DETAILED ACTION
1. This Non-Final Office Action is in response to the application filed on 02/08/2019. Claims 1-20 are being considered on the merits. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Drawings
2. 	The drawings filed on 02/08/2019 are accepted. 
Information Disclosure Statement
3.	The information disclosure statement (IDS) submitted on 02/20/2019 has been considered. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, an initialed and dated copy of the Applicant’s IDS form 1449 filed on 02/20/2019 is attached to this office action. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



4. Claims 1-6, 9, 11-15 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over US Pub. No. US 2018/0124072 A1 to Hamdi (hereinafter, “Hamdi”) in view of US Pub. No. US 2017/0223033 A1 to Wagner (hereinafter, “Wagner”).

As per claim 1, Hamdi teaches an apparatus comprising: 
an interface to a network; a memory; and at least one processor (Hamdi, para. [0042] “The client 102 and server 106 may be deployed as and/or executed on any type and form of computing device, e.g. a computer, network device or appliance capable of communicating on any type and form of network and performing the operations described herein. FIGS. 1C and 1D depict block diagrams of a computing device 100 useful for practicing an embodiment of the client 102 or a server 106. As shown in FIGS. 1C and 1D, each computing device 100 includes a central processing unit 121, and a main memory unit 122. As shown in FIG. 1C, a computing device 100 may include a storage device 128, an installation device 116, a network interface 118, an I/O controller 123, display devices 124a-124n, a keyboard 126 and a pointing device 127, e.g. a mouse. The storage device 128 may include, without limitation, an operating system, software, and a software of a computer environment monitoring and management (CEMM) system 120. As shown in FIG. 1D, each computing device 100 may also include additional optional elements, e.g. a memory port 103, a bridge 170, one or more input/output devices 130a-130n (generally referred to using reference numeral 130), and a cache memory 140 in communication with the central processing unit 121.”), wherein the at least one processor is to: 
select platform parameters supported by a plurality of nodes (Hamdi, para. [0136] “The method 900 can include the asset profiling engine 312 determining a set of profiling parameters (step 930). The set of profiling parameters can represent parameters to be requested from the target asset, such as asset information (e.g., IP address, MAC address, NetBIOS, etc.), asset configuration parameters, asset communication logs, asset CPU usage, packet drop rate, the like, or a combination thereof. In some implementations, determining the profiling parameters can include the asset profiling engine 312 selecting a profiling template for profiling the target asset. A profiling template can include (or represent) a query for sending to the target asset. In some implementations, the asset profiling engine 312 can determine the set of profiling parameters (or the profiling template) according to a hierarchical asset profiling scheme. The hierarchical asset profiling scheme can include multiple profiling templates, each associated with a respective profiling depth.”); 
provide workload requests to the plurality of nodes; receive results from the workload requests (Hamdi, para. [0106] “The method 700 can include the scheduling engine 314 receiving or detecting an indication of a trigger event (step 710). For instance, for periodic or scheduled data collection events (e.g., scheduled or periodic events to profile assets or acquire data from external sources such as the vulnerability scanner(s)” And para. [0108] “Upon receiving the acknowledgement, the scheduling engine 314 can send a request for the data to the data source (step 740), and receive the data over the data link (step 750). The scheduling engine 314 can receive a data query from the asset profiling engine 312 or the data collection engine 304, and forward the query to the data source over the communication link. The asset profiling engine 312 (or the data collection engine 304) can determine or select the data query based on, for example, the data source, the event triggering the data acquisition, or a combination thereof.” [0137] “The method 900 can include the asset profiling engine 312 transmitting, via the one or more established communication links, a query to the one or more computing devices to request the determined profiling parameters (step 940), and receive, via the established communication link(s), data including one or more parameter values responsive to the query (step 950). 
The received parameter values can include, for example, communication logs of the target asset (or the communication devices) indicative of IP addresses with which the target asset communicated (or is communicating) for a given last period of time (e.g., the last few days, the last few hours, the last 60, 30 or 20 minutes, or any other time period), configuration data including hardware or software configuration parameters (e.g., browser settings, user access list, access level per user, etc.), CPU usage data (cumulative CPU usage, CPU usage per software module, cache memory usage values, etc.), network usage data, memory usage data, the like or a combination thereof.”); 
determine whether any result is a majority or consistent with historical results (Hamdi, para. [0078] “The data collection engine 304 can receive, from various data sources, data (e.g., vulnerability scanning results and/or search results or alerts from databases 240, 250 or 260) indicative of cyber security subject matters or issues related to the computing and network environment 210. The data received from a given data source can include, for each cyber security subject matter indicated in the data, a respective identifier assigned by that data source. Upon receiving cyber security data from a given data source, the data collection engine 304 can scan that data to extract or determine one or more identifiers of cyber security subject matters indicated therein. The data collection engine 304 can compare each extracted identifier to identifiers associated with the CEMM system” And para. [0150] “the controller engine 310 can send an indication of the state(s) of operation, the abnormal behavior, the determined cause, the received profiling parameters, or a combination thereof to the front-end system 224 for display on a computer device 223. For example, the controller engine 310 can send an alert indicative of the target asset, the abnormal behavior, or the determined cause to a computer device 223 running a client application of the CEMM system 220. The controller engine 310 can provide state assessment data, e.g., one or more received parameter values, indication of the comparison(s) result(s), indication of the abnormal behavior, indication of determined cause, or a combination thereof of the target asset, for display on the computer device 223.”); and 
Hamdi teaches all the limitations of claim 1 above; however, Hamdi fails to explicitly teach, but Wagner teaches:
disable the node associated with a result is not a majority or not consistent with historical results (Wagner, para. [0057] “a scanlet of scanlets 520.sub.1-520.sub.A associated with SMB is used to detect and/or analyze: certain syntax (e.g., psexec, which can be used for remote process execution), encryption, n-gram calculation of filenames, behavioral analytics on the source and/or destination nodes, and usage by the source and/or destination nodes of the SMB protocol. By way of further non-limiting example, a scanlet of scanlets 520.sub.1-520.sub.A associated with DNS is used to detect and/or analyze: n-gram calculation on a dns-query, TTL (Time to Live) value (e.g., analytics on normal value), response code (e.g., analytics on normal value), and usage by the source and/or destination nodes of the DNS protocol. By way of additional non-limiting example, a scanlet of scanlets 520.sub.1-520.sub.A associated with RDP is used to detect and/or analyze: known bad command, encryption, connection success rates, and usage by the source and/or destination nodes of the DNS protocol.” And para. [0080] “remediation can be optionally performed. Using the recursive multi-layer examination described above in relation to FIGS. 5-7B, remediation can block the particular breach/attack, as well as similar breaches/attacks using the same or similar methodology, when it is still in progress. For example, remediation includes at least one of: quarantining particular nodes (e.g., certain nodes are not allowed to communicate with each other), re-imaging particular nodes, banning particular applications and/or protocols from a particular data center or network (e.g., when there is no business rationale to permit it), updating a security policy (which allowed the breach/attack to occur), and the like.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Wagner’s security node remediation into Hamdi’s situational awareness environment, with a motivation to identify any security breach or intrusion through malicious nodes and communications and remediate the security breach (Wagner, para. [0006]).
As per claim 2, the combination of Hamdi and Wagner teach the apparatus of claim 1, wherein the workload requests provided to the plurality of nodes request a same operation and the platform parameters are different on at least two nodes of the plurality of nodes (Hamdi, para. [0126] “The visualization engine 320 can also support a table visual mode for displaying data in a table format. Each row in a table graphical object can be associated with a respective asset or data point, whereas table columns can represent specific characteristics of the assets or data points. Primary and secondary filters can allow selection of the data portion to be displayed. Selecting an individual data point or asset can cause the visualization engine 320 to display expanded details on that data point or asset. Another visual mode can be a charts visual mode that enables display of data via multiple charts. Separate charts can be associated with respective parameters or characteristics of assets or data points.”).
As per claim 3, the combination of Hamdi and Wagner teach the apparatus of claim 1, wherein the platform parameters comprises a software platform and application language and wherein the platform parameters are different on at least two nodes (Hamdi, para. [0068] “The computing and network environment 210 can include a plurality of computer servers 211 and a plurality of client devices 212 that are communicatively coupled together, for example, via network devices such as one or more switches 213, one or more wireless modems 214, and/or other network devices…The computing and network environment 210 can include a plurality of software platforms or applications executing on the computer servers 211 and/or the client devices 212.” And para. [0085] “The security profile 530 can include information and variables related to the cyber security of the respective asset. For instance, the security profile 530 can include variables indicative of a security zone of the asset, network security variables, platform security variables, application security variables and data security variables. The network security variables can include, for example, parameters or information indicative of a DNS, a load balancer (LB), a firewall (FW), defensive techniques against denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks, and/or an intrusion detection system (IDS) associated with the asset. The network security variables can also include indications of web gateways coupled to the asset and/or security tunnels supported by the asset. For a given software application, the respective application security variables can include parameters or information indicative of a respective type and/or category and/or respective components. The security variables can include parameters related to penetration testing requirements and/or sustainability solutions for one or more software applications supported by the respective asset. 
The data security variables can include parameters indicative of data sensitivity level(s), encryption techniques and/or authentication or access control measures associated with the respective asset. The platform security variables can include, for example configuration parameters, patching requirements, indication of antivirus software, indication of least-privileged access level(s), priority of containment in case of attack and/or priority of shutdown in case of an attack outbreak associated with the respective asset.”).
As per claim 4, the combination of Hamdi and Wagner teach the apparatus of claim 1, wherein to determine whether any result is a majority or consistent with historical results, the at least one processor is to analyze one or more of workload completion latency or results (Hamdi, para. [0078] “The data collection engine 304 can receive, from various data sources, data (e.g., vulnerability scanning results and/or search results or alerts from databases 240, 250 or 260) indicative of cyber security subject matters or issues related to the computing and network environment 210. The data received from a given data source can include, for each cyber security subject matter indicated in the data, a respective identifier assigned by that data source. Upon receiving cyber security data from a given data source, the data collection engine 304 can scan that data to extract or determine one or more identifiers of cyber security subject matters indicated therein. The data collection engine 304 can compare each extracted identifier to identifiers associated with the CEMM system” And para. [0150] “the controller engine 310 can send an indication of the state(s) of operation, the abnormal behavior, the determined cause, the received profiling parameters, or a combination thereof to the front-end system 224 for display on a computer device 223. For example, the controller engine 310 can send an alert indicative of the target asset, the abnormal behavior, or the determined cause to a computer device 223 running a client application of the CEMM system 220. The controller engine 310 can provide state assessment data, e.g., one or more received parameter values, indication of the comparison(s) result(s), indication of the abnormal behavior, indication of determined cause, or a combination thereof of the target asset, for display on the computer device 223.”).
As per claim 5, the combination of Hamdi and Wagner teach the apparatus of claim 1, wherein to determine whether any result is a majority or consistent with historical results, the at least one processor is to compare one or more of workload completion latency or results with prior workload completion latency or results for a same workload using same platform parameters (Hamdi, para. [0176] “For each data segment, the controller engine 310 can compute one or more statistical parameters each corresponding to a respective set of data values. For example, for CPU usage values, cache memory usage values, bandwidth usage values, or data packet drop rate values in the data segment, the controller engine 310 can compute respective mean, variance, standard deviation or median values. The controller engine 310 can replace data values in a data segment with respective statistical parameter values, for example, once a certain time period (e.g., one day, one week, one month, or any other time period) passes after generating that data segment. In other words, as data gets old, the controller engine 310 can delete a portion of it and replace it with respective statistical values. The use of statistical values instead of the whole set of data allows for significant reduction in the amount of memory storage used by the back-end system 222 or the amount of data transmitted to the front-end system 224. Also, the use of the statistical values can allow for fast display or analysis of data corresponding to a relatively long time period (e.g., corresponding to a plurality of old data segments). The controller engine 310 can store the modified data (e.g., with the statistical values replacing data portions) in the data base 306 as historical data.”).
As per claim 6, the combination of Hamdi and Wagner teach the apparatus of claim 1, wherein to disable the node associated with a result is not a majority or not consistent with historical results, the at least one processor is to not permit workloads to be performed on the disabled node (Wagner, para. [0057] “a scanlet of scanlets 520.sub.1-520.sub.A associated with SMB is used to detect and/or analyze: certain syntax (e.g., psexec, which can be used for remote process execution), encryption, n-gram calculation of filenames, behavioral analytics on the source and/or destination nodes, and usage by the source and/or destination nodes of the SMB protocol. By way of further non-limiting example, a scanlet of scanlets 520.sub.1-520.sub.A associated with DNS is used to detect and/or analyze: n-gram calculation on a dns-query, TTL (Time to Live) value (e.g., analytics on normal value), response code (e.g., analytics on normal value), and usage by the source and/or destination nodes of the DNS protocol. By way of additional non-limiting example, a scanlet of scanlets 520.sub.1-520.sub.A associated with RDP is used to detect and/or analyze: known bad command, encryption, connection success rates, and usage by the source and/or destination nodes of the DNS protocol.” And para. [0080] “remediation can be optionally performed. Using the recursive multi-layer examination described above in relation to FIGS. 5-7B, remediation can block the particular breach/attack, as well as similar breaches/attacks using the same or similar methodology, when it is still in progress. For example, remediation includes at least one of: quarantining particular nodes (e.g., certain nodes are not allowed to communicate with each other), re-imaging particular nodes, banning particular applications and/or protocols from a particular data center or network (e.g., when there is no business rationale to permit it), updating a security policy (which allowed the breach/attack to occur), and the like.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Wagner’s security node remediation into Hamdi’s situational awareness environment, with a motivation to identify any security breach or intrusion through malicious nodes and communications and remediate the security breach (Wagner, para. [0006]).
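Added illustration, not part of this Office Action, the application, or either cited reference: a Python example of the check recited in claims 1 and 4-6, in which the same workload goes to nodes with different platform parameters, results are compared by majority, completion latency is compared with prior runs on the same platform parameters, and a flagged node receives no further workloads. All class, method and workload names, the 3-sigma threshold and the sample values are assumptions constructed for this example.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class NodeResult:
    node_id: str
    platform: tuple      # platform parameters, e.g. ("linux", "python")
    output: str          # result returned for the workload
    latency_ms: float    # workload completion latency


class Dispatcher:
    """Hypothetical controller: votes on results and tracks latency baselines."""

    def __init__(self, sigma=3.0, min_history=5, floor_ms=5.0):
        self.sigma = sigma              # allowed deviation, in standard deviations
        self.min_history = min_history  # samples needed before latency is judged
        self.floor_ms = floor_ms        # lower bound on spread, avoids a zero-width band
        self.history = {}               # (workload, platform) -> prior latencies
        self.disabled = set()

    def seed_history(self, workload, platform, latencies):
        self.history.setdefault((workload, platform), []).extend(latencies)

    def eligible(self, node_ids):
        # Claim 6: a disabled node is not permitted to perform workloads.
        return [n for n in node_ids if n not in self.disabled]

    def evaluate(self, workload, results):
        """Return (majority_output_or_None, {node_id: [reasons]}) for one round."""
        if not results:
            return None, {}
        votes = Counter(r.output for r in results)
        top, count = votes.most_common(1)[0]
        # Strict majority only; a tie or plurality yields no majority result.
        majority = top if count * 2 > len(results) else None
        flagged = {}
        for r in results:
            key = (workload, r.platform)
            reasons = []
            if majority is not None and r.output != majority:
                reasons.append("result differs from majority")
            past = self.history.get(key, [])
            if len(past) >= self.min_history:
                spread = max(pstdev(past), self.floor_ms)
                if abs(r.latency_ms - mean(past)) > self.sigma * spread:
                    reasons.append("latency outside historical range")
            if reasons:
                flagged[r.node_id] = reasons
            elif majority is not None:
                # Only results that passed both checks extend the baseline,
                # so a deviating node cannot shift its own history.
                self.history.setdefault(key, []).append(r.latency_ms)
        self.disabled.update(flagged)
        return majority, flagged


def demo():
    """Two constructed rounds of the same workload on three diverse nodes."""
    d = Dispatcher()
    plats = {"n1": ("linux", "python"), "n2": ("bsd", "go"),
             "n3": ("windows", "java")}
    for p in plats.values():
        d.seed_history("sum-ledger", p, [100, 102, 98, 101, 99])
    round1 = d.evaluate("sum-ledger", [
        NodeResult("n1", plats["n1"], "42", 101),
        NodeResult("n2", plats["n2"], "42", 99),
        NodeResult("n3", plats["n3"], "41", 100),   # wrong result
    ])
    round2 = d.evaluate("sum-ledger", [
        NodeResult("n1", plats["n1"], "42", 100),
        NodeResult("n2", plats["n2"], "42", 900),   # right result, abnormal latency
    ])
    return round1, round2, d.eligible(list(plats))


if __name__ == "__main__":
    for item in demo():
        print(item)
```

When no strict majority exists, this example leaves the result check undecided and updates no baseline; a real controller would need a policy for that case.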
As per claim 9, the combination of Hamdi and Wagner teach the apparatus of claim 1, wherein the platform parameters comprise one or more of: operating system, virtual machine, file system, programming language of the workload, central processing unit (CPU) clock speed, graphics processing unit (GPU) clock speed, memory allocation, storage allocation, or network interface transmit and receive rates (Hamdi, para. [0085] “The security profile 530 can include information and variables related to the cyber security of the respective asset. For instance, the security profile 530 can include variables indicative of a security zone of the asset, network security variables, platform security variables, application security variables and data security variables. The network security variables can include, for example, parameters or information indicative of a DNS, a load balancer (LB), a firewall (FW), defensive techniques against denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks, and/or an intrusion detection system (IDS) associated with the asset. The network security variables can also include indications of web gateways coupled to the asset and/or security tunnels supported by the asset. For a given software application, the respective application security variables can include parameters or information indicative of a respective type and/or category and/or respective components. The security variables can include parameters related to penetration testing requirements and/or sustainability solutions for one or more software applications supported by the respective asset. The data security variables can include parameters indicative of data sensitivity level(s), encryption techniques and/or authentication or access control measures associated with the respective asset. 
The platform security variables can include, for example configuration parameters, patching requirements, indication of antivirus software, indication of least-privileged access level(s), priority of containment in case of attack and/or priority of shutdown in case of an attack outbreak associated with the respective asset.”).
As per claim 11, Hamdi teaches a method comprising: 
allocating platform parameters to a set of nodes connected to a fabric, wherein platform parameters of at least two nodes are different (Hamdi, para. [0136] “The method 900 can include the asset profiling engine 312 determining a set of profiling parameters (step 930). The set of profiling parameters can represent parameters to be requested from the target asset, such as asset information (e.g., IP address, MAC address, NetBIOS, etc.), asset configuration parameters, asset communication logs, asset CPU usage, packet drop rate, the like, or a combination thereof. In some implementations, determining the profiling parameters can include the asset profiling engine 312 selecting a profiling template for profiling the target asset. A profiling template can include (or represent) a query for sending to the target asset. In some implementations, the asset profiling engine 312 can determine the set of profiling parameters (or the profiling template) according to a hierarchical asset profiling scheme. The hierarchical asset profiling scheme can include multiple profiling templates, each associated with a respective profiling depth.”);
issuing a service request to recipient nodes in the set of nodes, the service request comprising a request written in a computing language supported by its recipient node; receiving results from the recipient nodes (Hamdi, para. [0106] “The method 700 can include the scheduling engine 314 receiving or detecting an indication of a trigger event (step 710). For instance, for periodic or scheduled data collection events (e.g., scheduled or periodic events to profile assets or acquire data from external sources such as the vulnerability scanner(s)” And para. [0108] “Upon receiving the acknowledgement, the scheduling engine 314 can send a request for the data to the data source (step 740), and receive the data over the data link (step 750). The scheduling engine 314 can receive a data query from the asset profiling engine 312 or the data collection engine 304, and forward the query to the data source over the communication link. The asset profiling engine 312 (or the data collection engine 304) can determine or select the data query based on, for example, the data source, the event triggering the data acquisition, or a combination thereof.” [0137] “The method 900 can include the asset profiling engine 312 transmitting, via the one or more established communication links, a query to the one or more computing devices to request the determined profiling parameters (step 940), and receive, via the established communication link(s), data including one or more parameter values responsive to the query (step 950). 
The received parameter values can include, for example, communication logs of the target asset (or the communication devices) indicative of IP addresses with which the target asset communicated (or is communicating) for a given last period of time (e.g., the last few days, the last few hours, the last 60, 30 or 20 minutes, or any other time period), configuration data including hardware or software configuration parameters (e.g., browser settings, user access list, access level per user, etc.), CPU usage data (cumulative CPU usage, CPU usage per software module, cache memory usage values, etc.), network usage data, memory usage data, the like or a combination thereof.”); 
determining if a result is consistent with a majority of results or consistent with historical results (Hamdi, para. [0078] “The data collection engine 304 can receive, from various data sources, data (e.g., vulnerability scanning results and/or search results or alerts from databases 240, 250 or 260) indicative of cyber security subject matters or issues related to the computing and network environment 210. The data received from a given data source can include, for each cyber security subject matter indicated in the data, a respective identifier assigned by that data source. Upon receiving cyber security data from a given data source, the data collection engine 304 can scan that data to extract or determine one or more identifiers of cyber security subject matters indicated therein. The data collection engine 304 can compare each extracted identifier to identifiers associated with the CEMM system” And para. [0150] “the controller engine 310 can send an indication of the state(s) of operation, the abnormal behavior, the determined cause, the received profiling parameters, or a combination thereof to the front-end system 224 for display on a computer device 223. For example, the controller engine 310 can send an alert indicative of the target asset, the abnormal behavior, or the determined cause to a computer device 223 running a client application of the CEMM system 220. The controller engine 310 can provide state assessment data, e.g., one or more received parameter values, indication of the comparison(s) result(s), indication of the abnormal behavior, indication of determined cause, or a combination thereof of the target asset, for display on the computer device 223.”); and 
Hamdi teaches all the limitations of claim 11 above; however, Hamdi fails to explicitly teach, but Wagner teaches:
disconnecting a node among the recipient nodes associated with the result that is consistent with the majority of results or not consistent with historical results  (Wagner, para. [0057] “a scanlet of scanlets 520.sub.1-520.sub.A associated with SMB is used to detect and/or analyze: certain syntax (e.g., psexec, which can be used for remote process execution), encryption, n-gram calculation of filenames, behavioral analytics on the source and/or destination nodes, and usage by the source and/or destination nodes of the SMB protocol. By way of further non-limiting example, a scanlet of scanlets 520.sub.1-520.sub.A associated with DNS is used to detect and/or analyze: n-gram calculation on a dns-query, TTL (Time to Live) value (e.g., analytics on normal value), response code (e.g., analytics on normal value), and usage by the source and/or destination nodes of the DNS protocol. By way of additional non-limiting example, a scanlet of scanlets 520.sub.1-520.sub.A associated with RDP is used to detect and/or analyze: known bad command, encryption, connection success rates, and usage by the source and/or destination nodes of the DNS protocol.” And para. [0080] “remediation can be optionally performed. Using the recursive multi-layer examination described above in relation to FIGS. 5-7B, remediation can block the particular breach/attack, as well as similar breaches/attacks using the same or similar methodology, when it is still in progress. For example, remediation includes at least one of: quarantining particular nodes (e.g., certain nodes are not allowed to communicate with each other), re-imaging particular nodes, banning particular applications and/or protocols from a particular data center or network (e.g., when there is no business rationale to permit it), updating a security policy (which allowed the breach/attack to occur), and the like.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Wagner’s security node remediation into Hamdi’s situational awareness environment, with a motivation to identify any security breach or intrusion through malicious nodes and communications and remediate the security breach (Wagner, para. [0006]).
As per claim 12, the combination of Hamdi and Wagner teach the method of claim 11, wherein allocating platform parameters to a set of nodes connected to a fabric comprises: 
allocating one or more of operating system, file system, programming language supported and performance specification to nodes in the set of nodes, wherein one node uses different platform parameters than platform parameters of another node (Hamdi, para. [0126] “The visualization engine 320 can also support a table visual mode for displaying data in a table format. Each row in a table graphical object can be associated with a respective asset or data point, whereas table columns can represent specific characteristics of the assets or data points. Primary and secondary filters can allow selection of the data portion to be displayed. Selecting an individual data point or asset can cause the visualization engine 320 to display expanded details on that data point or asset. Another visual mode can be a charts visual mode that enables display of data via multiple charts. Separate charts can be associated with respective parameters or characteristics of assets or data points.”).
As per claim 13, the combination of Hamdi and Wagner teach the method of claim 11, wherein the service request issued to recipient nodes in the set of nodes requests performance of same functions (Hamdi, para. [0166] “The asset profiling engine 312 can receive, from the asset, via the communication link, asset profiling data, responsive to the query (step 1140). The profiling data received from the asset can include parameter values corresponding to profiling parameters indicated in the request. If the profiling process was initiated responsive to a detected discrepancy, the asset profiling engine 312 or the controller engine 310 can update or assess the reliability of the vulnerability scanning data received at step 1120 using the received profiling data. For example, if three data sources have the same value for a given variable (e.g., similar within a % error/deviation), and the received profiling data confirms that value, the controller engine 310 can mark the variable value as a low error variable value. If, however, three (or other number of) data sources are reporting mismatching value for the variable, then the asset profiling engine 312 can take full control of polling this variable value from the asset, for example, by profiling the asset one or more times to provide a more reliable value of the variable. The asset profiling engine 312 can update the vulnerability data with the value received from the asset.”).
As per claim 14, the combination of Hamdi and Wagner teach the method of claim 11, wherein the determining if a result is consistent with a majority of results or consistent with historical results comprises determining if a time to service request completion or result from a node vary from a time to (Hamdi, para. [0122] “the sphere visual mode can be adequate for displaying data indicative of real-time varying relationships between various assets, such as communication links established between separate assets of the computing and network environment 210. For example, the visualization engine 320 can display changes in the curved lines 816 in real time as relationships (e.g., connections or dependencies) between the selected asset and other assets change over time.”).
As per claim 15, the combination of Hamdi and Wagner teach the method of claim 11, wherein the determining if a result is consistent with a majority of results or consistent with historical results comprises determining if a time to service request completion differs from one or more prior executions of the service request (Hamdi, para. [0176] “For each data segment, the controller engine 310 can compute one or more statistical parameters each corresponding to a respective set of data values. For example, for CPU usage values, cache memory usage values, bandwidth usage values, or data packet drop rate values in the data segment, the controller engine 310 can compute respective mean, variance, standard deviation or median values. The controller engine 310 can replace data values in a data segment with respective statistical parameter values, for example, once a certain time period (e.g., one day, one week, one month, or any other time period) passes after generating that data segment. In other words, as data gets old, the controller engine 310 can delete a portion of it and replace it with respective statistical values. The use of statistical values instead of the whole set of data allows for significant reduction in the amount of memory storage used by the back-end system 222 or the amount of data transmitted to the front-end system 224. Also, the use of the statistical values can allow for fast display or analysis of data corresponding to a relatively long time period (e.g., corresponding to a plurality of old data segments). The controller engine 310 can store the modified data (e.g., with the statistical values replacing data portions) in the data base 306 as historical data.”).
As per claim 17, the combination of Hamdi and Wagner teach the method of claim 11, comprising: selecting a node from the set of nodes to execute a controller and migrating the controller to the selected node (Hamdi, para. [0128] “The visualization engine 320 can also provide action controls allowing the user to initiate specific with respect to the displayed data. For example, action controls can allow the user to initiate actions taken upon one or more assets in real time, such as causing the CEMM system 220 to launch a vulnerability scan, ping an asset, profiling one or more assets, or delete a data portion. The action controls can also allow a user to export displayed data into one or more file formats.” And para. [0114] “When an engine or a software module of the back-end system 222 wants to redirect data to another entity in the front-end system 224 (e.g., the visualization engine 320), it can send a message to the software bus 302 indicative of the data (e.g., via a respective pointer) and the destination engine or module. The software bus 302 can then handle the transfer of the data to the destination engine or module. In some implementations, the software bus 302 can handle data transfer between different modules according to queue or a list of prioritized data transfer tasks.” And para. [0188] “Data blocks 1320a, 1320b, and 1320c can be associated with separate users, separate client applications, or separate types of functional profiles. The controller engine 310 may be configured to maintain a single set of pointers associated with a corresponding data block for users sharing the same functional profile. The controller engine 310 may update the set of pointers (e.g., to point to distinct data segments or sub-segments) as new data is acquired by the data collection engine 304 or the asset profiling engine 312. For example, if the data block 1320a is defined to include vulnerability data associated with the latest vulnerability scan, the controller engine 310 can update the set of pointers upon new vulnerability scan data is received by the data collection engine.”).
As per claim 18, Hamdi teaches a system comprising: 
(Hamdi, para. [0042] “The client 102 and server 106 may be deployed as and/or executed on any type and form of computing device, e.g. a computer, network device or appliance capable of communicating on any type and form of network and performing the operations described herein. FIGS. 1C and 1D depict block diagrams of a computing device 100 useful for practicing an embodiment of the client 102 or a server 106. As shown in FIGS. 1C and 1D, each computing device 100 includes a central processing unit 121, and a main memory unit 122. As shown in FIG. 1C, a computing device 100 may include a storage device 128, an installation device 116, a network interface 118, an I/O controller 123, display devices 124a-124n, a keyboard 126 and a pointing device 127, e.g. a mouse. The storage device 128 may include, without limitation, an operating system, software, and a software of a computer environment monitoring and management (CEMM) system 120. As shown in FIG. 1D, each computing device 100 may also include additional optional elements, e.g. a memory port 103, a bridge 170, one or more input/output devices 130a-130n (generally referred to using reference numeral 130), and a cache memory 140 in communication with the central processing unit 121.”), wherein the at least one processor is to: 
select a set of nodes (Hamdi, para. [0112] “if the data collection engine 304 receives data indicative of a new discovered vulnerability, the controller engine 310 can identify a first set of assets directly affected by that vulnerability. Also, the controller engine can 310 identify a second set of assets that are dependent (e.g., with respect to one or more respective functionalities/operations) on assets of the first set.”); and 
cause the nodes to utilize the selected platform parameters, wherein the platform parameters for a node are different than platform parameters for another node (Hamdi, para. [0068] “The computing and network environment 210 can include a plurality of computer servers 211 and a plurality of client devices 212 that are communicatively coupled together, for example, via network devices such as one or more switches 213, one or more wireless modems 214, and/or other network devices…The computing and network environment 210 can include a plurality of software platforms or applications executing on the computer servers 211 and/or the client devices 212.” And para. [0085] “The security profile 530 can include information and variables related to the cyber security of the respective asset. For instance, the security profile 530 can include variables indicative of a security zone of the asset, network security variables, platform security variables, application security variables and data security variables. The network security variables can include, for example, parameters or information indicative of a DNS, a load balancer (LB), a firewall (FW), defensive techniques against denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks, and/or an intrusion detection system (IDS) associated with the asset. The network security variables can also include indications of web gateways coupled to the asset and/or security tunnels supported by the asset. For a given software application, the respective application security variables can include parameters or information indicative of a respective type and/or category and/or respective components. The security variables can include parameters related to penetration testing requirements and/or sustainability solutions for one or more software applications supported by the respective asset. The data security variables can include parameters indicative of data sensitivity level(s), encryption techniques and/or authentication or access control measures associated with the respective asset. The platform security variables can include, for example configuration parameters, patching requirements, indication of antivirus software, indication of least-privileged access level(s), priority of containment in case of attack and/or priority of shutdown in case of an attack outbreak associated with the respective asset.”).
Hamdi teaches all the limitations of claim 18 above, however fails to explicitly teach but Wagner teaches:
(Wagner, para. [0111] “a user can select a cyber security policy to apply to the network. The application of the cyber security policy causes visual changes in the appearance of the GUI. For example, nodes or communication paths that are non-compliant with the cyber security policy are changed to have a visually distinctive appearance as compared to those nodes which are compliant. This allows a user to quickly assess and identify network nodes that may cause data breaches or other cyber security failures. [0116] The method begins with a step 1002 of receiving a query that comprises a selection of Internet protocol (IP) addresses belonging to nodes within a network. These IP addresses can be a range of IP addresses or Classless Inter-Domain Routing (CIDR) range that identifies locations of assets within a network. The query can also specify a single IP address or selections of IP addresses not necessarily tied to a specific range of IP addresses.” And para. [0117] “the IP address range belongs to network nodes that provide a particular application or function using a similar application layer protocol. In another example, the IP address range can correspond to nodes within a network that are required to be PCI or HIPAA compliant.” And para. [0118] “Once the IP addresses have been identified from the query, characteristics of the nodes identified by the IP addresses are obtained in step 1004. It will be understood that a node can include any network device, either virtual or physical, that exists in a network. This could include virtual machines, physical machines, applications, services, containers, microsegmented features, and so forth. Any object on the network performing computational and/or communicative activities can be selected.”);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Wagner’s security node remediation into Hamdi’s situational awareness environment, with a motivation to identify any security breach or intrusion through malicious nodes and communications and remediate the security breach (Wagner, para. [0006]).

As per claim 19, the combination of Hamdi and Wagner teach the system of claim 18, wherein the at least one processor is to: 
issue workload requests to the set of nodes in accordance with the applicable programming language for the set of nodes (Hamdi, para. [0106] “The method 700 can include the scheduling engine 314 receiving or detecting an indication of a trigger event (step 710). For instance, for periodic or scheduled data collection events (e.g., scheduled or periodic events to profile assets or acquire data from external sources such as the vulnerability scanner(s)” And para. [0108] “Upon receiving the acknowledgement, the scheduling engine 314 can send a request for the data to the data source (step 740), and receive the data over the data link (step 750). The scheduling engine 314 can receive a data query from the asset profiling engine 312 or the data collection engine 304, and forward the query to the data source over the communication link. The asset profiling engine 312 (or the data collection engine 304) can determine or select the data query based on, for example, the data source, the event triggering the data acquisition, or a combination thereof.” [0137] “The method 900 can include the asset profiling engine 312 transmitting, via the one or more established communication links, a query to the one or more computing devices to request the determined profiling parameters (step 940), and receive, via the established communication link(s), data including one or more parameter values responsive to the query (step 950). The received parameter values can include, for example, communication logs of the target asset (or the communication devices) indicative of IP addresses with which the target asset communicated (or is communicating) for a given last period of time (e.g., the last few days, the last few hours, the last 60, 30 or 20 minutes, or any other time period), configuration data including hardware or software configuration parameters (e.g., browser settings, user access list, access level per user, etc.), CPU usage data (cumulative CPU usage, CPU usage per software module, cache memory usage values, etc.), network usage data, memory usage data, the like or a combination thereof.”);
determine whether a result is consistent with a majority of results or consistent with historical results arising from performance of the workload requests by the set of nodes (Hamdi, para. [0078] “The data collection engine 304 can receive, from various data sources, data (e.g., vulnerability scanning results and/or search results or alerts from databases 240, 250 or 260) indicative of cyber security subject matters or issues related to the computing and network environment 210. The data received from a given data source can include, for each cyber security subject matter indicated in the data, a respective identifier assigned by that data source. Upon receiving cyber security data from a given data source, the data collection engine 304 can scan that data to extract or determine one or more identifiers of cyber security subject matters indicated therein. The data collection engine 304 can compare each extracted identifier to identifiers associated with the CEMM system” And para. [0150] “the controller engine 310 can send an indication of the state(s) of operation, the abnormal behavior, the determined cause, the received profiling parameters, or a combination thereof to the front-end system 224 for display on a computer device 223. For example, the controller engine 310 can send an alert indicative of the target asset, the abnormal behavior, or the determined cause to a computer device 223 running a client application of the CEMM system 220. The controller engine 310 can provide state assessment data, e.g., one or more received parameter values, indication of the comparison(s) result(s), indication of the abnormal behavior, indication of determined cause, or a combination thereof of the target asset, for display on the computer device 223.”); and 
cause disconnection of a node not consistent with a majority of results or not consistent with historical results (Wagner, para. [0080] “remediation can be optionally performed. Using the recursive multi-layer examination described above in relation to FIGS. 5-7B, remediation can block the particular breach/attack, as well as similar breaches/attacks using the same or similar methodology, when it is still in progress. For example, remediation includes at least one of: quarantining particular nodes (e.g., certain nodes are not allowed to communicate with each other), re-imaging particular nodes, banning particular applications and/or protocols from a particular data center or network (e.g., when there is no business rationale to permit it), updating a security policy (which allowed the breach/attack to occur), and the like.”).
As per claim 20, the combination of Hamdi and Wagner teach the system of claim 18, wherein the at least one processor is to periodically modify platform parameters for at least one of the nodes (Hamdi, para. [0106] “The method 700 can include the scheduling engine 314 receiving or detecting an indication of a trigger event (step 710). For instance, for periodic or scheduled data collection events (e.g., scheduled or periodic events to profile assets or acquire data from external sources such as the vulnerability scanner(s) 230 or the databases 240, 250 or 260) the scheduling engine 314 can employ, for example, the Unix Cron process to time schedule initiation of execution of data acquisition. The Cron process can provide an indication to the scheduling engine 314 when the time for a data acquisition event arrives. In some instances, the scheduling engine 314 can receive an instruction from, for example, from the data collection engine 304, the controller engine 310 or the asset profiling engine 312 to initiate a data acquisition session/event with a given data source, such as a vulnerability scanner 230, an external database (e.g., database 240, 250 or 260) or an asset of the computing and network environment 210.” And para. [0108] “The asset profiling engine 312 (or the data collection engine 304) can determine or select the data query based on, for example, the data source, the event triggering the data acquisition, or a combination thereof.”).
5.	Claims 7-8 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Hamdi and Wagner, as disclosed above, in further view of US Pub No. US 2019/0026466 A1 to Krasser, (hereinafter, “Krasser”).
As per claim 7, the combination of Hamdi and Wagner teach the apparatus of claim 1, however fail to explicitly teach but Krasser teaches: wherein the at least one processor is to select platform parameters of at least one node using pseudo-random selection (Krasser, para. [0119] “the feature-vector transformation 504 can be determined based on all the data included in, or used in determining, the broad model 222, or based on only a portion of that data. For example, broad model 222 can be trained on a corpus of feature vectors associated with training data streams 118. The data can include the feature vectors of the corpus. In some examples, operation 502 can include selecting the portion of the data, e.g., as a random (or pseudorandom, and likewise throughout the document) subsample of feature vectors in the corpus, or as a random sample from among feature vectors sufficiently close to the first feature vector 304.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Krasser’s malware detection into Wagner’s security node remediation and Hamdi’s situational awareness environment, with a motivation to detect and prevent execution of malicious software (Krasser, para. [0025]).
As per claim 8, the combination of Hamdi, Wagner and Krasser teach the apparatus of claim 7, wherein the pseudo-random selection is to change or not change platform parameters of at least one node (Krasser, para. [0175] “patching module 228 can determine, for each training feature vector of a plurality of training feature vectors 1004, a respective training value 1006 indicating strength of association of that training feature vector with malware. The plurality of training feature vectors 1004 can include the second feature vector 712 and the third feature vector 718. In some examples, the plurality of training feature vectors 1004 can additionally or alternatively include the first feature vector 704. In some examples, accordingly, feature space 800 can be a scalar field that maps position (feature-vector contents) to strength of association. In some examples, patching module 228 can select the plurality of training feature vectors 1004 from the set 710 of feature vectors from which the clean data streams were selected as discussed herein with reference to operation 708. For example, patching module 228 can select a random subset of the set 710 of feature vectors to be the training feature vectors 1004. In some examples, patching module 228 can use minibatch-based or other random-sampling training techniques.” And para. [0176] “Each training value 1006 can be or include, e.g., a binary classification value such as a zero or one, a probability that the respective feature vector is associated with malware, or a value that represents both association with malware and confidence in the classification, e.g., a value between −1 and +1. Training values 1006 can be discrete or continuous. In this discussion, more positive values represent dirty (e.g., 0=clean, 1=dirty, or −1=clean, +1=dirty), although the opposite can be used, or another scale can be used (e.g., with values closer to 0 being more strongly associated with malware than either values closer to −1 or values closer to +1). In some examples, values of the scalar field can be interpolated for trial feature vectors 914 in between training feature vectors. Using a scalar field with interpolation can avoid mis-classifying a data stream based on a small difference, e.g., due to calculation precision. Moreover, for feature values outside a hull of the training feature vectors, interpolation can be performed to a value representing “unknown” (e.g., zero on a −1 to +1 scale) to permit effectively representing the limits of applicability of the model.”).
As per claim 16, the combination of Hamdi and Wagner teach the apparatus of claim 11, further comprising: 
 (Hamdi, para. [0133] “The method 900 can include the controller engine 310 (or the asset profiling engine 312) identifying a target asset of the computing and network environment 210 for profiling or assessing respective state(s) of operation (step 910). The controller engine 310 can identify the target asset based on, for example, timing information related to scheduled events (e.g., scheduled periodic asset profiling events or scheduled system assessment events), a detected event (e.g., abnormal or unusual behavior of the computing and network environment 210), a discrepancy in maintained or collected data (e.g., vulnerability scanning data, previous asset profiling data and/or specification profiles' data), a recently published cyber security threat or vulnerability, a received alert, the like, or a combination thereof. For example, the back-end system 222 can be configured to periodically or regularly profile some assets of the computing and network environment 210, for example, according to a respective profiling frequency. For example, when the profiling period elapses, the controller engine 310 can send an instruction to the asset profiling engine 312 to initiate profiling of the assets. The controller engine 312 can identify the target asset based on respective ranking value(s). For example, the controller engine 312 can identify assets with respective ranking values exceeding a given ranking threshold value for profiling.”); 
The combination of Hamdi and Wagner teach all the limitations of claim 16 above, however fail to explicitly teach but Krasser teaches:
selecting platform parameters pseudo-randomly (Krasser, para. [0119] “the feature-vector transformation 504 can be determined based on all the data included in, or used in determining, the broad model 222, or based on only a portion of that data. For example, broad model 222 can be trained on a corpus of feature vectors associated with training data streams 118. The data can include the feature vectors of the corpus. In some examples, operation 502 can include selecting the portion of the data, e.g., as a random (or pseudorandom, and likewise throughout the document) subsample of feature vectors in the corpus, or as a random sample from among feature vectors sufficiently close to the first feature vector 304.”); and 
modifying the platform parameters of the selected node using the selected platform parameters (Krasser, para. [0175] “patching module 228 can determine, for each training feature vector of a plurality of training feature vectors 1004, a respective training value 1006 indicating strength of association of that training feature vector with malware. The plurality of training feature vectors 1004 can include the second feature vector 712 and the third feature vector 718. In some examples, the plurality of training feature vectors 1004 can additionally or alternatively include the first feature vector 704. In some examples, accordingly, feature space 800 can be a scalar field that maps position (feature-vector contents) to strength of association. In some examples, patching module 228 can select the plurality of training feature vectors 1004 from the set 710 of feature vectors from which the clean data streams were selected as discussed herein with reference to operation 708. For example, patching module 228 can select a random subset of the set 710 of feature vectors to be the training feature vectors 1004. In some examples, patching module 228 can use minibatch-based or other random-sampling training techniques.” And para. [0176] “Each training value 1006 can be or include, e.g., a binary classification value such as a zero or one, a probability that the respective feature vector is associated with malware, or a value that represents both association with malware and confidence in the classification, e.g., a value between −1 and +1. Training values 1006 can be discrete or continuous. In this discussion, more positive values represent dirty (e.g., 0=clean, 1=dirty, or −1=clean, +1=dirty), although the opposite can be used, or another scale can be used (e.g., with values closer to 0 being more strongly associated with malware than either values closer to −1 or values closer to +1). In some examples, values of the scalar field can be interpolated for trial feature vectors 914 in between training feature vectors. Using a scalar field with interpolation can avoid mis-classifying a data stream based on a small difference, e.g., due to calculation precision. Moreover, for feature values outside a hull of the training feature vectors, interpolation can be performed to a value representing “unknown” (e.g., zero on a −1 to +1 scale) to permit effectively representing the limits of applicability of the model.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Krasser’s malware detection into Wagner’s security node remediation and Hamdi’s situational awareness environment, with a motivation to detect and prevent execution of malicious software (Krasser, para. [0025]).
6.	Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Hamdi and Wagner, as disclosed above, in further view of US Pub No. US 2015/0334034 A1 to Smedley, (hereinafter, “Smedley”).
As per claim 10, the combination of Hamdi and Wagner teach the apparatus of claim 1, however fail to explicitly teach but Smedley teaches: wherein the network comprises an Omni-Path compatible fabric (Smedley, para. [0088] “As illustrated in FIG. 3, logical LAN interfaces 160, physical fabric interfaces 150, and LAN fabric virtual LAN ports 162 on the LAN fabric side of the fabric extension function 110 are mapped to a pseudo-port 166 or pseudo-ports on the WAN side of the fabric extension function… parameters of pseudo-ports and fabric interface-to-pseudo-port the mappings are programmed into registers of the components of the corresponding network device, e.g., into classification module and/or system encapsulation module.” And [0011] “the pseudo-port packets comprise a Flow Control Transmit Blocks Sent (FCTBS) field. In an embodiment, the FCTBS field of the pseudo-port packets carries a running count of blocks sent. In an embodiment, the pseudo-port packets comprise a Flow Control Credit Limit (FCCL) field…the LAN switching fabric physical interface is configured to communicate according to one of INFINIBAND, Fibre channel, IEEE 802.3x pause fames, Data Center Bridging (DCB), IEEE 802.1Qbb (Priority-based Flow Control), IEEE 802.1 Qaz (Enhanced Transmission Selection), IEEE 802.1Qau (Congestion Notification), OpenFabrics RDMA over Converged Ethernet (RoCE), and Omni-Path and wherein the WAN physical interface is configured to interface with SONET, SDH, OTN, dark fiber, Ethernet, or satellite.” And para. [0045] “Low-loss and lossless low-latency network technologies currently include, for example…INTEL Omni-Path”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Smedley’s data access into Wagner’s security node remediation and Hamdi’s situational awareness environment, with a motivation for low-loss and lossless low-latency network technologies (Smedley, para. [0005]).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 20170163669 A1 – Detect behavior-based anomalies on log-file sampling. 
US 20160359914 A1 – Determining chronology and causality of events.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZOHA P TAFAGHODI whose telephone number is (571)272-5199.  The examiner can normally be reached on 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s acting supervisor, Kristine Kincaid, can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

/ZOHA PIYADEHGHIBI TAFAGHODI/
Examiner, Art Unit 2437