specifically tailored to analyze one of various malware attacks, including APT, POS, and Crimeware attacks @ Col. 6, lines 6-19, and uses stored patterns of alerts @ Col. 6, lines 14-16, Col. 9, lines 7-18 and 44-47); 
apply the model to determine that individual alerts, in a pattern of alerts, have been generated by an alert monitoring system deployed in association with a resource or a group of resources based on actions detected in association with the resource or the group of resources (e.g., the MCD system, teaching an alert monitoring system, identifies suspicious objects relating to resources and generates an attack alert for the EWS @ Col. 5, lines 7-9, and the attack alert is communicated to the input engine for analysis, feature extraction and classification @ Col. 5, line 64 - Col. 6, line 5); 
making predictions based on the pattern of alerts (e.g., using probabilistic or machine-learning algorithms, the correlation engine is configured to determine an "attack value", which is compared with a predetermined threshold value to determine whether an early warning alert should be generated; this teaches the early warning alert as a probabilistic prediction of a next alert to be triggered @ Col. 6, lines 33-41); and 
present, in a graphical user interface, information associated with the next alert and the pattern of alerts (e.g., the reporting engine may issue an early warning alert or report such as email message, text message, display screen image, etc. @ Col. 7, lines 5-7 and the report .  
Mehra discloses the claimed subject matter as discussed above with respect to using a model specific to the type of alerts, but does not explicitly disclose that the processing units learn a model based on stored patterns of alerts that are known to be associated with security issues and predict, based on application of the model, a next alert that is to be triggered in the pattern of alerts.  However, Niininen teaches that the processing units learn a model based on stored patterns of alerts that are known to be associated with security issues (e.g., the alert classifier initiates a retraining of the predictive machine learning model based on a change in the monitored network system ¶ 0088) and predict, based on application of the model, a next alert that is to be triggered in the pattern of alerts (e.g., the alert classifier trains a predictive machine learning model, calculates a probability that the subsequent alert is actionable or non-actionable, and the subsequent alert is presented in a network monitoring user interface based on the probability ¶ 0096).  Therefore, based on Mehra in view of Niininen, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply the teaching of Niininen to the system of Mehra in order to provide a system that continuously learns, via machine learning, to identify incident-causing alarms and highlights them in a network monitoring user interface for review, thereby advantageously reducing the work, time, resources, etc. associated with classifying alerts (¶ 0037).

With respect to claim 2, the references above further teach wherein the information includes a type of malicious activity likely to be associated with the next alert and the pattern of alerts (e.g., the report includes detailed instructions pertaining to specific attack types @ Mehra Col. 7, lines 5-17).



With respect to claim 4, the references above further teach wherein the probability of the next alert being generated increases as a number of alerts in the pattern of alerts increases (e.g., using heuristic, probabilistic, and/or machine learning algorithms based on the received alert, the "attack value" increases as more attack alerts are added to the model @ Mehra Col. 12-19).

With respect to claim 5, the references above further teach wherein the computer-executable instructions further cause the one or more processing units to: compare the probability of the next alert being generated to a probability threshold; determine that the probability of the next alert being generated is greater than the probability threshold; and present, in the graphical user interface, the information associated with the next alert and the pattern of alerts based at least in part on determining that the probability of the next alert being generated is greater than the probability threshold (e.g., compare the "attack value" to a threshold @ Mehra Col. 6, lines 33-42, and if the attack value matches or exceeds the predetermined threshold value, the reporting engine presents a notification @ Mehra Col. 6, lines 59-62, Col. 7, lines 5-8, and Fig. 4).  

With respect to claim 6, the references above further teach wherein: the model determines an estimated time at which the next alert is to be generated; and the information includes the estimated time at which the next alert is to be generated (e.g., predict a forecast for a given future time period @ Mehra Col. 4, lines 46-62).

With respect to claim 7, the references above further teach wherein the computer-executable instructions further cause the one or more processing units to: determine that a severity level associated with the next alert is greater than a severity level threshold; and present, in the graphical user interface, the information associated with the next alert and the pattern of alerts based at least in part on determining that the severity level associated with the next alert is greater than the severity level threshold (e.g., determining a severity level of each alert @ Niininen Fig. 8, Severity column).  Mehra discloses the "attack value" as discussed above but does not explicitly disclose a severity level, which Niininen teaches as noted above.  The motivation to combine the teaching of Niininen with the system of Mehra remains the same as for independent claim 1 above.
 
