DETAILED ACTION
This is a non-final Office action in response to communications received on 5/29/2019.  Claims 1-23 are pending and are examined.  The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Drawings
The drawings filed 5/29/2019 are acknowledged.
Provisional/Foreign Priority
No foreign or provisional priority is acknowledged.  

Objections
Claims 1, 12 and 23 are objected to because of the following informalities: the claim language “a triggered rule which processing has triggered an offense” is confusing and misleading.  Did Applicant intend to claim “rule which processing triggered a determination of the incoming security event as an offense”?  Also, it is unclear from the language “processing has triggered an offense” whether the current rule counter and the indicator of compromise counter are incremented only when the incoming security event is determined to be an offense.  Appropriate clarification/correction is required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claim 23 is rejected under 35 U.S.C. § 101 because the claim is directed to non-statutory subject matter.
Claim 23 recites “a computer program product . . . comprising: one or more computer-readable tangible storage medium and program instructions stored on at least one of the one or more storage medium”.  Applicant’s Specification does not provide a definition of the tangible storage medium that limits it explicitly to hardware (Spec. para. [0136] discloses that the storage medium “may be, for example, but is not limited to”), and “while the recitation ‘non-transitory’ is a viable option for overcoming the presumption that those media encompass signals or carrier waves, merely indicating that such media are ‘physical’ or ‘tangible’ will not overcome such presumption” (In re Mewherter, Appeal No. 2012-007692, p. 14 (BPAI 2013) (precedential) (quoting U.S. Patent and Trademark Office, Evaluating Subject Matter Eligibility Under 35 USC § 101 (August 2012 Update) (pp. 11-14), available at http://www.uspto.gov/patents/law/exam/101_training_aug2012.pdf)).  Pending claims are interpreted as broadly as their terms reasonably allow.  See In re Zletz, 893 F.2d 319 (Fed. Cir. 1989).  The broadest reasonable interpretation of a claim drawn to a storage medium (also called a machine readable medium and other such variations) typically covers forms of non-transitory tangible media and transitory propagating signals per se in view of the ordinary and customary meaning of recording medium, particularly when the specification is silent (see MPEP 2111.01).  When the broadest reasonable interpretation of a claim covers a signal per se, the claim must be rejected under 35 U.S.C. § 101 as covering non-statutory subject matter.  See In re Nuijten, 500 F.3d 
A claim drawn to such a storage medium that covers both transitory and non-transitory embodiments may be amended to narrow the claim to cover only statutory embodiments to avoid a rejection under 35 U.S.C. § 101 by adding the limitation "non-transitory" to the claim. Cf Animals - Patentability, 1077 Off. Gaz. Pat. Office 24 (April 21, 1987).

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 
Claims 12-21 in this application include one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) use a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function, and the generic placeholder is not preceded by a structural modifier.  Such claim limitations are: first generation unit, increment module, second generator unit and sorting module.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-21 and 23 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claims 1, 12 and 23 are rejected as indefinite because the claim phrase “sorting within each rule the indicators of compromise in the indicator of compromise index according to weighted current indicator of compromise counter values” is unclear.  Each of the claims discloses “generating a rule index of rules” and “generating an indicator of compromise index for each of the rules . . . comprising an indicator value”, however claims 1, 12 and 23 do not disclose that the indicator of compromise index is actually located WITHIN each rule.  Did Applicant intend to claim “sorting within each of the rules” or “sorting within the rule index of rules” or is the indicator of compromise index actually within each rule?  Further, there is insufficient antecedent basis for “the indicators of compromise” as the claims only disclose the indicator of compromise as comprising a single indicator value to be used for comparison.  Appropriate clarification/correction is required.
Claims 10 and 21 are rejected as indefinite because the values/definitions of the algorithm terms “past rule counter”, “observed events” and “pseudo security events” are 
Claim 12 is rejected as indefinite because the claim term “the generator unit” lacks antecedent basis.  Claim 12 discloses two generation units – a first generation unit and a second generation unit.  It is unclear which, if either, of these generation units is being referenced by this claim term.  Appropriate clarification/correction is required.
Claim limitations in claims 12-21 invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.  However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function.  Specifically, claims 12-21 recite a first generation unit for generating, an increment module for increasing, a second generator unit for generating and a sorting module for sorting without disclosing the hardware which implements the functions of these units/modules.  In addition, the Examiner could not find disclosure in the Specification explaining what hardware in the system performs the functions of the units/modules of claims 12-21.  Therefore, claims 12-21 are indefinite and are rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph.
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 

If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1.	Determining the scope and contents of the prior art.
2.	Ascertaining the differences between the prior art and the claims at issue.
3.	Resolving the level of ordinary skill in the pertinent art.
4.	Considering objective evidence present in the application indicating obviousness or nonobviousness.


This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.   
Claims 1-2, 4-5, 12-13, 15-16 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Desch (US 2017/0187741 A1) in view of Leonard Renners et al., Modeling and Learning Incident Prioritization, in The 9th IEEE International Conference , and further in view of Pernicha.
Regarding claim 1, Desch discloses the limitations substantially as follows:
A method for processing security events by applying a rule-based alarm scheme for determining whether a received security event is considered as offense, the method comprising (Desch, paras. [0052], [0059]: disclose detecting occurrences of security event corresponding to indicators of compromise, and generate one or more alarms to be transmitted to a user device):
generating a rule index of rules, the rules to be applied when receiving an incoming security event (Desch, paras. [0005], [0042], [0049]: discloses generation of a set of rules for application to events (i.e. applied when receiving incoming events) in order to detect and manage indicators of compromises);
generating an indicator of compromise index for each of the rules, each entry of the indicator of compromise index comprising an indicator value to be used for a comparison against an attribute of a security event (Desch,  para. [0005], [0034], [0042], [0049], [0053]: generating indicator of compromise values such as hash values (i.e. IOC index) for each of the set of rules, where an indicator of compromise value comprising a hash value is matched/compared against attributes of an event);
processing the incoming security event by applying the rules, wherein processing the incoming security event by applying the rules comprises (Desch, paras. [0042]: processing events for security by applying rules):
increasing, in a rule incrementation step, a current rule counter relating to a triggered rule which processing has triggered an offense (Desch, paras. [0060]-[0061]: increasing a level of severity and an incremental counter (i.e., counters for triggered rule is incremented) for a rule corresponding to the Indicator of compromise), and
increasing a current indicator of compromise counter pertaining to the triggered rule (Desch, paras. [0060]: discloses maintaining an incremental counter for an indicator of compromise based on processing or matching performed by a set of rules);
generating data about known attacks and related indicators of compromise (Desch, paras. [0034], [0042], [0045], [0060]: generating alerts, status reports and instructions for addressing communications from malicious addresses and vulnerabilities (i.e. data about known attacks) based upon a determined severity for the indicators of compromise for the attack/event); and 
processing events by applying the rules, wherein processing comprises (Desch, [0042] processing events for security by applying rules): 
increasing a current rule counter relating to the triggered rule which processing has triggered the offense, (Desch, paras. [0060]-[0061]: incrementing an incremental counter and a level of severity (i.e. current rule counters), where the level of severity is required to match a threshold required for an applicable rule to be disseminated, where the rule is generated and disseminated/triggered in relation to determining the severity of the indicator of compromise) and 
increasing a current indicator of compromise counter pertaining to the triggered rule (Desch, paras. [0006], [0060]-[0061]: discloses maintaining an incremental counter for an indicator of compromise based on processing or matching performed by a set of rules), 
sorting the rules in the rule index according to respective weighted rule counter values (paras. [0005]-[0006], [0038]-[0039], [0041]-[0042], [0060]-[0061]: adjusting/prioritizing certain rules over other rules (i.e. sorting the rules of the rule index) based upon determining the severity and status (i.e. active or inactive) of indicator of compromise values for each rule (i.e. within each rule) according to a set of factors/weights for the IOC values including the counter and lifecycle for the rules/IOC values (i.e. weighted rule counter values)), and  
sorting, within each rule, the indicators of compromise in the indicator of compromise index according to weighted current indicator of compromise counter values (paras. [0005]-[0006], [0038]-[0039], [0041]-[0042], [0059]-[0061]: sorting/normalizing the indicator of compromise values for each rule (i.e. within each rule) according to a set of factors/weights for the indicator of compromise values including occurrences of the indicator of compromise values (i.e. weighted IOC counter values)).
Desch does not disclose the limitations of claim 1 as follows:
	processing the incoming security event by sequentially applying the rules, wherein processing the incoming security event by sequentially applying the rules comprises
	generating a pseudo security event from received data about known attacks;
	processing the pseudo security events by sequentially applying the rules, wherein processing the pseudo security events comprises:
	increasing a current rule counter of pseudo security events;
increasing a current indicator of compromise counter for pseudo security events;
However, in the same field of endeavor, Renners discloses the limitations of claim 1 as follows:
	generating a pseudo security event from received data about known attacks (pp. 398-402, sections II, III, IV & V: applying machine learning to generate training data comprising incidents (i.e. pseudo security events) from data received identifying what targets have been identified as vulnerable against attacks by known hostile hosts (i.e. data about known attacks));
	processing the pseudo security events by applying the rules, wherein processing the pseudo security events comprises (pp. 398-402, sections II, III, IV & V: processing the incidents of the labeled training data by applying rules, wherein processing the incidents of the labeled training data comprises):
increasing a current rule counter of pseudo security events (pp. 400-402, sections III, IV and V: increasing the number of leaves and rules (i.e. current rule counter) for incidents of training data);
increasing a current indicator of compromise counter for pseudo security events (pp. 400-402, sections III, IV and V, Figs. 2-3: increasing a severity indicator (i.e. current indicator of compromise counter) for incidents from the training data);
Renners is combinable with Desch because both are from the same field of endeavor of improving security information and event management (SIEM) systems.  It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate Renners’ method of applying machine learning and data mining techniques to generate rules with the system of Desch in order to build a generic model suitable for describing different calculation schemes and “use contextual information to remove false positives” (Renners, p. 398).    
Neither Desch nor Renners explicitly discloses the remaining limitations of claim 1 as follows:
		processing by sequentially applying the rules, wherein processing by sequentially applying the rules comprises
		processing by sequentially applying the rules
However, in the same field of endeavor Pernicha discloses the remaining limitations of claim 1 as follows:
	processing by sequentially applying the rules, wherein processing by sequentially applying the rules comprises (Pernicha, paras. [0044], [0061]: processing rules in a sequence reordered based upon a weighted hit counter);
	processing by sequentially applying the rules (Pernicha, paras. [0044], [0061]: processing rules in the reordered sequence);
sorting the rules in the rule index according to respective weighted rule counter values (Pernicha, paras. [0044], [0061]: reordering/sorting the rules according to weighted rule values including the number of times the rule has been used (i.e. weighted rule counter values)), 
Pernicha is combinable with Renners and Desch because all three are from the same field of endeavor of managing rules to improve system security.  It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate Pernicha’s method of processing rules sequentially with the system of Renners and Desch in order to lower the computational effort spent by the system by enabling the system to process first the rules most likely to be relevant.  

Regarding claims 2 and 13, Desch, Renners and Pernicha disclose the limitations of the method of claim 1 and the system of claim 12.  
Pernicha discloses the limitations of claims 2 and 13 as follows:
	wherein the sorting the rules also comprises: 
	determining the weighted rule counter values by combining weighted past rule counter values and weighted current rule counter values of the rule (Pernicha, paras. [0060]-[0061]: determining the weighted hit counter by combining hit count data from previous time frames (i.e. past weighted rule counter values) with weighted hit count data of current time frame).
It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate Pernicha’s method of determining the weighted rule counter values based on historical data with the system of Renners and Desch in order to increase the flexibility of the system by enabling the rules to be dynamically reordered based upon “the scope and attributes of policy rules and weights assigned to particular types of traffic, preference settings, priority settings, network traffic characteristics, and/or network usage statistics based on automatic or manual criteria, at any given time, with or without administrator intervention” (Pernicha, para. [0061]).

 Regarding claims 4 and 15, Desch, Renners and Pernicha disclose the limitations of the method of claim 1 and the system of claim 12.  
Desch discloses the limitations of claims 4 and 15 as follows:
	wherein the rule incrementation step also comprises: 
	increasing the current rule counter by a fixed number or by a number indicative of a severity of the offense (Desch, paras. [0060]-[0061]: increasing the level of severity based upon determining how severe the threat is associated with indicators of compromise of the event). 	

Regarding claims 5 and 16, Desch, Renners and Pernicha disclose the limitations of the method of claim 1 and the system of claim 12.  
Desch discloses the limitations of claims 5 and 16 as follows:
	wherein the increasing the current indicator of compromise counter also comprises: increasing the current indicator of compromise counter by a fixed number (Desch, paras. [0060]-[0061]: incrementing the counter for the indicator of compromise by a fixed increment).
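The scheme mapped to claims 1, 2, 4 and 5 above (a rule index, a per-rule indicator of compromise index, rule and IoC counters raised when a rule triggers an offense, pseudo security events generated from received data about known attacks, and both indexes sorted by weighted counter values) is illustrated below as an added example. It is not code from the application, from Desch, Renners or Pernicha, or from any SIEM product. The weights, the first-match early exit, the window roll-over that turns current counts into past counts, and all sample events, indicator values and threat records are assumptions made for the illustration; the field names (`src_ip`, `sha256`, `domain`) are likewise constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Ioc:
    """Entry of a rule's indicator-of-compromise index (constructed example)."""
    attribute: str      # event attribute the indicator value is compared against
    value: str          # indicator value (hash, IP address, domain, ...)
    current: int = 0    # raised for real events in the current window
    past: int = 0       # carried over from earlier windows (claim 2)
    pseudo: int = 0     # raised for pseudo events built from known-attack data

@dataclass
class Rule:
    """Entry of the rule index, carrying its own IoC index and counters."""
    name: str
    severity: int       # step used when the rule counter is raised (claim 4)
    iocs: List[Ioc]
    current: int = 0
    past: int = 0
    pseudo: int = 0

W_CURRENT, W_PAST, W_PSEUDO = 1.0, 0.5, 0.25   # assumed weights; the claims fix none

def weighted(current: int, past: int, pseudo: int) -> float:
    """Combine weighted current, past and pseudo-event counter values."""
    return W_CURRENT * current + W_PAST * past + W_PSEUDO * pseudo

def build_rule_index() -> List[Rule]:
    """Constructed sample rule index; all indicator values are placeholders."""
    return [
        Rule("malicious_hash", 3, [Ioc("sha256", "deadbeef01"), Ioc("sha256", "deadbeef02")]),
        Rule("c2_address", 2, [Ioc("src_ip", "203.0.113.7"), Ioc("src_ip", "198.51.100.9")]),
        Rule("phishing_domain", 1, [Ioc("domain", "login-example.test"),
                                    Ioc("domain", "update-example.test")]),
    ]

def apply_rules(rules: List[Rule], event: Dict[str, str], pseudo: bool = False) -> Optional[str]:
    """Sequentially apply the rules; the first rule whose IoC index matches an event
    attribute triggers an offense. Its rule counter is raised by the rule severity
    (claim 4; a fixed number would be a constant step) and the matching IoC counter
    by a fixed number (claim 5). Stopping at the first triggered rule is an assumption."""
    for rule in rules:
        for ioc in rule.iocs:
            if event.get(ioc.attribute) == ioc.value:
                if pseudo:
                    rule.pseudo += rule.severity
                    ioc.pseudo += 1
                else:
                    rule.current += rule.severity
                    ioc.current += 1
                return rule.name
    return None

def pseudo_events_from_threat_data(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Generate pseudo security events, shaped like real events, from received
    known-attack records that each name an attribute and an indicator value."""
    return [{r["attribute"]: r["value"]} for r in records]

def sort_index(rules: List[Rule]) -> List[str]:
    """Sort rules by weighted rule counter and, within each rule, its IoCs by
    weighted IoC counter (both descending); return the resulting rule order."""
    for rule in rules:
        rule.iocs.sort(key=lambda i: weighted(i.current, i.past, i.pseudo), reverse=True)
    rules.sort(key=lambda r: weighted(r.current, r.past, r.pseudo), reverse=True)
    return [r.name for r in rules]

def roll_window(rules: List[Rule]) -> None:
    """Close the counting window: current counts become past counts (assumed policy)."""
    for rule in rules:
        rule.past, rule.current = rule.past + rule.current, 0
        for ioc in rule.iocs:
            ioc.past, ioc.current = ioc.past + ioc.current, 0

# Constructed sample input: six incoming events and three known-attack records.
SAMPLE_EVENTS = [
    {"src_ip": "203.0.113.7", "sha256": "0000000000"}, {"domain": "update-example.test"},
    {"src_ip": "198.51.100.9"}, {"src_ip": "198.51.100.9"},
    {"sha256": "deadbeef02"}, {"domain": "update-example.test"},
]
SAMPLE_THREAT_DATA = [{"attribute": "src_ip", "value": "198.51.100.9"},
                      {"attribute": "domain", "value": "login-example.test"},
                      {"attribute": "src_ip", "value": "198.51.100.9"}]

def run_demo() -> dict:
    """Process the samples, sort both indexes, then roll the window."""
    rules = build_rule_index()
    for event in SAMPLE_EVENTS:
        apply_rules(rules, event)
    for event in pseudo_events_from_threat_data(SAMPLE_THREAT_DATA):
        apply_rules(rules, event, pseudo=True)
    rule_order = sort_index(rules)
    ioc_order = {r.name: [i.value for i in r.iocs] for r in rules}
    roll_window(rules)
    after_roll = {r.name: weighted(r.current, r.past, r.pseudo) for r in rules}
    return {"rule_order": rule_order, "ioc_order": ioc_order, "after_roll": after_roll}
```

With the constructed samples the `c2_address` rule moves to the head of the rule index and `198.51.100.9` to the head of its IoC index, so the next event from that address is matched on the first comparison; the early exit is what turns that ordering into saved computation, which is the rationale the rejection attributes to Pernicha. The pseudo-event counters let received threat data raise a rule before any real event has matched it, while the lower weight keeps them from outranking observed traffic.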

	Regarding claim 12, Desch teaches the limitations substantially as follows:
A SIEM system for processing security events by applying a rule-based alarm scheme for determining whether a received security event is considered as offense (Desch, paras. [0052], [0059]: disclose detecting occurrences of security event corresponding to indicators of compromise, and generate one or more alarms to be transmitted to a user device), the system comprising: 
	a first generation unit adapted for generating a rule index of rules, the rules to be applied when receiving an incoming security event (Desch, paras. [0005], [0042], [0049]: discloses generation of a set of rules for application to events (i.e. applied when receiving incoming events) in order to detect and manage indicators of compromises), wherein the generator unit is also adapted for generating an indicator of compromise index for each of the rules, each entry of the indicator of compromise index comprising an indicator value to be used for a comparison against an attribute of a security event (Desch,  para. [0005], [0034], [0042], [0049], [0053]: generating indicator of compromise values such as hash values (i.e. IOC index) for each of the set of rules, where an indicator of compromise value comprising a hash value is matched/compared against attributes of an event); 
	a correlation engine adapted for processing the incoming security event by applying the rules (Desch, paras. [0042]: processing events for security by applying rules); 
	an increment module adapted for increasing a current rule counter relating to a triggered rule which processing has triggered an offense (Desch, paras. [0060]-[0061]: increasing a level of severity and an incremental counter (i.e., counters for triggered rule is incremented) for a rule corresponding to the Indicator of compromise), wherein the increment module is also adapted for increasing a current indicator of compromise counter pertaining to the triggered rule (Desch, paras. [0060]: discloses maintaining an incremental counter for an indicator of compromise based on processing or matching performed by a set of rules); and 
	a second generator unit adapted for receiving data about known attacks and related indicators of compromise (Desch, paras. [0034], [0042], [0045], [0060]: generating alerts, status reports and instructions for addressing communications from malicious addresses and vulnerabilities (i.e. data about known attacks) based upon a determined severity for the indicators of compromise for the attack/event), 
	wherein the correlation engine is also adapted for processing events by applying the rules (Desch [0042] discloses that a set of rules may sense, detect, and prevent instances of associated indicator of compromises by sequentially identifying whether different attributes of an event (e.g., an IP address, a hash value, etc.) match values of indicators of compromise), 
	wherein the processing comprises increasing a current rule counter relating to the triggered rule which processing has triggered the offense (Desch, paras. [0060]-[0061]: incrementing an incremental counter and a level of severity (i.e. current rule counters), where the level of severity is required to match a threshold required for an applicable rule to be disseminated, where the rule is generated and disseminated/triggered in relation to determining the severity of the indicator of compromise), and increasing a current indicator of compromise counter pertaining to the triggered rule (Desch, paras. [0006], [0060]-[0061]: discloses maintaining an incremental counter for an indicator of compromise based on processing or matching performed by a set of rules), and 
	a sorting module adapted for sorting the rules in the rule index according to respective weighted rule counter values (paras. [0005]-[0006], [0038]-[0039], [0041]-[0042], [0060]-[0061]: adjusting/prioritizing certain rules over other rules (i.e. sorting the rules of the rule index) based upon determining the severity and status (i.e. active or inactive) of indicator of compromise values for each rule (i.e. within each rule) according to a set of factors/weights for the IOC values including the counter and lifecycle for the rules/IOC values (i.e. weighted rule counter values)), and adapted for sorting, within each rule, the indicators of compromise in the indicator of compromise index according to weighted indicator of compromise counter values (paras. [0005]-[0006], [0038]-[0039], [0041]-[0042], [0059]-[0061]: sorting/normalizing the indicator of compromise values for each rule (i.e. within each rule) according to a set of factors/weights for the indicator of compromise values including occurrences of the indicator of compromise values (i.e. weighted IOC counter values)).
Desch does not explicitly disclose the remaining limitations of claim 12 as follows:
	processing the incoming security event by sequentially applying the rules, wherein processing the incoming security event by sequentially applying the rules
	generating a pseudo security event from received data about known attacks;
	processing the pseudo security events by sequentially applying the rules, wherein processing the pseudo security events 
	increasing, by a pseudo security event counter module, a current rule counter of pseudo security events;
increasing, by a counter for indicator of compromise for pseudo security events, a current indicator of compromise counter for pseudo security events;
However, in the same field of endeavor, Renners discloses the limitations of claim 12 as follows:
	generating a pseudo security event from received data about known attacks (pp. 398-402, sections II, III, IV & V: applying machine learning to generate training data comprising incidents (i.e. pseudo security events) from data received identifying what targets have been identified as vulnerable against attacks by known hostile hosts (i.e. data about known attacks));
processing the pseudo security events by applying the rules, wherein processing the pseudo security events comprises (pp. 398-402, sections II, III, IV & V: processing the incidents of the labeled training data by applying rules, wherein processing the incidents of the labeled training data comprises):
	increasing, by a pseudo security event counter module, a current rule counter of pseudo security events (pp. 400-402, sections III, IV and V: increasing the number of leaves and rules (i.e. current rule counter) for incidents of training data);
increasing, by a counter for indicator of compromise for pseudo security events, a current indicator of compromise counter for pseudo security events (pp. 400-402, sections III, IV and V, Figs. 2-3: increasing a severity indicator (i.e. current indicator of compromise counter) for incidents from the training data);
Renners is combinable with Desch because both are from the same field of endeavor of improving security information and event management (SIEM) systems.  It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate Renners’ method of applying machine learning and data mining techniques to generate rules with the system of Desch in order to build a generic model suitable for describing different calculation schemes and “use contextual information to remove false positives” (Renners, p. 398).    
Neither Desch nor Renners explicitly discloses the remaining limitations of claim 12 as follows:
processing by sequentially applying the rules, wherein processing by sequentially applying the rules comprises
		processing by sequentially applying the rules
However, in the same field of endeavor Pernicha discloses the remaining limitations of claim 12 as follows:
	processing by sequentially applying the rules, wherein processing by sequentially applying the rules comprises (Pernicha, paras. [0044], [0061]: processing rules in a sequence reordered based upon a weighted hit counter);
	processing by sequentially applying the rules (Pernicha, paras. [0044], [0061]: processing rules in the reordered sequence);
sorting the rules in the rule index according to respective weighted rule counter values (Pernicha, paras. [0044], [0061]: reordering/sorting the rules according to weighted rule values including the number of times the rule has been used (i.e. weighted rule counter values)),
Pernicha is combinable with Renners and Desch because all three are from the same field of endeavor of managing rules to improve system security.  It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate Pernicha’s method of processing rules sequentially with the system of Renners and Desch in order to lower the computational effort spent by the system by enabling the system to process first the rules most likely to be relevant.  
	
	Regarding claim 23, Desch teaches the limitations substantially as follows:
A computer program product for processing security events by applying a rule-based alarm scheme for determining whether a received security event is considered as offense (Desch, paras. [0052], [0059]: disclose detecting occurrences of security event corresponding to indicators of compromise, and generate one or more alarms to be transmitted to a user device), the computer program product comprising: 
	one or more computer-readable tangible storage medium and program instructions stored on at least one of the one or more tangible storage medium, the program instructions executable by a processor, the program instructions comprising:
	program instructions to generate a rule index of rules, the rules to be applied when receiving an incoming security event (Desch, paras. [0005], [0042], [0049]: discloses generation of a set of rules for application to events (i.e. applied when receiving incoming events) in order to detect and manage indicators of compromises); 
	program instructions to generate an indicator of compromise index for each of the rules, each entry of the indicator of compromise index comprising an indicator value to be used for a comparison against an attribute of a security event (Desch,  para. [0005], [0034], [0042], [0049], [0053]: generating indicator of compromise values such as hash values (i.e. IOC index) for each of the set of rules, where an indicator of compromise value comprising a hash value is matched/compared against attributes of an event); 
	program instructions to process the incoming security event by applying the rules (Desch, paras. [0042]: processing events for security by applying rules); 
	program instructions to increase a current rule counter relating to a triggered rule which processing has triggered an offense (Desch, paras. [0060]-[0061]: increasing a level of severity and an incremental counter (i.e., counters for triggered rule is incremented) for a rule corresponding to the Indicator of compromise); 
	program instructions to increase a current indicator of compromise counter pertaining to the triggered rule (Desch, paras. [0060]: discloses maintaining an incremental counter for an indicator of compromise based on processing or matching performed by a set of rules);
	program instructions to generate data about known attacks and related indicators of compromise (Desch, paras. [0034], [0042], [0045], [0060]: generating alerts, status reports and instructions for addressing communications from malicious addresses and vulnerabilities (i.e. data about known attacks) based upon a determined severity for the indicators of compromise for the attack/event); and 
	program instructions to process the events by applying the rules (Desch, para. [0042]: processing events for security by applying rules), wherein the processing comprises program instructions to increase a current rule counter relating to the triggered rule which processing has triggered the offense (Desch, paras. [0060]-[0061]: incrementing an incremental counter and a level of severity (i.e. current rule counters), where the level of severity is required to match a threshold required for an applicable rule to be disseminated, where the rule is generated and disseminated/triggered in relation to determining the severity of the indicator of compromise), and 
	program instructions to increase a current indicator of compromise counter pertaining to the triggered rule (Desch, paras. [0006], [0060]-[0061]: discloses maintaining an incremental counter for an indicator of compromise based on processing or matching performed by a set of rules); 
	program instructions to sort the rules in the rule index according to respective weighted rule counter values (paras. [0005]-[0006], [0038]-[0039], [0041]-[0042], [0060]-[0061]: adjusting/prioritizing certain rules over other rules (i.e. sorting the rules of the rules index) based upon determining the severity and status (i.e. active or inactive) of indicators of compromise values for each rule (i.e. with each rule) according to a set of factors/weights for the IOC values including the counter and lifecycle for the rules/IOC values (i.e. weighted rule counter values); and 
	program instructions to sort, within each rule, the indicators of compromise in the indicator of compromise index according to weighted indicator of compromise counter values (paras. [0005]-[0006], [0038]-[0039], [0041]-[0042], [0059]-[0061]: sorting/normalizing the indicators of compromise values for each rule (i.e. within each rule) according to a set of factors/weights for the indicator of compromise values including occurrences of the indicator of compromise values (i.e. weighted IOC counter values)).

	process the incoming security event by sequentially applying the rules, wherein processing the incoming security event by sequentially applying the rules comprises
	generate a pseudo security event from received data about known attacks;
	processing the pseudo security events by sequentially applying the rules, wherein processing the pseudo security events comprises:
	increase a current rule counter of pseudo security events;
increase a current indicator of compromise counter for pseudo security events;
However, in the same field of endeavor, Renners discloses the limitations of claim 23 as follows:
	generate a pseudo security event from received data about known attacks (pp. 398-402, sections II, III, IV & V: applying machine learning to generate training data comprising incidents (i.e. pseudo security events) from data received identifying what targets have been identified as vulnerable against attacks by known hostile hosts (i.e. data about known attacks));
	process the pseudo security events by applying the rules, wherein processing the pseudo security events comprises (pp. 398-402, sections II, III, IV & V: processing the incidents of the labeled training data by applying rules, wherein processing the incidents of the labeled training data comprises):
increase a current rule counter of pseudo security events (pp. 400-402, sections III, IV and V: increasing the number of leaves and rules (i.e. current rule counter) for incidents of training data);
increase a current indicator of compromise counter for pseudo security events (pp. 400-402, sections III, IV and V, Figs. 2-3: increasing a severity indicator (i.e. current indicator of compromise counter) for incidents from the training data);
Renners is combinable with Desch because both are from the same field of endeavor of improving security information and event management (SIEM) systems.  It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate Renners’ method of applying machine learning and data mining techniques to generate rules with the system of Desch in order to build a generic model suitable for describing different calculation schemes and “use contextual information to remove false positives” (Renners, p. 398).
Neither Desch nor Renners explicitly discloses the remaining limitations of claim 23 as follows:
		process by sequentially applying the rules, wherein processing by sequentially applying the rules comprises
		process by sequentially applying the rules
However, in the same field of endeavor Pernicha discloses the remaining limitations of claim 23 as follows:
	process by sequentially applying the rules, wherein processing by sequentially applying the rules comprises (Pernicha, paras. [0044], [0061]: processing rules in a sequence reordered based upon a weighted hit counter);
	process by sequentially applying the rules (Pernicha, paras. [0044], [0061]: processing rules in the reordered sequence);
sort the rules in the rule index according to respective weighted rule counter values (Pernicha, paras. [0044], [0061]: reordering/sorting the rules according to weighted rule values including the number of times the rule has been used (i.e. weighted rule counter values)),
Pernicha is combinable with Renners and Desch because all three are from the same field of endeavor of managing rules to improve system security.  It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate Pernicha’s method of processing rules sequentially with the system of Renners and Desch in order to lower the computational effort spent by the system by enabling the system to process first the rules most likely to be relevant.  

Claims 3 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Desch (US 2017/0187741 A1) in view of Leonard Renners et al., Modeling and Learning Incident Prioritization, in The 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems (Sept 2017) (hereafter Renners) and Pernicha (US 2016/0191466), as applied to claims 1 and 12, further in view of Okubo (US 10,728,273).

Desch discloses the limitations of claims 3 and 14 as follows:
	wherein the sorting, within each rule (paras. [0005]-[0006], [0038]-[0039], [0041]-[0042], [0059]-[0061]: sorting/normalizing the indicators of compromise values for each rule (i.e. within each rule))
Neither Desch, Renners nor Pernicha discloses the limitations of claims 3 and 14 as follows:
the indicators of compromise also comprise: 
	determining the weighted indicator of compromise counter values by combining weighted past indicator of compromise value counter values and weighted current indicator of compromise counter values of the respective indicator of compromise.
However, in the same field of endeavor, Okubo discloses the remaining limitations of claims 3 and 14 as follows:
	the indicators of compromise also comprise: 
	determining the weighted indicator of compromise counter values by combining weighted past indicator of compromise value counter values and weighted current indicator of compromise counter values of the respective indicator of compromise (col. 3, l. 55 – col. 4, l. 5; col. 4, ll. 23-28 & 53-57; col. 5, ll. 14-30, Fig. 2: combining first and second values, which may comprise indicators of compromise including current and historical traffic (i.e. counting amount of traffic) (i.e. current and past IOC values), where the first and second values are assigned weights).
Okubo is combinable with Pernicha, Renners and Desch because all are directed to improving security systems by improving the means by which malicious behavior/traffic is identified and prevented.  It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate Okubo’s method of combining weighted past values with weighted current values into the system of Pernicha, Renners and Desch in order to generate a value that is more representative of the indicator of compromise (IOC) by incorporating values representing the IOC taken over time rather than using a single value of the IOC taken at one point in time.
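The claim elements mapped above for claims 12 and 23 (a rule index, an indicator of compromise index per rule, rule and IOC counters increased when a rule triggers an offense, sequential application of the rules, and sorting of rules and of IOCs within each rule by weighted counter values) together with the element of claims 3 and 14 (combining weighted past and weighted current IOC counter values) can be read as one procedure. The following Python is an added illustration written for this page; it is not the applicant’s code and not code from Desch, Renners, Pernicha or Okubo. The weight constants, the exact-equality match between an indicator value and an event attribute, the separate counters for pseudo security events, and the placeholder indicator values are all assumptions made for the example.

```python
"""Added example of the rule / indicator-of-compromise (IOC) counter and
weighted-sorting scheme described in the claim mappings.  Not the applicant's
implementation and not code from any cited reference; weights, match
semantics and sample values are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Ioc:
    attribute: str            # event attribute the indicator is compared against
    value: str                # indicator value (placeholder, constructed)
    current: int = 0          # current IOC counter (this counting period)
    past: int = 0             # IOC counter carried over from earlier periods
    pseudo_current: int = 0   # separate counter for pseudo security events


@dataclass
class Rule:
    name: str
    iocs: List[Ioc]           # the rule's entries in the IOC index
    current: int = 0          # current rule counter
    past: int = 0             # past rule counter
    pseudo_current: int = 0   # rule counter for pseudo security events


# Assumed weights for combining past and current counters (claims 3 and 14).
PAST_WEIGHT = 0.5
CURRENT_WEIGHT = 1.0


def weighted(past: int, current: int) -> float:
    """Weighted counter value: weighted past count plus weighted current count."""
    return PAST_WEIGHT * past + CURRENT_WEIGHT * current


def process_event(rules: List[Rule], event: Dict[str, str],
                  pseudo: bool = False) -> List[Tuple[str, str]]:
    """Apply the rules sequentially in their current index order.  A rule is
    triggered (an offense) when one of its indicator values equals the event
    attribute it is compared against; the rule counter and that IOC's counter
    are then increased.  Pseudo events increase their own counters.
    Returns the (rule name, indicator value) pairs that triggered."""
    hits = []
    for rule in rules:
        for ioc in rule.iocs:
            if event.get(ioc.attribute) == ioc.value:
                if pseudo:
                    rule.pseudo_current += 1
                    ioc.pseudo_current += 1
                else:
                    rule.current += 1
                    ioc.current += 1
                hits.append((rule.name, ioc.value))
    return hits


def sort_index(rules: List[Rule]) -> None:
    """Sort the rules by weighted rule counter and, within each rule, the IOCs
    by weighted IOC counter, most frequently triggered first (stable sort)."""
    for rule in rules:
        rule.iocs.sort(key=lambda i: weighted(i.past, i.current), reverse=True)
    rules.sort(key=lambda r: weighted(r.past, r.current), reverse=True)


def reset_counters(rules: List[Rule]) -> None:
    """Close a counting period: fold current counters into past, reset to zero."""
    for rule in rules:
        rule.past += rule.current
        rule.current = 0
        for ioc in rule.iocs:
            ioc.past += ioc.current
            ioc.current = 0


def pseudo_events(known_attacks: List[Dict]) -> List[Dict[str, str]]:
    """Generate one pseudo security event per indicator in received known-attack
    data.  The input format ({"indicators": {attribute: value}}) is constructed."""
    events = []
    for attack in known_attacks:
        for attribute, value in attack["indicators"].items():
            events.append({attribute: value})
    return events


def build_sample_index() -> List[Rule]:
    """Constructed rule index with placeholder indicator values."""
    return [
        Rule("malware-hash", [Ioc("file_hash", "HASH-A"), Ioc("file_hash", "HASH-B")]),
        Rule("c2-address", [Ioc("dst_ip", "203.0.113.10"), Ioc("dst_ip", "203.0.113.20")]),
    ]


def demo() -> List[str]:
    """Process three constructed events and return the rule order after sorting."""
    rules = build_sample_index()
    for ev in [{"dst_ip": "203.0.113.20"}, {"dst_ip": "203.0.113.20"},
               {"file_hash": "HASH-A"}]:
        process_event(rules, ev)
    sort_index(rules)
    return [r.name for r in rules]


if __name__ == "__main__":
    print(demo())
```

In `demo()` the second rule triggers twice and the first once, so after `sort_index` the rule index is reordered to process the more frequently triggered rule first; within that rule the indicator that matched is moved ahead of the one that did not. `reset_counters` shows one way the past and current counters of claims 3 and 14 can coexist with a reset to zero: the current count is carried into the past count before zeroing, so the weighted value still reflects earlier periods.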

Claims 6 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Desch (US 2017/0187741 A1) in view of Leonard Renners et al., Modeling and Learning Incident Prioritization, in The 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems (Sept 2017) (hereafter Renners) and Pernicha (US 2016/0191466), as applied to claims 1 and 12, further in view of Shelton (US 2015/0213358).
Regarding claims 6 and 17, Desch, Renners and Pernicha disclose the limitations of the method of claim 1 and the system of claim 12.  
Neither Desch, Renners nor Pernicha discloses the limitations of claims 6 and 17 as follows:
wherein the generating the pseudo security event comprises: 
	applying a tactic-technique-procedure (TTP) identifying data from the received data about known attacks, wherein the received data about known attacks are received via a structured threat information expression (STIX) protocol
However, in the same field of endeavor, Shelton discloses the limitations of claims 6 and 17 as follows:
	wherein the generating the pseudo security event comprises: 
	applying a tactic-technique-procedure (TTP) identifying data from the received data about known attacks, wherein the received data about known attacks are received via a structured threat information expression (STIX) protocol (Shelton, paras. [0049], [0055], [0079], [0132], [0145], [0147]: applying multiple analysis techniques (TTP) to identify threats based upon receiving historical data and NPL data reports, where the analyses and NPL data are received using STIX). 
Shelton is combinable with Pernicha, Renners and Desch because all are directed to improving security systems by improving the means by which malicious behavior/traffic is identified and prevented.  It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate Shelton’s method of using STIX to receive and process attack data with the system of Pernicha, Renners and Desch in order to obtain data about cybersecurity threats in a common language that can be easily understood by humans and security technologies.

Claims 7-8 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Desch (US 2017/0187741 A1) in view of Leonard Renners et al., Modeling and Learning Incident Prioritization, in The 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems (Sept 2017) (hereafter Renners) and Pernicha (US 2016/0191466), as applied to claims 1 and 12, further in view of Singh (US 2017/0223037).
Regarding claims 7 and 18, Desch, Renners and Pernicha disclose the limitations of the method of claim 1 and the system of claim 12.  
Singh discloses the limitations of claims 7 and 18 as follows:
	wherein the generating the pseudo security event comprises: 
	generating a pseudo security event for each phase of a sequence of partial cyber-attacks represented by attack patterns (paras. [0011], [0389], [0700]: generating training models (i.e. pseudo security events) for attack patterns)
Singh is combinable with Renners, Desch and Pernicha because all four are from the same field of endeavor of managing and improving the processing of security events.  It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate Singh’s method of generating models for attack patterns with the systems of Renners, Desch and Pernicha in order to enable users of the system to focus the system on training and improving system responses to a particular phase or pattern of attack.  


Singh discloses the limitations of claims 8 and 19 as follows:
	wherein the generating the pseudo security event comprises: 
	generating a pseudo security event for each indicator of compromise relating to a respective rule (Singh, paras. [0011], [0610], [0615], [0616], [0725]-[0726]: generating tests and training models including events and rules for indicators of compromise).
Singh is combinable with Renners, Desch and Pernicha because all four are from the same field of endeavor of managing and improving the processing of security events.  It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate Singh’s method of generating tests and training models for indicators of compromise with the systems of Renners, Desch and Pernicha in order to enable the system to specialize and determine the optimal responses for each specific type of indicator of compromise.

Claims 9 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Desch (US 2017/0187741 A1) in view of Leonard Renners et al., Modeling and Learning Incident Prioritization, in The 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems (Sept 2017) (hereafter Renners) and Pernicha (US 2016/0191466), as applied to claims 1 and 12, further in view of Wool (US 2009/0172800).
Regarding claims 9 and 20, Desch, Renners and Pernicha disclose the limitations of the method of claim 1 and the system of claim 12.  

	where the generating a pseudo security event (pp. 398-402, sections II, III, IV & V: applying machine learning to generate training data comprising incidents (i.e. pseudo security events)) also comprises: 
the current rule counter of pseudo security events (pp. 400-402, sections III, IV and V: counting the number of leaves and rules (i.e. current rule counter) for incidents of training data); and 
the current indicator of compromise counter for pseudo security events (pp. 400-402, sections III, IV and V, Figs. 2-3: a severity indicator counts the severity (i.e. current indicator of compromise counter) for incidents from the training data).
Neither Desch, Renners nor Pernicha discloses the remaining limitations of claims 9 and 20 as follows:
		resetting the counter to zero;
		resetting the counter to zero;
However, in the same field of endeavor, Wool discloses the remaining limitations of claims 9 and 20 as follows:
		resetting the counter to zero (para. [0030]: resetting counters to zero);
		resetting the counter to zero (para. [0030]: resetting counters to zero);
Wool is combinable with Pernicha, Renners and Desch because all four are from the same field of endeavor of managing rules to improve system security.  It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate Wool’s method of resetting the counters to zero when generating a new training or .  

Claims 11 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Desch (US 2017/0187741 A1) in view of Leonard Renners et al., Modeling and Learning Incident Prioritization, in The 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems (Sept 2017) (hereafter Renners) and Pernicha (US 2016/0191466), as applied to claims 1 and 12, further in view of Pal (US 2020/0364223).
Regarding claims 11 and 22, Desch, Renners and Pernicha disclose the limitations of the method of claim 1 and the system of claim 12.  
Desch discloses the limitations of claims 11 and 22 as follows:
	buffering the incoming security event after a predetermined first number of rules have been processed and within each processed rule a predetermined second number of indicator of compromise counter groups have been processed (Desch, paras. [0060]-[0061]: buffering dissemination of rules for processing security events until after a number of rules meeting a threshold level of severity have been processed including processing a number of indicators of compromise with a severity level reaching the threshold); and 
Neither Desch, Renners nor Pernicha discloses the remaining limitations of claims 11 and 22 as follows:
continue the processing of the buffered security event if a processing load of incoming security events decreases below a predefined load threshold value.
However, in the same field of endeavor, Pal discloses the remaining limitations of claims 11 and 22 as follows:
	continue the processing of the buffered security event if a processing load of incoming security events decreases below a predefined load threshold value (paras. [0447], [0561]: load balancing by delaying processing of events until the maximum number of events is below a load threshold).
Pal is combinable with Pernicha, Renners and Desch because all four are from the same field of endeavor of managing rules to improve responses by a system security to security events.  It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate Pal’s method of load balancing with the system of Pernicha, Renners and Desch in order to improve performance of the system and prevent the system from becoming overloaded.  

	Allowable Subject Matter
Claims 10 and 21 would be allowable if rewritten to overcome the rejection(s) under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), 2nd paragraph, set forth in this Office action and to include all of the limitations of the base claim and any intervening claims.

Conclusion
For the above-stated reasons, claims 1-23 are rejected.

1) Gruss (US 9,601,000) discloses counting occurrences of an attribute associated with rules and weighting the counter of a riskier rule by a weight greater than 1 so that a high severity rule would be equivalent to 1.5 medium severity rules (col. 8, ll. 10-20; col. 12, ll. 35-55).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHARON S LYNCH whose telephone number is (571)272-4583.  The examiner can normally be reached on 10AM-6PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T Arani can be reached on 571-272-3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHARON S LYNCH/Primary Examiner, Art Unit 2438