DETAILED ACTION 
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
This action is in response to the communications and remarks filed on 02/28/2022. Claim 6 has been cancelled. Claims 1-5, 7-8, and 10-11 have been amended. Claims 1-5 and 7-11 have been examined and are pending.
Response to Arguments
Applicant's amendments and arguments, see pages 15-16 of remarks, have been fully considered and are persuasive. In response to applicant’s arguments regarding claims 1-5 and 7-11, after a complete search of the entire relevant prior art, the examiner has determined the claims are in condition for allowance. The previous 103 rejections of claims 1-5 and 7-11 have been withdrawn.
Applicant’s arguments, see pages 8-14 of remarks, filed 02/28/2022, with respect to the rejection of claims 1-5 and 7-11 under U.S.C. 101, have been fully considered and are persuasive. Per the 2019 Revised Patent Subject Matter Eligibility Guidance (2019 PEG), Step 1: meets the statutory category of a mental process; Step 2A/Prong 1: recited claims meet a method(s) of organizing human activity, thus an abstract idea; and Step 2B/Prong 2: applies a practical application of a learning by replacing the first alert in the generation pattern of the first alert when the anomaly occurs due to a cause other than the cyber-attack with the second alert associated with the first alert based on the association information. Therefore, the invention is subject matter eligible. Claims 1, 10, and 11 have been rejected under Alice 35 USC 101. Examiner withdraws the 101 Alice rejection for claims 1-5 and 7-11.
Acknowledgement of applicant’s amendment to claims 6-8 is noted. The claims have been reviewed, entered, and found to obviate the previously raised objection for minor informalities. The objection to claims 6-8 is hereby withdrawn.
Acknowledgement of applicant's amendment to claims 1-8 is noted. The claims have been reviewed, entered, and found to obviate the previously raised rejection under 35 USC 112 2nd. The rejection under 35 USC 112 2nd of claims 1-8 is hereby withdrawn.
Examiner’s Comments
Claims 1-5 and 7-11 are now in the condition for allowance.
Allowable Subject Matter
Applicant's arguments have been considered and are determined to be persuasive. Accordingly, the previously presented rejections are withdrawn.
Claims 1-5 and 7-11 are allowed.
The following is an examiner's statement of reasons for allowance:
The closest prior art, as previously recited, Valdes (20030093514 A1) and NEC Corporation (WO2016092834 A1), and newly recited Porras (6704874 B1) are also generally directed to an extraction apparatus capable of obtaining a first alert and a second alert that are generated, when an anomaly occurs in a control system, in order to provide notification of the anomaly, wherein the extraction apparatus comprises: at FIG. 1 and ¶¶0006 and 0018: Bayesian techniques to prioritize generated alerts or alert groups received from an intrusion detection system or other information security device 101 in response to hacker attackers, hardware failures, operator error, or other potentially harmful events, etc.]; generate association information associating the first alert with the second alert; [Valdes, ¶¶0019-0020: alert prioritization device 103 may receive groups of alerts related to a common attack or event; alerts may be grouped by devices that generated them. Also assigns relevance scores to received groups of alerts]; learn a generation pattern of the second alert when the anomaly occurs due to a cause other than a cyber-attack based on the association information generated by the at least one processor and a generation pattern of the first alert when the anomaly occurs due to a cause other than a cyber-attack; [Valdes, ¶¶0020-0021: alerts and relevance scores provided to a network manager’s console 105, where relevance scores can be revised and used to train the Bayes network... ¶0024: Received alerts or alert groups are examined, relevant features or attributes are identified where features are grouped into those referring to attack priority, attack outcome, and asset relevance] and extract, from among the second alerts, the second alert generated due to a cyber-attack based on the generation pattern of the second alert that is learned by the at least one processor learning unit and output the extracted second alert, [NEC, p. 2, ¶¶3 and 5: A communication monitoring system including IDS, where in an alert classification operation further support can be performed where operation analyzes routine items included in the alert (i.e. irregular structure like payload). An importance calculating apparatus when a first alert is notified in response to detection of an abnormality in monitoring communication network on the basis of the feature included in the communication information causing alert 1. The basis also determine features not included in the communication information on one or a plurality of second alert notified before the first alert in the past. The importance degree calculation obtains an importance degree for the alert. P. 3, ¶4: the degree-of-importance calculating unit 2 calculates the degree of importance based on the characteristic not included in the communication information on one or more alerts (second alerts) included in the communication information]; wherein the at least one processor is further configured to perform the learning replacing the first alert in the generation pattern of the first alert when the anomaly occurs due to a cause other than the cyber-attack [Porras, Col 7, lines 56-67: alert processing engine 34 can dynamically establish/suspend connections through alert manager 24 where connection alert streams from sensors 22 that are removed]
teach or suggests, alone or in combination, the particular combination of steps or elements as recited in the independent claims, claims 1 and 10-11. For example, none of the cited prior art teaches or suggests wherein the at least one processor is further configured to perform the learning by replacing the first alert in the generation pattern of the first alert when the anomaly occurs due to a cause other than the cyber-attack with the second alert associated with the first alert based on the association information, in view of other limitations of claims 1 and 10-11.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."
