Notice of Pre-AIA or AIA Status
Claims 1-20 remain for examination.  The amendment filed 12/30/21 amended claim 18. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant's arguments filed 12/30/21 have been fully considered but they are not persuasive. Regarding claim 1, Applicant argues:
The Office Action asserts that the event data (that is included in the activity data) allegedly corresponds to the “plurality of events,” and that the actions of the event correlation system (e.g., correlating data to detect anomalies and potentially malicious activity) allegedly correspond to the feature “determining, by a processing device, an issue based on a correlation of a portion of the plurality of events, wherein the issue represents an incident associated with the portion of the plurality of events, and wherein the correlation of the portion of the plurality of events is based on network specific information.” (Office Action, 10/28/21, pages 2-3). Applicant respectfully disagrees. Although Hassanzadeh teaches that the event correlation system can “standardize, filter, aggregate, and correlate” data to detect anomalies or malicious activity, Hassanzadeh fails to disclose determining an issue based on a correlation of a portion of the event data. Hassanzadeh further fails to disclose that the issue represents an incident. In particular, Hassanzadeh lacks any disclosure of determining an issue that represents an incident. Instead, Hassanzadeh discloses that a graph is analyzed in order to detect anomalies or malicious activity. (Hassanzadeh, Figures 5B, 5C, 5D, and 5E).

	This is incorrect.  First, the instant specification defines “issue” as “a collection of related events” (page 10 of the specification as originally filed, paragraph 0036).  Although the issue may contain other optional information, all that is required to read on the claimed “issue” under the broadest reasonable interpretation of the term in view of the instant specification is that it collects a set of event data; as Applicant acknowledges above, Hassanzadeh clearly meets at least this bar.  Second, the Hassanzadeh invention is designed to detect threat scenarios by analyzing collections of event data, in order to discern the broader overall strategy employed by an attacker from a collection of disparate alerts, including alerts pertaining to inter alia 
	Applicant’s remaining arguments are rebutted for substantially similar reasons as discussed supra regarding claim 1.

Claim Rejections - 35 USC § 102
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) and 35 U.S.C. 102(a)(1) as being anticipated by Hassanzadeh (U.S. Patent Publication 2017/0318050).

Regarding claims 1, 11, & 18:
Hassanzadeh discloses a method, system, and non-transitory computer readable medium comprising: accessing network traffic from a network (communications monitored by the various sensors and devices as per paragraph 0020); accessing a plurality of events associated with the network traffic (Ibid, and paragraph 0021); determining, by a processing device, an issue based on a correlation of a portion of the plurality of events, wherein the issue represents an incident associated with the portion of the plurality of events (a “threat scenario”: e.g. paragraphs 0040-0041, 0044, 0068, 

Regarding claims 2, 12, & 19:	Hassanzadeh further discloses wherein the network specific information comprises at least one of information of communications of entities on the network, information of a relationship of entities of the network, or information of entity types of entities on the network (relationship of entities of the network [targets & attackers] as network specific information at paragraph 0040). 

Regarding claims 3, 13, & 20:	Hassanzadeh further discloses wherein the correlation of the portion of the plurality of events is based on at least one of an aggregation, clustering, pattern matching, event chaining, risk posture, or vulnerabilities (aggregation: paragraph 0021). 

Regarding claims 4 and 14:	Hassanzadeh further discloses determining a category associated with the issue (labeling the issue: paragraph 0040), wherein the category associated with the issue comprises at least one of security or operational (the latter at paragraph 0040). 


Regarding claims 6 and 16:	Hassanzadeh further discloses accessing information associated with the network, wherein the information associated with the network comprises a model comprising one or more relationships of entities of the network (paragraph 0040, with the model illustrated as Figure 4B). 

Regarding claim 7:	Hassanzadeh further discloses wherein at least one of the events is determined by an intrusion detection system (paragraph 0020). 

Regarding claims 8 and 17:	Hassanzadeh further discloses wherein the correlation is based on at least one of an event type, a source of a communication, or a destination of the communication (source and destination IP addresses of the communication at paragraph 0040). 

Regarding claim 9:	Hassanzadeh further discloses wherein at least one of the events is associated with an operational technology (OT) entity (e.g. paragraphs 0020 & 0025). 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: “Event Correlation: Why, What, and How” (Worthington).
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS A GYORFI whose telephone number is (571)272-3849. The examiner can normally be reached 10:00am - 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

THOMAS A. GYORFI
Examiner
Art Unit 2435



/THOMAS A GYORFI/Examiner, Art Unit 2435		3/17/2022


/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436