DETAILED ACTION
Notice of Pre-AIA or AIA Status
1. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Interpretation - 35 USC § 112
2. The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. - An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.

As explained in MPEP §2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:

(A)    the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;



(C)    the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.

Use of the word “means” (or “step for”) in a claim with functional language creates a rebuttable presumption that the claim element is to be treated in accordance with 35 U.S.C. 112(f) (pre-AIA 35 U.S.C. 112, sixth paragraph). The presumption that 35 U.S.C. 112(f) (pre-AIA 35 U.S.C. 112, sixth paragraph) is invoked is rebutted when the function is recited with sufficient structure, material, or acts within the claim itself to entirely perform the recited function.

Absence of the word “means” (or “step for”) in a claim creates a rebuttable presumption that the claim element is not to be treated in accordance with 35 U.S.C. 112(f) (pre-AIA 35 U.S.C. 112, sixth paragraph). The presumption that 35 U.S.C. 112(f) (pre-AIA 35 U.S.C. 112, sixth paragraph) is not invoked is rebutted when the claim element recites function but fails to recite sufficiently definite structure, material or acts to perform that function.

Claim elements in this application that use the word “means” (or “step for”) are presumed to invoke 35 U.S.C. 112(f) except as otherwise indicated in an Office action. Similarly, claim elements that do not use the word “means” (or “step for”) are presumed not to invoke 35 U.S.C. 112(f) except as otherwise indicated in an Office action.




Since these claim limitations invoke 35 U.S.C. 112, sixth paragraph, claims are interpreted to cover the corresponding structure described in the specification that achieves the claimed function, and equivalents thereof.

A review of the specification shows that the following appears to be the corresponding structure described in the specification for the 35 U.S.C. 112, sixth paragraph limitation: See fig. 7 and associated paragraphs 0076, 0085-0086 (the cited paragraphs state that the term “unit” is understood to encompass a tangible entity...physically constructed).

If applicant wishes to provide further explanation or dispute the examiner’s interpretation of the corresponding structure, applicant must identify the corresponding structure with reference to the specification by page and line number, and to the drawing, if any, by reference characters in response to this Office action.

If applicant does not wish to have the claim limitation treated under 35 U.S.C. 112, sixth paragraph, applicant may amend the claim so that it will clearly not invoke 35 U.S.C. 112, sixth paragraph, or present a sufficient showing that the claim recites sufficient structure, material, or acts for performing the claimed function to preclude application of 35 U.S.C. 112, sixth paragraph.



Claim Rejections - 35 USC § 103
4. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

5. Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu (US Pub. No. 2017/0063900) in view of Lowry (US Pub. No. 2018/0293533).

6. Regarding claims 1, 9 and 17, Muddu teaches a system, a method comprising: one or more processing units; and a computer-readable storage medium having computer-executable instructions stored thereupon, which, when executed by the one or more processing units, cause the one or more processing units to: receive data associated with a threat detected based on a first operation that occurs in a data plane of a shared resource (Para:0139-040 teaches the environment 10 may represent a networked computing environment of one or multiple companies or organizations, and can be implemented across multiple geographic regions. One or more elements in the environment 10 are communicatively coupled to each other through a computer communications network. The security platform within the environment 10 can detect anomalies and threats produced by a user, a device, or an application, for example, regardless of whether the entity that causes the anomalies or threats is from outside or inside the organization's network. The security analytics techniques that can be adopted by the security

access an activity log that includes a plurality of previous operations that occur in a control plane of the shared resource, the plurality of previous operations performed by a plurality of different users authorized to configure the shared resource via the control plane (Fig.6 and Para: 0184- 0186 and Para:0189 teaches the security platform 300 can create a behavior baseline for any type of entity (for example, a user, a group of users, a device, a group of devices, an application, and/or a group of applications). The activities of server 606 are monitored and a baseline profile 616 specific for the server 606 is generated over time, based on event data indicative of network activities of server 606. Baseline profiles can be continuously updated (whether in real-time as event data streams in, or in batch according to a predefined schedule) in response to received event data, i.e., they can be updated dynamically and/or adaptively based on event data. If the human user 604 begins to access source code server 610 more frequently in support of his work, for example, and his accessing of source code server 610 has been judged to be legitimate by the security platform 300 or a network security administrator (i.e., the anomalies/threats detected upon behavior change have been resolved and deemed to be legitimate activities), his baseline profile 614 is updated to reflect the updated "normal" behavior for the human user 604. The anomalies and threats are detected by comparing incoming event data (e.g., a series of events) against the baseline profile for an 

for each previous operation of the plurality of previous operations, calculate an operation relevance score using a significance rating and an age rating, wherein: the significance rating is determined based on an association between a type of the previous operation that occurs in the control plane of the shared resource and a type of the threat detected based on the first operation that occurs in the data plane of the shared resource; and the age rating represents an amount of time between a time when the previous operation occurs and a time when the first operation occurs; identify a subset of the plurality of previous operations performed by each user of the plurality of different users (Para:0337 teaches the security platform can include at least two event processing engines—one event processing engine operating in a real-time mode to process unbounded, streaming data that enters the security platform, and the other event processing engine operating in a batch mode to process batches of historical event data. Because the batch event processing engine tends to have more time to process data but also tends to handle a larger amount of data, it is desirable for an event processing engine implemented on the batch path be able to interact with the distributed data cluster that stores the data, instead of moving or copying the data into the platform; and utilize 
Para:0359-0360 teaches processing the event data 2302 through an anomaly model. The anomaly model includes at least model processing logic defining a process for assigning an anomaly score to the event data 2302 and a model state defining a set of parameters for applying the model processing logic. A plurality of anomaly model instances may be instantiated for each entity associated with the computer network. Each model instance may be of a particular model type configured to detect a particular category of anomalies based on incoming event data. For example, in an embodiment, a computer on computer network is associated with various anomaly models, with one of the anomaly models configured to detect an anomaly indicative of a machine generated beacon communication to an entity outside the computer network. The security platform includes anomaly models configured to detect a number of different kinds of anomalous activity, such as lateral movement, blacklisted entities, malware communications, rare events, and beacon activity. Each of these anomaly models would include unique processing logic and parameters for applying the processing logic. Similarly, each model instance (i.e. for a particular entity) may include unique processing logic and parameters for applying the processing logic. Assigning an anomaly score based on the processing of the event data 2302 through the anomaly model. Calculation of the anomaly score is done by the processing logic contained within the anomaly model and represents a quantification of a degree to which the processed event data is associated with anomalous activity on the network. The anomaly score is a value in a specified range. For example, the resulting anomaly score may be a value between 0 and 10, with 0 being the least anomalous and 10 being the most anomalous);



