DETAILED ACTION
This office action is in response to the application filed on 03/13/2020. Claims 1-20 are pending and are examined.	
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Notes on Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 

(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth 

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitations are: “A system for scaling a processing resource of a security information and event management system for processing a set of security events, the system comprising: an identifying unit configured to identify an event property of a set of security events; an assessing unit configured to assess the identified event property against a predetermined rule; and a scaling unit configured to”, in claim 16 and “wherein the scaling unit is further configured to”,  in claim 18.  

Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, claims 16 and 18 are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.

The structure and description of such a system are illustrated by drawings Fig. 2, Fig. 4 and Fig. 5, and at least description paragraphs [0042], [0066]-[0071] and [0076].

If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 102 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-20 are rejected under AIA 35 U.S.C. 102(a)(1) as being unpatentable over Rossman (U.S. Patent No. 10,050,999 B1, referred to as Rossman).

Regarding claims 1, 10 and 16, Rossman teaches:
A system for scaling a processing resource of a security information and event management system for processing a set of security events (Fig. 4; C12, ln 1-8, “FIG. 4 illustrates an exemplary system for auto scaling computing resources 432 in 420”; Fig. 7; C20, ln 4-8), the system comprising: 
an identifying unit configured to identify an event property of a set of security events (Fig. 4, Item 445; C12, ln 18-45, “In one example, a security threat detection service 445 (EN: identifying unit) may detect a cyber-attack that is launched against computing resources 432 in the service provider environment 420, as well as a type of cyber-attack. For example, the security threat detection service 445 may detect a denial-of-service attack or unwanted traffic in the service provider environment 420. The security threat detection service 445 may detect signature-based attacks that involve malicious intrusions, malware, etc. (EN: an event property of a set of security events)”; Fig. 7, Step 710; C20, ln 4-8);
an assessing unit configured to assess the identified event property against a predetermined rule (Fig. 4, Item 450; C13, ln 10- 40, “the security threat mitigation service 450 (EN: assessing unit) may calculate a period of time for sustaining the performance of the auto scaling event. The security threat mitigation service 450 may calculate the period of time for sustaining auto scaling based on the type of cyber-attack (EN: assess the identified event property against a predetermined rule), an estimated computing resource capacity of the cyber-attacker and an estimated computing resource capacity of the customer's environment in the service provider environment 420.”); Fig. 4, Item 465; C16, ln 8-38, “The auto scaling detection service 465 (EN: assessing unit) may identify the attack based on the computing resources 432 under attack, and calculate an expected amount of time until the cyber-attack is completed or successful, or reaches a critical mass or poses a threat of (EN: assess the identified event property against a predetermined rule) to the customer's computing resources 432.”; Fig. 7, Step 720; C20, ln 17- 28); and 
a scaling unit configured to, in response to the assessed event property satisfying the predetermined rule, scale a processing resource for processing the set of security events based on the predetermined rule (Fig. 4, Item 465; C16, ln 8-38, “the auto scaling detection service 465 (EN: scaling unit) may calculate the expected amount of time before the cyber-attack is completed. Based on the expected amount of time before the cyber-attack is completed (EN: assessed event property satisfying the predetermined rule), the auto scaling detection service 465 may determine to throttle the customer's auto scaling event or shut down the customer's auto scaling event”; Fig. 7, Steps 730- 740; C20, ln 29- 54, “as in block 730. A type of auto scaling event to perform may be selected using heuristic scaling rules. An amount of time to perform the selected auto scaling event may be less than the expected amount of time before the computing resources become compromised… as in block 740. The auto scaling event may include auto scaling out the computing resources in the service provider environment to cause the computing resources to not be compromised in the expected amount of time”).

Regarding claim 10, Rossman further teaches:
A computer program product for scaling a processing resource of a security information and event management system for processing a set of security events, the computer program product comprising a computer readable storage medium having (C23, ls 52- 64, “The technology described here can also be stored on a computer readable storage medium that includes volatile and non-volatile, removable and non-removable media implemented with any technology for the storage of information such as computer readable instructions, data structures, program modules, or other data”; Fig. 7; C20, ln 4-54, EN: method performed)).

