Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant's arguments have been fully considered but they are not persuasive.  Examiner has incorporated Cohen US 2018/0234435 to meet the claims as amended.

Applicant’s argument regarding 35 U.S.C. 112(f) has been considered but is not persuasive. Applicant’s argument that the term “a comparison module configured to” interacts with other elements is insufficient to show that the term recites structure. Examiner interprets “a comparison module configured to” as a substitute for “means for” and/or “module for”.

See MPEP 2181:
“a claim limitation that does not use the term "means" or "step" will trigger the rebuttable presumption that 35 U.S.C. 112(f)  does not apply. See, e.g., Phillips v. AWH Corp., 415 F.3d 1303, 1310, 75 USPQ2d 1321, 1324 (Fed. Cir. 2005) (en banc); CCS Fitness, Inc. v. Brunswick Corp., 288 F.3d 1359, 1369, 62 USPQ2d 1658, 1664 (Fed. Cir. 2002); Personalized Media Commc’ns, LLC v. ITC, 161 F.3d 696, 703-04, 48 USPQ2d 1880, 1886–87 (Fed. Cir. 1998). Even in the face of this presumption, the examiner should nonetheless consider whether the presumption is overcome. The presumption that 35 U.S.C. 112(f)  does not apply to a claim limitation that does not use the term "means" is overcome when "the claim term fails to 'recite 
The standard is whether the words of the claim are understood by persons of ordinary skill in the art to have a sufficiently definite meaning as the name for structure." Williamson v. Citrix Online, LLC, 792 F.3d 1339, 1349, 115 USPQ2d 1105, 1111 (Fed. Cir. 2015). The issue in Williamson was whether a "distributed learning control module" limitation in claims directed to a distributed learning system should be interpreted as a means-plus-function limitation. See Williamson, 792 F.3d at 1347. The Federal Circuit concluded that ‘‘the ‘distributed learning control module’ limitation fails to recite sufficiently definite structure and that the presumption against means-plus function claiming is rebutted." Id. at 1351. In support, the Federal Circuit determined that "the word ‘module’ does not provide any indication of structure because it sets forth the same black box recitation of structure for providing the same specified function as if the term ‘means’ had been used." Id. at 1350–51.


Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.


Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.






Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


Claims 1-6 and 10-20 are rejected under 35 U.S.C. 103 as being unpatentable over Puri US 10,043,006 in view of Reybok Jr US 2018/0324207 in view of Cohen US 2018/0234435.


As per claims 1, 10 Puri teaches A method for a cyber threat defense system, comprising: comparing input data monitoring a network entity to at least one machine-learning model trained on a normal benign behavior of the network entity using a normal behavior benchmark describing parameters corresponding to a normal pattern of activity for that network entity to spot behavior on the network deviating from a normal benign behavior of that network entity, where the network entity is at least one of a user and a device associated with a network; identifying whether the network entity is in a breach state of the normal behavior benchmark; identifying whether the breach state and a chain of relevant behavioral parameters deviating from the normal benign behavior of that network entity correspond to a cyber threat; (Column 2 lines 22-45, Column 3 lines 1-38; Column 4 lines 36-42)  (Puri teaches a cyber threat defense system that uses machine learning using a normal baseline of behavior for users or applications to detect anomalous behavior by comparing real time data to the baseline; and identifying attacks and cyber kill chains) 




It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Reybok Jr with Puri because it helps prevent security breaches.
Cohen teaches causing one or more autonomous actions to be taken to contain the cyber threat when a threat risk parameter from the cyber threat module is equal to or above an actionable threshold with an autonomous response module rather than a human taking an action, causing the one or more autonomous actions to be taken to contain the cyber threat, initiating the one or more autonomous actions to counteract the behavior on the network deviating from the normal benign behavior of that network entity, leaving the normal behavior unaffected. [0035][0052][0054][0090][0091] (Cohen teaches an automated cyber security system that takes automatic action based on a threshold and uses a policy to minimize disruption.)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the automation of Cohen with the prior art because it expedites malware resolution.

As per claim 2. Cohen teaches reviewing any suggested response actions detailed in an inoculation package with the autonomous response module and selecting the most appropriate actions to take in a current situation. [0035][0052][0054][0090][0091] (teaches reviewing options for remediation according to policy.)
Reybok Jr additionally teaches remediation measures and review [0077]-[0079]

As per claim 3. Cohen teaches starting the one or more autonomous responses with a minimum level of disruption aiming to surgically stop an attack by the cyber threat without affecting normal organizational activity, and adapting the one or more responses when the attack by the cyber threat at least one of i) changes in nature and ii) becomes more aggressive, such that the autonomous response module will select more severe controls to apply to an infected device and/or devices. [0030]-[0035][0052][0054][0084][0090][0091] (teaches reviewing options for remediation according to policy with the aim to cause minimum disruption, and responses that change in nature based on the threat input data.)


As per claim 4. Cohen teaches creating an inoculation package containing one or more digital antibodies for previously unknown cyber threats with the one or more autonomous responses to take in response to an attack by the cyber threat, and using an intelligence model to determine what an appropriate autonomous response in the one or more autonomous responses should be to the previously unknown threat to defend the network against the previously unknown cyber threat. [0087][0094][0095] (teaches automatically creating new responses/remediation/signatures for previously unknown attacks and determining what response to take to defend the network.)
See also: [0030]-[0035][0052][0054][0084][0090][0091]  
As per claim 5. Reybok Jr teaches The method for the cyber threat defense system of claim 1, further comprising: receiving, from a user analyst, at least one of a triggering input directing transmission of the inoculation notice to the target device and a blocking input preventing transmission of the inoculation notice to the target device. [0020][0021] (user customer shares observable security data with other customers.)

As per claim 6. Reybok Jr teaches The method for the cyber threat defense system of claim 1, further comprising: generating a threat risk parameter listing a set of values describing aspects of the cyber threat. [0019][0079] (teaches both a set of values associated with the threat and a risk profile.)
As per claim 11, Puri teaches A cyber-threat coordinator-component, comprising: a comparison module configured to execute a comparison of the input data monitoring a network entity to at least one machine-learning model trained on a normal benign behavior of the network entity using a normal behavior benchmark describing parameters corresponding to a normal pattern of activity for that network entity to spot behavior on the network deviating from a normal benign behavior of that network entity to identify whether the network entity is in a breach state of the normal behavior benchmark, where the network entity represents at least one of a user and a device associated with a network; a cyber threat module configured to identify whether the breach state identified by the comparison module and a chain of relevant 


Reybok Jr teaches an inoculation module configured to generate an inoculation pattern describing the breach state and the chain of relevant behavioral parameters corresponding to the cyber threat identified by the cyber threat module and to store the inoculation pattern in an inoculation record in a network-accessible inoculation database. [0019]  (identification of security threats, properties and mitigation)
Cohen teaches causing one or more autonomous actions to be taken to contain the cyber threat when a threat risk parameter from the cyber threat module is equal to or above an actionable threshold with an autonomous response module rather than a human taking an action, causing the one or more autonomous actions to be taken to contain the cyber threat, initiating the one or more autonomous actions to counteract the behavior on the network deviating from the normal benign behavior of that network entity, leaving the normal behavior unaffected. [0035][0052][0054][0090][0091] (Cohen teaches an automated cyber security system that takes automatic action based on a threshold and uses a policy to minimize disruption.)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the automation of Cohen with the prior art because it expedites malware 
Reybok Jr additionally teaches remediation measures and review [0077]-[0079]
As per claim 13. Reybok Jr teaches The apparatus for the cyber threat defense system of claim 11, wherein the inoculation module is configured to create an entity cluster to group the network entity with other entities of the network based on the chain of relevant behavior parameters of the inoculation pattern. [0019][0079][0081][0086] (sends to group members, to remediate based on kill chain properties.)

As per claim 14. Reybok Jr teaches The apparatus for the cyber threat defense system of claim 13, wherein the inoculation module is configured to select a target device for notification regarding the inoculation pattern based on the entity cluster. [0107][0108] (group member.)

As per claim 15. Cohen teaches starting the one or more autonomous responses with a minimum level of disruption aiming to surgically stop an attack by the cyber threat without affecting normal organizational activity. [0030]-[0035][0052][0054][0084][0090][0091] (teaches reviewing options for remediation according to policy with the aim to cause minimum disruption, and responses that change in nature based on the threat input data.)

As per claim 16. Cohen teaches adapting the one or more responses when the attack by the cyber threat at least one of i) changes in nature and ii) becomes more aggressive, such that the autonomous response module will select more severe controls to apply to an infected device and/or devices. [0030]-[0035][0052][0054][0084][0090][0091] (teaches reviewing options for remediation according to policy with the aim to cause minimum disruption, and responses that change in nature based on the threat input data.)

As per claim 17. Reybok Jr teaches The apparatus for the cyber threat defense system of claim 11, wherein the inoculation module is configured to update the inoculation pattern in the inoculation record based on a subsequent event. [0019]

As per claim 18. Cohen teaches creating an inoculation package containing one or more digital antibodies for previously unknown cyber threats with the one or more autonomous responses to take in response to an attack by the cyber threat. [0087][0094][0095] (teaches automatically creating new responses/remediation/signatures for previously unknown attacks and determining what response to take to defend the network.)


As per claim 19. Cohen teaches an intelligence model to determine what an appropriate autonomous response in the one or more autonomous responses should be to the previously unknown threat to defend the network against the previously unknown cyber threat. 
See also: [0030]-[0035][0052][0054][0084][0090][0091]  


As per claim 20, Puri teaches A network, comprising: at least one firewall; at least one network switch; multiple computing devices operable by users of the network; a cyber-threat coordinator-component that includes a comparison module configured to execute a comparison of the input data monitoring a network entity to at least one machine-learning model trained on a normal benign behavior of the network entity using a normal behavior benchmark describing parameters corresponding to a normal pattern of activity for that network entity to spot behavior on the network deviating from a normal benign behavior of that network entity to identify whether the network entity is in a breach state of the normal behavior benchmark, where the network entity is at least one of a user and a device associated with a network; a cyber threat module configured to identify whether the breach state identified by the comparison module and a chain of relevant behavioral parameters deviating from the normal benign behavior of that network entity correspond to a cyber threat; (Column 2 lines 22-45, Column 3 lines 1-38; Column 4 lines 36-42) (Puri teaches a cyber threat defense system that uses machine learning with a normal baseline of behavior for users or applications to detect anomalous behavior by comparing real time data to the baseline, and identifying attacks and cyber kill chains.)



Cohen teaches causing one or more autonomous actions to be taken to contain the cyber threat when a threat risk parameter from the cyber threat module is equal to or above an actionable threshold with an autonomous response module rather than a human taking an action, causing the one or more autonomous actions to be taken to contain the cyber threat, initiating the one or more autonomous actions to counteract the behavior on the network deviating from the normal benign behavior of that network entity, leaving the normal behavior unaffected. [0035][0052][0054][0090][0091] (Cohen teaches an automated cyber security system that takes automatic action based on a threshold and uses a policy to minimize disruption.)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the automation of Cohen with the prior art because it expedites malware resolution.  
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Puri US 10,043,006 in view of Reybok Jr US 2018/0324207 in view of Jou US 2018/0052993.


As per claim 7. Jou teaches The method for the cyber threat defense system of claim 6, further comprising: populating the threat risk parameter with at least one of a confidence score indicating a threat likelihood describing a probability that the breach state is the cyber threat, a severity score indicating a percentage that the network entity in the breach state is deviating from the at least one model, and a consequence score indicating a severity of damage attributable to the cyber threat. [0003][0008][0027][0051]-[0054] (teaches the score and percentage likelihood that a breach has occurred, including behavior and comparing the behavior to a baseline behavior.)
Reybok Jr teaches other scoring, including a severity score. [0079]

It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the percent comparison of Jou with the prior art because it provides an easily understandable probability of infection/breach.

Claims 8-9 are rejected under 35 U.S.C. 103 as being unpatentable over Puri US 10,043,006 in view of Reybok Jr US 2018/0324207 in view of Rajasekharan US 2019/0044963.

As per claim 8.  Rajasekharan teaches The method for the cyber threat defense system of claim 
It would have been obvious to one of ordinary skill in the art  at the time the invention was filed to use the threshold of Rajasekharan with the prior art combination in order to reduce false positives.
As per claim 9. Rajasekharan teaches The method for the cyber threat defense system of claim 8, further comprising: assigning a weight to each benchmark score to assign a relative importance to each benchmark score. [0013][0030]-[0032] (teaches comparing a behavior model to anomaly
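For illustration of the mechanism the rejected claims recite (the comparison of monitoring data against a per-entity normal behavior benchmark in claims 1, 11 and 20; the threat risk parameter with confidence and severity values in claims 6 and 7; the weighted benchmark scores in claims 8 and 9; and the threshold-gated, minimum-disruption autonomous response of claims 3, 15 and 16), the following Python example is added here. It is not code from the application or from Puri, Reybok Jr, Cohen, Jou or Rajasekharan and reproduces none of their disclosures; the metric names, baseline values, weights, thresholds and action vocabulary are assumptions chosen for the demonstration.

```python
"""Added illustration only: a per-entity baseline, weighted benchmark scores,
a threat risk parameter, and a threshold-gated, escalating autonomous response.
All metric names, values, weights, thresholds and action names are assumed."""
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed baseline window for one network entity (a host): eight samples
# of three monitored parameters observed during normal benign behaviour.
BASELINE = {
    "bytes_out_mb":  [12, 15, 11, 14, 13, 12, 16, 14],
    "new_dests":     [2, 3, 1, 2, 2, 3, 2, 1],
    "failed_logins": [0, 1, 0, 0, 1, 0, 0, 0],
}
# Assumed relative importance of each benchmark score (the "weight" of claim 9).
WEIGHTS = {"bytes_out_mb": 0.3, "new_dests": 0.3, "failed_logins": 0.4}
BREACH_Z = 3.0      # assumed per-parameter deviation (in std devs) that is a breach
ACTIONABLE = 0.6    # assumed risk at or above which the response module acts
ESCALATE = 0.85     # assumed risk at which stricter controls are selected


@dataclass
class ThreatRisk:
    """The threat risk parameter: a set of values describing the threat."""
    entity: str
    breach: bool
    chain: list = field(default_factory=list)  # parameters deviating from normal
    severity: float = 0.0                      # weighted deviation, 0..1
    confidence: float = 0.0                    # fraction of parameters in breach


def benchmark_scores(baseline, observation):
    """Z-score of each observed parameter against the entity's own baseline."""
    scores = {}
    for name, history in baseline.items():
        mu = mean(history)
        sigma = pstdev(history) or 1e-9  # constant history: avoid division by zero
        scores[name] = (observation[name] - mu) / sigma
    return scores


def assess(entity, baseline, observation, weights=WEIGHTS):
    """Compare one observation to the normal behaviour benchmark and build the
    threat risk parameter (breach state, chain, weighted severity, confidence)."""
    z = benchmark_scores(baseline, observation)
    chain = [name for name, value in z.items() if value >= BREACH_Z]
    # Each weighted score saturates at twice the breach deviation, so severity
    # stays in [0, 1] and equals 1.0 only when every parameter is far past breach.
    severity = sum(weights[n] * min(max(z[n], 0.0) / (2 * BREACH_Z), 1.0) for n in z)
    confidence = len(chain) / len(z)
    return ThreatRisk(entity, bool(chain), chain, severity, confidence)


def autonomous_response(risk):
    """Select the least disruptive control that contains the threat, escalating
    only as the attack becomes more aggressive. Below the actionable threshold
    no autonomous action is taken, so normal behaviour is left unaffected."""
    score = 0.5 * risk.severity + 0.5 * risk.confidence
    if not risk.breach or score < ACTIONABLE:
        return "observe"                 # not actionable: no autonomous action
    if score < ESCALATE:
        return "block_new_connections"   # surgical: existing normal traffic continues
    return "isolate_host"                # aggressive attack: more severe control


def run_demo():
    """Three constructed observations: normal, anomalous, and aggressive."""
    observations = [
        {"bytes_out_mb": 14, "new_dests": 2,  "failed_logins": 0},
        {"bytes_out_mb": 40, "new_dests": 9,  "failed_logins": 1},
        {"bytes_out_mb": 80, "new_dests": 30, "failed_logins": 12},
    ]
    return [autonomous_response(assess("host-17", BASELINE, o)) for o in observations]


if __name__ == "__main__":
    for obs_action in run_demo():
        print(obs_action)
```

The response is graded rather than binary: a breach on two of three parameters yields the connection-level control, while a breach on all parameters with large deviations yields host isolation. The per-parameter weight and the two thresholds are the tunables a practitioner would adjust to trade false positives against time to containment.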






Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833.  The examiner can normally be reached on M-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to 






/CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439