Figs.47B, 48-49A and Para:0503-0509 teaches the GUI generates a user anomaly review table and an apps review table that includes the user name, application name, the number of associated anomalies, the number of associated threats, the date and/or time of the most recent update, the score associated with the user and the score associated with the application);

Muddu teaches all the above claimed limitations but does not expressly teach identify one or more most relevant persons to mitigate the threat; and cause an alert for the threat to be displayed, the alert indicating the most relevant person to contact.

Lowry teaches identify one or more most relevant persons to mitigate the threat; and cause an alert for the threat to be displayed, the alert indicating the most relevant person to contact

Therefore, it would have been obvious to one of ordinary skill in the art before the invention was filed to modify Muddu to include identify one or more most relevant persons to mitigate the threat; and cause an alert for the threat to be displayed, the alert indicating the most relevant person to contact as taught by Lowry, since such a setup will result in a predictable result of fast and accurate decisions based on the collected data.

7. Regarding claim 2 Lowry teaches the system, wherein the alert includes contact information for the one or more most relevant persons (Para:007 teaches contact information of the relevant person).

8. Regarding claim 3 Muddu teaches the system, wherein each user of the plurality of different users is defined as an owner or an administrator of the shared resource in accordance with a policy established for a client organization (Para:0183-0184 teaches the plurality of user includes an admin).

9. Regarding claim 4 Lowry teaches the system, wherein each of the one or more most relevant persons is equipped to investigate the alert and to mitigate the threat (Para:0157 and Para:0160 teaches investigate the alert and mitigate it).

10. Regarding claim 5 Muddu teaches the system, wherein each of the plurality of previous operations occurs in a predefined time window established based on the time when the first operation occurs (Para:0381-0382 teaches the time window when the anomaly occurred).



12. Regarding claim 7 Muddu teaches the system, wherein the computer-executable instructions further cause the one or more processing units to: identify a connection between the first operation that occurs in the data plane of the shared resource and a related previous operation that occurs in the control plane of the shared resource; and add a description of the connection to the alert (Para:0370-0372 teaches determining a measure (e.g., a count) of entities of the computer network associated with a particular anomaly, a particular category of anomaly, or a set of anomalies with substantially matching profiles or footprints).

13. Regarding claim 8 Muddu teaches the system, wherein the connection is identified from a plurality of predefined connections or a plurality of learned connections (Para:0370-0372 and Para:0401-0404 teaches the connection is identified from a plurality of predefined connections).

14. Regarding claim 10 Muddu teaches the method, wherein each user of the plurality of different users is authorized to configure the shared resource in accordance with a policy established for a client organization (Para:0175-0177 teaches plurality of users sharing resources based on established rules).

15. Regarding claim 11 Muddu teaches the method, wherein the at least one most relevant person comprises one or more users with one or more highest user relevance scores (Fig.47A, Para:0456-0458 and Para:0502 calculating the user score).

16. Regarding claim 12 Muddu teaches the method, wherein the at least one most relevant person comprises users that have user relevance scores that exceed a threshold user relevance score (Para:0578-0580 teaches user score exceeding the threshold).

17. Regarding claim 13 Lowry teaches the method, wherein the notification of the event includes contact information for the at least one most relevant person (Para:007, Para:0157 and Para:0160 teaches contact information of the relevant person).

18. Regarding claim 14 Muddu teaches the method, wherein each of the plurality of previous operations is performed in a predefined time window established based on the time when the event is triggered (Para:0381-0382 teaches the time window when the anomaly occurred).

19. Regarding claim 15 Muddu teaches the method, further comprising mapping the previous operation to a corresponding significance rating stored in a significance rating table established for the type of the event (Para:0402-0404 teaches mapping the previous operation that occurred and its score).

20. Regarding claim 16 Muddu teaches the method, further comprising: identifying a connection between the first operation and a related previous operation; and adding a description of the connection to the notification of the event (Para:0370-0372 teaches determining a measure (e.g., a count) of entities of the computer network associated with a particular anomaly, a particular category of anomaly, or a set of anomalies with substantially matching profiles or footprints).




22. Regarding claim 19 Muddu teaches the system, wherein the at least one most relevant person comprises (i) one or more users with one or more highest user relevance scores or (ii) users that have user relevance scores that exceed a threshold user relevance score (Fig.47A, Para:0456-0458 and Para:0502 calculating the user score).

23. Regarding claim 20 Lowry teaches the system, wherein the notification of the event includes contact information for the at least one most relevant person (Para:007, Para:0157 and Para:0160 teaches contact information of the relevant person).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEREENA T CATTUNGAL whose telephone number is (571)270-0506. The examiner can normally be reached Mon-Fri: 7:30 AM-5 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.






/DEREENA T CATTUNGAL/Primary Examiner, Art Unit 2431