Regarding claims 2, 11 and 17, Rossman teaches all the features of claims 1, 10 and 16, as outlined above.
Rossman further teaches:
wherein the processing resource serves at least one tenant, wherein each of the at least one tenant is assigned a quantity of the processing resource (Fig. 3; C10, ls 3- 22, “the computing service 300 may be established for an organization by or on behalf of the organization. That is, the computing service 300 may offer a “private cloud environment.” In another example, the computing service 300 may support a multi-tenant environment (EN: at least one tenant is assigned a quantity of the processing resource), wherein a plurality of customers may operate independently (i.e., a public cloud environment)”).

Regarding claims 3 and 12, Rossman teaches all the features of claims 2 and 11, as outlined above.
Rossman further teaches:
(C2, ls 6-21, “The security threat mitigation service may perform any one of a number of auto scaling events on the computing resources in order to mitigate the cyber-attack, such as auto scaling out the computing resources (i.e., adding computing resources) or auto scaling in the computing resources (i.e., removing computing resources). (EN: scaling the quantity of the processing resource assigned to each of the at least one tenant affected by the set of security events)”).

Regarding claims 4, 13 and 19, Rossman teaches all the features of claims 1, 10 and 16, as outlined above.
Rossman further teaches:
wherein a first security event of the set of security events comprises a change in regular operations of the security information and event management system, wherein the change indicates that a security policy has been violated and/or a security safeguard has failed (Fig. 4, Item 445; C12, ln 18-45, “In one example, a security threat detection service 445 may detect a cyber-attack that is launched against computing resources 432 in the service provider environment 420, as well as a type of cyber-attack. For example, the security threat detection service 445 may detect a denial-of-service attack or unwanted traffic in the service provider environment 420. The security threat detection service 445 may detect signature-based attacks that involve malicious intrusions, malware, etc. The security threat detection service 445 may identify data 445 may identify host-based behavior, such as the behavior of applications or user traffic in the service provider environment 420. When the security threat detection service 445 detects malicious activity in the service provider environment 420 (EN: wherein the change indicates that a security policy has been violated), a threat alarm may be activated and the security threat detection service 445 may notify a security threat mitigation service 450 of the cyber-attack”; Fig. 7, Step 710; C20, ln 4-8);

Regarding claims 5, 14 and 20, Rossman teaches all the features of claims 1, 10 and 16, as outlined above.
Rossman further teaches:
wherein the event property comprises at least one of an event pattern of the set of security events; an event quantity of the set of security events; an event type of each of the set of security events; and a rate of receiving the set of security events (Fig. 2, Item 222; C7, ln 12-27, “In addition, the cyber-attack identification module 222 may identify a type of cyber-attack (e.g., a denial-of-service attack) being inflicted on the service provider environment 200. The computing resources 242 that are being subjected to the cyber-attack and the type of cyber-attack (EN: an event type of each of the set of security events) may be detected using a security threat detection system that operates in the service provider environment 200, and the security threat detection system may notify the cyber-attack identification module 222 of the 242 under attack and the type of cyber-attack that is being inflicted on the service provider environment 200.”; Fig. 4, Item 445; C12, ln 18-45).

Regarding claims 6 and 15, Rossman teaches all the features of claims 1 and 10, as outlined above.
Rossman further teaches:
wherein the predetermined rule comprises one or more predetermined tests that are satisfied in response to a specific condition being met by the set of security events (Fig. 1, Item 145, C5, ls 7- 56, “The security threat detection service 145 may detect the cyber-attack using machine learning or heuristic rules to track communications to a customer's environment in the service provider environment 120 to identify packet patterns and attack signatures. In addition, the security threat detection service 145 may identify the attack signatures by performing deep packet inspection of the communications to the customer's environment in the service provider environment 120 (EN: predetermined rule comprises one or more predetermined tests). The security threat detection service 145 may notify a security threat mitigation service 150 of the computing resources 132 under attack. More specifically, the security threat detection service 145 may provide a notification outlining the type of cyber-attack and a class of computing resources 132 that are under attack (EN: response to a specific condition being met by the set of security events). The security threat detection service 145 and the security threat mitigation service 150 may operate on a server 140 in the service provider environment 120.”; Fig. 4, Item 445; C12, ln 18-45 “The security threat detection service 445 may identify data packet (EN: predetermined rule comprises one or more predetermined tests).