With respect to claim 8, the references above further teach wherein the computer-executable instructions further cause the one or more processing units to extract features from the individual alerts in the pattern of alerts, wherein: the features include words used to describe the individual alerts; and the model is trained to map the words used to describe the individual alerts to a linguistic context and to predict the next alert based on identifying one or more words in the linguistic context that follow the words used to describe the individual alerts (e.g., the alert patterns include features extracted through analysis, feature extraction and classification using various logic, such as heuristics, exploit/vulnerability logic and parsing logic @ Mehra Col. 5, line 64 - Col. 6, line 33).

With respect to claim 9, the references above further teach wherein the model uses neural networks and natural language processing (e.g., machine learning algorithms @ Mehra Col. 6, lines 46-14).  



The limitations of claim 11 are substantially similar to claim 2 above, and therefore the claim is likewise rejected.

The limitations of claim 12 are substantially similar to claim 3 above, and therefore the claim is likewise rejected.

The limitations of claim 13 are substantially similar to claim 4 above, and therefore the claim is likewise rejected.

The limitations of claim 14 are substantially similar to claim 5 above, and therefore the claim is likewise rejected.

The limitations of claim 15 are substantially similar to claim 6 above, and therefore the claim is likewise rejected.

The limitations of claim 16 are substantially similar to claim 7 above, and therefore the claim is likewise rejected.

The limitations of claim 17 are substantially similar to claim 8 above, and therefore the claim is likewise rejected.



With respect to claim 19, Mehra teaches a system comprising: 
one or more processing units (e.g., Fig. 2 #275); and 
a computer-readable storage medium having computer-executable instructions stored thereupon, which, when executed by the one or more processing units (e.g., Fig. 2B #290), cause the one or more processing units to: 
receive a plurality of alerts associated with a plurality of resources being monitored by a security operations center, wherein an individual alert is generated by an alert monitoring system deployed in association with a particular resource or a particular group of resources based on one or more detected actions that are associated with a potential security issue (e.g., the MCD system, teaching an alert monitoring system deployed with a particular resource, identifies suspicious objects relating to the resources and generates an attack alert for the EWS @ Col. 5, lines 7-9; the attack alert is communicated to the input engine for analysis, feature extraction and classification @ Col. 5, line 64 - Col. 6, line 5; and the EWS may be communicatively coupled with a communication network and operate as a data capturing device, also referred to as a network tap @ Col. 7, lines 46-50); 
apply a model to identify, within the plurality of alerts, a pattern of alerts that are associated with a particular resource or a particular group of resources (e.g., upon receipt of the attack alert, analyze, classify, and generate a classified result @ Col. 5, line 64 - Col. 6, line 5); 
making predictions based on the pattern of alerts (e.g., using probabilistic or machine-learning algorithms, the correlation engine is configured to determine an "attack value", which is compared with a predetermined threshold value to determine whether an early warning alert should be generated; this teaches the early warning alert as a probabilistic prediction of a next alert to be triggered @ Col. 6, lines 33-41); and 
present, in a graphical user interface, information associated with the next alert and the pattern of alerts, wherein the information includes a probability of the next alert being triggered (e.g., the reporting engine may issue an early warning alert or report such as an email message, text message, display screen image, etc. @ Col. 7, lines 5-7, and the report includes detailed instructions pertaining to a probability attack value, specific attack types, potential issues thereto, security holes, and best practices to prevent one or more predicted malware attacks @ Col. 7, lines 15-17).  
Mehra discloses the claimed subject matter as discussed above with respect to receiving and/or pulling a plurality of alerts, but does not explicitly disclose predicting, based on application of the model, a next alert that is to be triggered in the pattern of alerts.  However, Niininen teaches predicting, based on application of the model, a next alert that is to be triggered in the pattern of alerts (e.g., the alert classifier trains a predictive machine learning model, calculates a probability that the subsequent alert is actionable or non-actionable, and the subsequent alert is presented in a network monitoring user interface based on the probability ¶ 0096).  Therefore, based on Mehra in view of Niininen, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply the teaching of Niininen to the system of Mehra in order to provide a system that continuously learns, via machine learning, to identify incident-causing alarms and highlights them in a network monitoring user interface for review, thereby advantageously reducing the work, time, resources, etc. associated with classifying alerts (¶ 0037).

With respect to claim 20, the references above further teach wherein the graphical user interface presents an option to provide feedback indicating whether the next alert and the pattern of .

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHAU LE whose telephone number is (571)270-7217. The examiner can normally be reached M-F 8:00-5:00.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, CARL COLIN can be reached on (571) 272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/CHAU LE/Primary Examiner, Art Unit 2493