The closest prior art made of record are:
Mulchandani et al (20170171235 A1) teaches systems, methods, and apparatus, including computer programs encoded on computer storage media, for obtaining, processing, and presenting data related to security events, and for implementing courses of action to protect assets in response to the security events. An event management module identifies malicious activity present on a first network domain and/or a second network domain based on received network domain activity. A threat intelligence module receives data identifying the malicious activity in first data constructs of a predefined data structure. The threat intelligence module obtains additional data related to the identified malicious activity and generates second data 
Galula et al (20170013005 A1) teaches a system and method for providing security to a network may include monitoring, by a processor, traffic on a first and second network portions of an in-vehicle communication network; determining whether or not a first message detected on the first network portion is anomalous based on at least one of: an attribute of a second message detected on the second network portion and an absence of a second message from the second network portion over a predefined time period; and, if it is determined the first message is anomalous then performing at least one action. (¶¶0047, 0073-0076, 0274, and 0298).
Joll et al (20140157405 A1) teaches a scalable cyber-security system, method and architecture for the identification of malware and malicious behavior in a computer network. Host flow, host port usage, host information and network data at the application, transport and network layers are aggregated from within the network and correlated to identify a network behavior such as the presence of malicious code. (¶¶0051-0055, 0108, 0121).
Williams et al (20070266435 A1) teaches a computer system for intrusion detection includes a production processor and a security processor. The 
Shulman et al (20070214503 A1) teaches a method for detecting network attacks is provided. In one implementation, the method receives a plurality of attack indications based on data transmitted on the network and applies rules to the plurality of attack indications. Also, the method generates an alert if an application of at least a subset of the rules on the plurality of attack indications indicates a potential attack. In addition, a network device that performs the method and a computer program corresponding to the method are provided. (¶¶0008-0010, 0019, 0022, 0025-0034, 0037-0041, and 0047-0052).
Porras et al (6704874 B1) teaches a method of managing alerts in a network including receiving alerts from network sensors, consolidating the alerts that are indicative of a common incident and generating output reflecting the 
Powers et al (20170034198 A1) teaches a network node includes enhanced functionality to fight through cyber-attacks. A plurality of virtual machines run at the network node. The network node receives a plurality of transaction requests and distributes a copy of each of the transaction requests to the plurality of virtual machines over a plurality of time steps. Based on the first virtual machine having executed (n) transaction requests in the plurality of transaction requests, the node detects whether any of the virtual machines has been compromised. In response to detecting the plurality of virtual machines includes a compromised virtual machine, the network node isolates the compromised virtual machine. Furthermore, after isolating the compromised virtual machine, the network node may receive a subsequent transaction request and dispatch the subsequent transaction request to the compromised virtual machine. The compromised virtual machine may execute the subsequent transaction request. (¶¶0088, 0108-0109, 0119-0128, 0207, 0245, and 0254).
Kapoor et al (20120017262 A1) teaches a flow processing facility, which uses a set of artificial neurons for pattern recognition, such as a self-organizing map, in order to provide security and protection to a computer or computer system supports unified threat management based at least in part on patterns relevant to a variety of types of threats that relate to computer systems, including computer networks. Flow processing for switching, security, and 
Yue et al (8307433 B2) teaches method of protecting username/password (U/P) credentials operates on a client computer that cooperates with an anti-phishing scheme that generates a client warning at the client computer when a suspected phishing website issues a U/P request. At the client computer, a set of S fake U/P credentials is generated when the client warning is heeded, or a set of (S−1) fake U/P credentials are derived from a client-supplied U/P credential provided after the client warning is ignored. The client computer then transmits to the suspected phishing website one of (i) the set of S fake 
Manadhata et al (11240263 B2) teaches an alert relating to an issue in a computing arrangement is received. It is determined that the received alert is similar to a given alert in an information repository containing information of past processes performed to address respective issues, the determining comprising comparing a property associated with the received alert to a property of alerts associated with the past processes, and the information contained in the information repository comprising actions taken in the past processes to address the respective issues. Performance of a remediation action is triggered that comprises an action, identified by the information in the information repository, taken to respond to the given alert.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH W TAYLOR whose telephone number is (571)270-0682. The examiner can normally be reached on Monday-Friday, 9:45-5:45.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ELENI SHIFERAW, can be reached on 571-272-3867. The fax phone
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Sakinah White Taylor/Primary Examiner, Art Unit 2497