Regarding claim 7, Rossman teaches all the features of claim 1, as outlined above.
Rossman further teaches:
wherein identifying an event property of a set of a security events comprises: receiving the set of security events; processing each of the set of security events; and identifying the event property of each of the set of processed security events (Fig. 4, Item 445; C12, ln 18-45, “The security threat detection service 445 may detect signature-based attacks that involve malicious intrusions, malware, etc. The security threat detection service 445 may identify data packet patterns and/or perform deep packet inspection in order to detect the signature-based attacks. In addition, the security threat detection service 445 may identify host-based behavior, such as the behavior of applications or user traffic in the service provider environment 420”).

Regarding claim 8, Rossman teaches all the features of claim 1, as outlined above.
Rossman further teaches:
wherein scaling the processing resource for processing the set of security events based on the predetermined rule comprises: generating a response to the satisfied predetermined rule; and scaling the quantity of the processing resource for processing the set of security events based on the generated response (Fig. 4, Item 465; C16, ln 8-38, “the auto scaling detection service 465 may calculate the expected amount of time before the cyber-attack is completed. Based on the expected amount of time before the cyber-attack is completed, the auto scaling detection service 465 may determine to throttle the customer's auto scaling event or shut down the customer's auto scaling event” (EN: a response to the satisfied predetermined rule); Fig. 7, Steps 730- 740; C20, ln 29- 54, “as in block 730. A type of auto scaling event to perform may be selected using heuristic scaling rules. An amount of time to perform the selected auto scaling event may be less than the expected amount of time before the computing resources become compromised… as in block 740. The auto scaling event may include auto scaling out the computing resources in the service provider environment to cause the computing resources to not be compromised in the expected amount of time”; C2, ls 6-21, “The security threat mitigation service may perform any one of a number of auto scaling events on the computing resources in order to mitigate the cyber-attack, such as auto scaling out the computing resources (i.e., adding computing resources) or auto scaling in the computing resources (i.e., removing computing resources (EN: scaling the quantity of the processing resource).

Regarding claim 9, Rossman teaches all the features of claim 8, as outlined above.
Rossman further teaches:
wherein generating the response comprises at least one of: generating a security offense alert; sending a notification; performing vulnerability scans; and performing a predetermined rule action (Fig. 4, Item 470; C15, ln 45- 65, “the security threat 450 may send a 470 notification to an operator. The notification 470 may indicate the computing resources 432 that were attacked, the auto scaling event performed to mitigate the cyber-attack, etc. The security threat mitigation service 450 may send the notification 470 via a message queuing service that operates in the service provider environment 420. Alternatively, the message may be sent via email, instant messaging, SMS (simple messaging service) or other similar messaging services. The security threat mitigation service 450 may send the notification 470 in parallel with initiating the auto scaling event to be performed”; Fig. 7, Step 750; C20, ls 55-63).

Regarding claim 18, Rossman teaches all the features of claim 17, as outlined above.
Rossman further teaches:
wherein the scaling unit is further configured to, in response to the assessed event property satisfying the predetermined rule, scale the quantity of the processing resource assigned to each of the at least two tenants affected by the set of security events (C2, ls 6-21, “The security threat mitigation service may perform any one of a number of auto scaling events on the computing resources in order to mitigate the cyber-attack, such as auto scaling out the computing resources (i.e., adding computing resources) or auto scaling in the computing resources (i.e., removing computing resources); Fig. 3; C10, ls 3- 22, “the computing service 300 may be established for an organization by or on behalf of the organization. That is, the computing service 300 may offer a “private cloud environment.” In another example, the computing service 300 may (EN: at least two tenants), wherein a plurality of customers may operate independently (i.e., a public cloud environment)”).

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:  See PTO-892.  
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HASSAN SAADOUN whose telephone number is (571)272-8408. The examiner can normally be reached Mon-Fri 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 





/HASSAN SAADOUN/Examiner, Art Unit 2435  

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435