Notice of Pre-AIA or AIA Status
	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
	Claims 1-20 are pending.
Information Disclosure Statement PTO-1449 
	The Information Disclosure Statements submitted by applicant on 11-05-2021, 07-01-2021, 04-02-2021 and 01-21-2021 have been considered. Please see attached PTO-1449.
Objections
	Claim 10 is objected to for the following informality:
	Each claim should end with a period. Claim 10 recites a semicolon (;) at the end of the claim. Applicant is required to replace the semicolon with a period. Appropriate correction required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


	Claims 1-5 and 15-20 are rejected under 35 U.S.C. §101 because the claimed invention is directed to non-statutory subject matter.  
Claim 1 recites “A system: one or more processor; and program instruction...”. Claim does not recite at least one hardware element within the body of the claim. Although the claim recites “one or more 
	Dependent claims 2-5 do not cure the deficiency of the independent claim and are rejected under 35 U.S.C. §101 for being directed to non-statutory subject matter.
	Claim 15 is directed to “computer readable media”, which, when interpreted in light of the specification (i.e., par 50), may embody a carrier wave and other forms of communication media. As such, the claim does not fall within a statutory class as defined under 35 U.S.C. 101.
 	Dependent claims 16-20 do not cure the deficiency of the independent claim and are rejected under 35 U.S.C. §101 for being directed to non-statutory subject matter.

Claim Rejections - 35 USC § 103
	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

	Claims 1, 3-5, 6, 8, 12-5 are rejected under 35 U.S.C. 103 as being unpatentable over Bartos et al. (US Publication No.2016/0226904) in view of Luo et al. (US Patent No.10,992,693).
	As per claim 1, Bartos teaches a system comprising: one or more processors; and programming instructions configured to be executed by the one or more processors (par [0226]) to perform operations comprising: receiving, from one or more host devices, data associated with events detected at the one or more host devices, wherein the events are produced by at least one process or at least one thread (par [0024], [0042], [0059], [0182], “a plurality of input incident data records are received at a security system”); determining a plurality of the events from the data for a time interval; identifying at least one malicious event within the plurality of the events based at least in part on the data indicating malicious activity (par [0059], “plurality of input incident data records containing characteristics of a plurality of detected network incidents, and identify two or more first incident data records that have a particular behavioral characteristic value …security system 110 may determine that the particular behavioral characteristic value is known to indicated a malicious attack”; par [0106], “incident that occurred within a certain period of time…incident that has been detected and identified with a certain period of time”; and par [0183], “plurality of input incident data records are scanned to identify two or more first incident data records that contain the origin characteristic value corresponding to an identifier of a particular attacker node”); determining an incident score for an incident including the at least one malicious event (par [0188], “creating truthfulness cluster record includes generating an initial severity level value and an initial confidence score”), the incident score being based at least in part on the at least one malicious event (par [0185]-[0186], and figure 9, “950 indicate A Malware Origin”).
	Bartos does not explicitly disclose, but in an analogous art Luo discloses, determining, based at least in part on incident scores, an aggregate score in accordance to an aggregation scheme (column 2, line 63-column 3, line 3, “[n]etwork trace information and process event information related to the outbound communication are provide to a detection model 120, which scores the outbound communication...the scores are combined and aggregated for use as aggregated abnormality scores (stored in an aggregated abnormality scores cache 130)”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Bartos to include determining, based at least in part on incident scores, an aggregate score in accordance to an aggregation scheme as disclosed by Luo. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to detect emergent abnormal behavior in a computer network faster and more accurately and improve the security of the network against malicious parties. 
	As per claim 6, Bartos teaches a method comprising: receiving events data associated with events detected at one or more host devices associated with an organization (par [0024], [0042], [0059], [0182], “a plurality of input incident data records are received at a security system”); detecting incidents from the events based at least in part on the events data indicating malicious activity (par [0059], “plurality of input incident data records containing characteristics of a plurality of detected network incidents, and identify two or more first incident data records that have a particular behavioral characteristic value …security system 110 may determine that the particular behavioral characteristic value is known to indicated a malicious attack”; and par [0183], “plurality of input incident data records are scanned to identify two or more first incident data records that contain the origin characteristic value corresponding to an identifier of a particular attacker node”); determining incident scores associated with the incidents (par [0188], “creating truthfulness cluster record includes generating an initial severity level value and an initial confidence score”).
	Bartos does not explicitly disclose, but in an analogous art Luo discloses, wherein an incident score of the incident scores is based at least in part on a base score and a surprisal value associated with the events (column 7, lines 6-26: previously observed abnormality scores and associated event data are stored in a rolling time window. These scores and the populations of various events are fed into the detection model to update and develop a view of the behavior in the online service that is frequent, so that abnormal behavior can be identified. The incident score is calculated based off of the previously aggregated abnormality scores and prior event data, such that the highest aggregated abnormality score is used as a baseline and modified by various spreadness features of the behavior related to the outbound communication); and determining, based at least in part on the incident scores, an aggregate score in accordance to an aggregation scheme (column 2, line 63-column 3, line 3, “[n]etwork trace information and process event information related to the outbound communication are provide to a detection model 120, which scores the outbound communication...the scores are combined and aggregated for use as aggregated abnormality scores (stored in an aggregated abnormality scores cache 130)”).

	As per claim 15, Bartos teaches one or more computer-readable media having computer executable instructions that, when executed by one or more processors, cause the one or more processors to perform operations (par [0229]) comprising: receiving, from a monitored computing device, data associated with events detected at the monitored computing device during a time interval (par [0024], [0042], [0059], [0182], “a plurality of input incident data records are received at a security system”); determining malicious events from the events; determining incidents from the malicious events (par [0059], “plurality of input incident data records containing characteristics of a plurality of detected network incidents, and identify two or more first incident data records that have a particular behavioral characteristic value …security system 110 may determine that the particular behavioral characteristic value is known to indicated a malicious attack”; par [0106], “incident that occurred within a certain period of time…incident that has been detected and identified with a certain period of time”; and par [0183], “plurality of input incident data records are scanned to identify two or more first incident data records that contain the origin characteristic value corresponding to an identifier of a particular attacker node”); determining incident scores associated with the incidents (par [0188], “creating truthfulness cluster record includes generating an initial severity level value and an initial confidence score”); and generating a time series graph to present the aggregate score (par [0144]-[0149], “two-dimensional graph depicting that a particular incident was repeated several times within a certain period of time, and severity of the incident varied within a certain range”).
column 4, lines 21-24, “produce an abnormality score for each event type based on its frequency of being observed”); determining an aggregate score based at least in part on the incident scores (column 2, line 63-column 3, line 3, “[n]etwork trace information and process event information related to the outbound communication are provide to a detection model 120, which scores the outbound communication...the scores are combined and aggregated for use as aggregated abnormality scores (stored in an aggregated abnormality scores cache 130)”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Bartos to include determining incident scores based at least in part on respective relative frequencies of occurrence of the malicious events, and determining an aggregate score based at least in part on the incident scores, as disclosed by Luo. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to detect emergent abnormal behavior in a computer network faster and more accurately and improve the security of the network against malicious parties.
	As per claim 3, Luo furthermore discloses, wherein the operations further include: determining the incident scores associated with incidents based at least in part on base scores and surprisal values associated with the incidents (column 7, lines 19-26: the incident score is calculated based off of the previously aggregated abnormality scores and prior event data, such that the highest aggregated abnormality score is used as a baseline and modified by various spreadness features of the behavior related to the outbound communication), wherein the surprisal values are based at least in part on respective relative frequencies of occurrence of the incidents (column 4, lines 21-24, “produce an abnormality score for each event type based on its frequency of being observed”). The motivation to combine is similar to the motivation provided in claim 1.
	As per claim 4, Luo furthermore discloses, wherein the aggregation scheme includes: determining the aggregate score based at least in part on determining a predetermined number of top (column 6, lines 67-column 7, line 5, “abnormality score for the outbound communication is aggregated with the abnormality scores for other outbound communication directed to the same destination device”). The motivation to combine is similar to the motivation provided in claim 1.
	As per claim 5, Luo furthermore discloses, wherein the aggregation scheme includes: determining the aggregate score based at least in part on aggregating incidents scores from the one or more host devices on an entity network over a time interval (column 6, lines 67-column 7, line 15, “abnormality score for the outbound communication is aggregated with the abnormality scores for other outbound communication directed to the same destination device 115. The previously observed abnormality scores and associated event data are stored, in some aspects, in a rolling time window...[a] rolling window allows the detection model 120 to use events occurring within a set time period from the current time”). The motivation to combine is similar to the motivation provided in claim 1.
	As per claim 8, Luo furthermore discloses, wherein the aggregation scheme is organization based and the aggregate score is determined by aggregating incidents scores from the one or more host devices associated with the organization over a time interval (column 6, lines 67-column 7, line 15, “abnormality score for the outbound communication is aggregated with the abnormality scores for other outbound communication directed to the same destination device 115. The previously observed abnormality scores and associated event data are stored, in some aspects, in a rolling time window...[a] rolling window allows the detection model 120 to use events occurring within a set time period from the current time”). The motivation to combine is similar to the motivation provided in claim 6.
	As per claim 12, Luo furthermore discloses, wherein the aggregation scheme is [industry based] and the aggregate score is determined based at least in part on aggregating events from host devices associated with organizations [associated with an industry], and wherein the surprisal value associated with the events are determined [for the industry] (column 2, line 63-column 3, line 3, “[n]etwork trace information and process event information related to the outbound communication are provide to a detection model 120, which scores the outbound communication...the scores are combined and aggregated for use as aggregated abnormality scores (stored in an aggregated abnormality scores cache 130)”). The motivation to combine is similar to the motivation provided in claim 6.
	Although Luo does not explicitly disclose that the aggregation scheme is industry based, the same aggregation method shown above could be implemented to aggregate scores on an industry basis. One of ordinary skill in the art would recognize that the process of aggregating scores does not depend on whether the basis is, for example, an industry or an organization; the scores could be computed and aggregated in the same way regardless of whether the basis is an industry or an organization.
	As per claim 13, Luo furthermore discloses, wherein the aggregation scheme is [global based] and the aggregate score is determined based at least in part on aggregating events from all host devices [globally], and wherein the surprisal value associated with the events are determined [globally] (column 2, line 63-column 3, line 3, “[n]etwork trace information and process event information related to the outbound communication are provide to a detection model 120, which scores the outbound communication...the scores are combined and aggregated for use as aggregated abnormality scores (stored in an aggregated abnormality scores cache 130)”). The motivation to combine is similar to the motivation provided in claim 6. Although Luo does not explicitly disclose that the aggregation scheme is global based, the same aggregation method shown above could be implemented to aggregate scores globally. One of ordinary skill in the art would recognize that the process of aggregating scores does not depend on whether the basis is global or organizational; the scores could be computed and aggregated in the same way regardless of whether the basis is global or an organization.
	As per claim 14, Luo furthermore discloses, wherein the aggregation scheme is organization based and the aggregate score is determined based at least in part on a predetermined number of top incident scores from the one or more host devices associated with an organization (column 6, line 67-column 7, line 5, “abnormality score for the outbound communication is aggregated with the abnormality scores for other outbound communication directed to the same destination device”), and further comprising: determining a likelihood that the organization is under attack based at least in part on the aggregate score (column 12, lines 53-63: comparing the incident score, which is based on the aggregated score, to an incident threshold, wherein satisfaction of the incident threshold indicates a likelihood that the source device is accessed by a malicious party). The motivation is similar to the motivation provided for claim 6.
	Claims 2 and 7 are rejected under 35 U.S.C. 103 as being unpatentable over Bartos in view of Luo, further in view of Kesin et al. (US Patent No. 9,047,652).
	As per claims 2 and 7, Bartos in view of Luo discloses all limitations of the claims as applied to claims 1 and 6 above. Bartos in view of Luo does not explicitly disclose, but in an analogous art Kesin discloses, outputting a visualization in a user interface that represents a change in the aggregate score over a time interval (column 26, lines 9-10, “an aggregate score can be displayed in the user interface”; and figure 16A, 1660 (aggregate score) and 1608 (timestamps)).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Bartos and Luo to include outputting a visualization in a user interface that represents a change in the aggregate score over a time interval, as disclosed by Kesin. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to provide information to the user in an understandable and coherent way.
	Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Bartos in view of Luo, further in view of Morlock et al. (US Publication No. 2013/0021382).
	As per claim 9, Bartos discloses, tagging an incident of the incidents with a timestamp (par [0044], “two-dimensional graph plotting a severity of an incident against a time axis…two-dimensional graph depicting that a particular incident was repeated several times within a certain period of time, and severity of the incident varied with a certain range”); decreasing a weighted contribution of the incident over time based at least in part on [applying a decay function with the] timestamp (par [0146]-[0147], “severity of incident was relatively high in the first period time, but it decreased in the second period of time”).
	While Bartos in view of Luo discloses determining a change in the aggregate score over time based at least in part on the weighted contribution of the incident decreasing over time (Luo, column 7, lines 19-26, “incident score is calculated based off of the previously aggregated abnormality scores and prior event data such that the highest aggregated abnormality score for communication with given destination device 115 is used as a baseline and modified by various spreadness features to the behavior related to the outbound communication…the value of spreadness factor increases (indicating more widespread behavior), its effect on the incident score decreases”), Bartos in view of Luo does not explicitly disclose decreasing a weighted contribution by applying a decay function with the timestamp. However, applying a decay function with time is old and well known, as illustrated by Morlock (par [0073], “use of any decay function to reduce the weight depending on the timestamp”).
	It would have been obvious and predictable to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Bartos and Luo to apply the well-known method of a decay function, as disclosed by Morlock, in order to determine abnormality and malicious activities.
	Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Bartos in view of Luo, in view of Lopez et al. (US Publication No. 2017/0171389), further in view of Jou et al. (US Publication No. 2016/0344762).
	As per claim 10, Bartos in view of Luo teaches all limitations of the claim as applied to claim 6 above. Bartos in view of Luo does not explicitly disclose receiving a user input indicating an incident has been resolved, wherein the user input is associated with a user from the organization; and determining, based at least in part on the incident score, to decrease the aggregate score. However, in an analogous art, Lopez discloses receiving a user input indicating an incident has been resolved, wherein the user input is associated with a user from the organization (par [0093], a user input mechanism 352 that allows the user to indicate whether the issue was resolved).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Bartos and Luo to include receiving a user input indicating an incident has been resolved, wherein the user input is associated with a user from the organization, as disclosed by Lopez. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to provide feedback when the problem is resolved.
par [0041], lowering the sensitivity parameter decreases the aggregate scores). 
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Bartos, Luo and Lopez to include determining, based at least in part on the incident score, to decrease the aggregate score, as disclosed by Jou. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to update the aggregated score.
	Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Bartos in view of Luo, in view of Lopez, in view of Jou, further in view of Muddu et al. (US Patent No. 9,516,053).
	As per claim 11, Bartos as modified does not explicitly disclose, but in an analogous art Muddu discloses, receiving a second user input indicating the incident detected was a false positive (column 12, lines 14-22, a decision by the user indicating that the discovered anomalies and threats are false positives can be provided as feedback data); tagging the incident as a false positive (par 78, lines 46-49, tag the threat with false positive); and storing data associated with the incident to train models to detect malicious activity (column 12, lines 14-22, update and improve the models).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to further modify Bartos to include receiving a second user input indicating the incident detected was a false positive; tagging the incident as a false positive; and storing data associated with the incident to train models to detect malicious activity, as disclosed by Muddu. This would have been obvious because one of ordinary skill in the art would have been motivated to update the model with the false positive incident to improve future evaluation.
	Claims 18 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Bartos in view of Luo, further in view of Saurabh (US Patent No. 10,735,272).
	As per claim 18, Bartos in view of Luo teaches all limitations of the claim as applied to claim 15 above. Bartos in view of Luo does not explicitly teach ranking the incidents based on associated incident scores; and determining a predetermined number of the incidents to present based at least in part on the ranking. However, in an analogous art, Saurabh discloses ranking the incidents based on associated incident scores (column 3, lines 57-58, “A ranking of each of the events may be generated based at least in part on the scoring of the event data”); and determining a predetermined number of the incidents to present based at least in part on the ranking (column 7, lines 1-2, “those events above a threshold ranking are prioritized further analysis”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Bartos and Luo to include ranking the incidents based on associated incident scores; and determining a predetermined number of the incidents to present based at least in part on the ranking, as disclosed by Saurabh. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to analyze security threats based on their severity levels. 
	As per claim 19, Saurabh furthermore discloses, wherein the operations further comprise generating a second time series graph to present the predetermined number of the incidents (column 8, lines 58-59, “feedback about the scored event data (204) may be provided via a graph”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Bartos and Luo to generate a second time series graph to present the predetermined number of the incidents, as disclosed by Saurabh, in order to report events to the user in an understandable and coherent way.
	Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Bartos in view of Luo, in view of Saurabh, further in view of Jackson et al. (US Publication No. 2018/0288060).
	As per claim 20, Bartos in view of Luo and Saurabh teaches all limitations of the claim as applied to claim 18 above. Bartos in view of Luo and Saurabh furthermore teaches determining a likelihood that the monitored computing device is under attack based at least in part on the aggregate score (Luo, column 12, lines 53-63: comparing the incident score, which is based on the aggregated score, to an incident threshold, wherein satisfaction of the incident threshold indicates a likelihood that the source device is accessed by a malicious party).
	Bartos in view of Luo and Saurabh does not explicitly teach, but in an analogous art Jackson discloses, determining an average incident score based at least in part on the predetermined number of the incidents (par [0046], “multiplying each score by a corresponding weight”); and determining the aggregate score based at least in part on the average incident score (par [0046], “and summing the weighted values to determine an aggregate correspondence score”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Bartos, Luo and Saurabh to include determining an average incident score based at least in part on the predetermined number of the incidents; and determining the aggregate score based at least in part on the average incident score, as disclosed by Jackson. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to achieve the predictable result of determining security risk levels more accurately. 
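	The scoring scheme that the rejected claims recite, as characterized above (an incident score built from a base score and a surprisal value derived from the relative frequency of the event type, a weighted contribution that decays with the incident's timestamp, an organization-based aggregate taken over a predetermined number of top incident scores, an attack likelihood judged against a threshold, and a resolved-incident input that lowers the aggregate), is illustrated by the following Python program. This is an added example and is not code from the application or from Bartos, Luo, Kesin, Morlock, Lopez, Jou, Muddu, Saurabh or Jackson; the specific surprisal formula (-log2 of relative frequency), the exponential half-life decay, the threshold value and the sample incidents are assumptions made for the illustration.

```python
"""Added illustration of the claimed incident-scoring and aggregation scheme.
Not code from the application or any cited reference; the surprisal formula,
the decay function, the threshold and the sample data are assumptions."""
import math
from collections import Counter
from dataclasses import dataclass


@dataclass
class Incident:
    host: str
    event_type: str
    base_score: float
    timestamp: float      # seconds (constructed values below)
    resolved: bool = False


# Constructed sample incidents for one organization during one time interval.
SAMPLE_INCIDENTS = [
    Incident("host-a", "credential_dump", 8.0, 1000.0),
    Incident("host-b", "port_scan", 3.0, 1200.0),
    Incident("host-c", "port_scan", 3.0, 1300.0),
    Incident("host-a", "port_scan", 3.0, 1400.0),
    Incident("host-d", "lateral_movement", 7.0, 1500.0),
]


def surprisal_values(incidents):
    """Surprisal per event type: -log2(relative frequency) (assumed formula).
    Event types that occur rarely within the population score higher."""
    counts = Counter(i.event_type for i in incidents)
    total = sum(counts.values())
    return {t: -math.log2(c / total) for t, c in counts.items()}


def incident_score(incident, surprisal):
    """Incident score = base score + surprisal of the incident's event type."""
    return incident.base_score + surprisal[incident.event_type]


def decayed_score(score, timestamp, now, half_life):
    """Decay function keyed on the timestamp (assumed exponential form):
    the weighted contribution halves every `half_life` seconds of age."""
    age = max(0.0, now - timestamp)
    return score * 0.5 ** (age / half_life)


def ranked_incidents(incidents, now, half_life=600.0, top_n=3):
    """Rank unresolved incidents by decayed score; return the top_n to present."""
    surprisal = surprisal_values(incidents)
    live = [i for i in incidents if not i.resolved]
    live.sort(key=lambda i: decayed_score(incident_score(i, surprisal),
                                          i.timestamp, now, half_life),
              reverse=True)
    return live[:top_n]


def aggregate_score(incidents, now, half_life=600.0, top_n=3):
    """Organization-based aggregation: average of the top_n decayed incident
    scores across all hosts in the interval (0.0 when nothing is unresolved)."""
    surprisal = surprisal_values(incidents)
    top = ranked_incidents(incidents, now, half_life, top_n)
    if not top:
        return 0.0
    return sum(decayed_score(incident_score(i, surprisal), i.timestamp,
                             now, half_life) for i in top) / len(top)


def likely_under_attack(aggregate, threshold=6.0):
    """Attack likelihood: the aggregate satisfies an assumed threshold."""
    return aggregate >= threshold


def with_resolution(incidents, host, event_type):
    """User input that an incident was resolved: return a copy with that
    incident flagged so it no longer contributes to the aggregate."""
    return [Incident(i.host, i.event_type, i.base_score, i.timestamp,
                     i.resolved or (i.host == host and i.event_type == event_type))
            for i in incidents]


if __name__ == "__main__":
    now = 1500.0
    before = aggregate_score(SAMPLE_INCIDENTS, now)
    print("aggregate:", round(before, 3), "under attack:", likely_under_attack(before))
    for inc in ranked_incidents(SAMPLE_INCIDENTS, now):
        print("  ", inc.host, inc.event_type)
    after = aggregate_score(with_resolution(SAMPLE_INCIDENTS, "host-d",
                                            "lateral_movement"), now)
    print("after resolution:", round(after, 3), "under attack:", likely_under_attack(after))
```

	Because the surprisal is computed over the whole population, a single credential dump scores well above any one of three port scans with the same base score, and because the decay is keyed to the timestamp, an old high-severity incident contributes less than a fresh one of the same score; resolving the top-ranked incident lowers the aggregate below the threshold in the sample run.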

Allowable Subject Matter
Claims 16 and 17 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims and if the 35 U.S.C. §101 rejection of the base claim is overcome.

References Cited, Not Used
	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
	Pandian et al., (US Publication No. 2020/0076853), discloses attribute values associated with a target device are determined based on data packets detected from a network. A subset of a set of classifiers associated with the available attribute values are selected. The attribute values are applied to the selected classifiers to determine a respective candidate device profile. A current device profile is determined for the target device based on the candidate device profiles. The current device profile 
	Jain et al. (US Patent No. 9,594,904) discloses a computerized method comprising receiving, by a network device, an object for analysis. Thereafter, the network device conducts a first analysis. The first analysis determines whether the object is configured to utilize reflection. According to one embodiment, the first analysis involves analysis of the content of the object by a static analysis engine. Alternatively, or in addition to this analysis, observing the behavior of the object as it attempts to access a reflection API may determine that the object is utilizing reflection. Responsive to the network device determining that the object utilizes reflection, a second analysis is conducted to determine whether the object is malicious.

Conclusion
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ali Abyaneh, whose telephone number is (571) 272-7961. The examiner can normally be reached Monday through Friday, 8:00-5:00. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid, can be reached at (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/ALI S ABYANEH/Primary Examiner, Art Unit 2437