Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Claims 1-20 remain for examination.  Claims 1, 8 and 15 have been amended. Applicant's arguments filed on 01/10/2022 have been fully considered but they are moot in view of the new ground(s) of rejection necessitated by the amendments. Accordingly, this action has been made final.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not 
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Hassanzadeh U.S. Pub. No. 20190141058 A1, in view of KRAUS U.S. Pub. No. 20160080335 A1, in further view of DEAN U.S. Pub. No. 20170230392 A1.
As to claim 1, Hassanzadeh discloses a computing device, comprising: one or more processors; and one or more memory devices that store executable computer program logic for execution by the one or more processors, the executable computer program logic comprising (Hassanzadeh Fig. 1): an alert association determiner configured to receive alerts generated with respect to a set of entities by a first alert generator (Hassanzadeh Pa. [0072]) [Domain activity data is received from a first network domain (e.g., an IT network domain) including multiple alerts (802)], and calculate association scores for pairs of the alerts (Hassanzadeh Pa. [0076]) [dependency is determined for each of one or more pairs of alerts (808). Each alert includes at least one dependency on one other alert, where a dependency can include a prerequisite dependency (e.g., a preceding alert) between a pair of alerts, or a consequence dependency (e.g., a following alert) between a pair of alerts]; and a security incident model generator configured to form a security incident model, based on the clusters, that defines sequences of alerts corresponding to security incidents (Hassanzadeh Pa. [0078]) [A graphical visualization (e.g., correlation graph 600) is generated for the multiple alerts (e.g., alerts 602) (810). The graphical visualization may arrange the multiple classified alerts according to the sequence of steps of the cyber kill chain, where each alert is a node and each dependency between the alerts is an edge]
It is noted that Hassanzadeh does not appear to explicitly disclose a community identifier configured to cluster the alerts into clusters based on the association scores.
However, KRAUS discloses a community identifier configured to cluster the alerts into clusters based on the association scores (KRAUS PA. [0004]) [Some alert confidence scoring embodiments include a processor, and a memory in operable communication with the processor, and other computational components such as an aggregator, a vectorizer, and a classifier. The aggregator receives insight instances. Each insight instance of interest has an insight value and an insight type, and is associated with an alert identifier which identifies an alert. The alert was generated from monitoring a monitored system. The aggregator aggregates insight values of received instances which have the same insight type. The vectorizer creates a feature vector containing feature values, with the feature values corresponding to insight types. The feature vector contains a feature value which is an aggregated insight value produced by the aggregator from multiple insight values. The feature vector is also associated with the alert. The classifier accepts the feature vector and assigns a confidence score to the alert based at least partially upon the feature vector. The confidence score indicates a degree of confidence that the alert represents a threat to one or more operations of the monitored system. An output device may be configured to report the confidence score]
Thus, it would have been recognized by one of ordinary skill in the art that applying the known technique taught by KRAUS to the intrusion detection system of  (KRAUS Pa. [0003]) 
It is further noted that the combination of Hassanzadeh and KRAUS does not appear to explicitly disclose each association score indicating a strength of association between a pair of alerts.
However, DEAN discloses each association score indicating a strength of association between a pair of alerts (DEAN Pa. [0222]) [would not be practical for the user of a system to have to compare every pair of alerts. Instead what one could do would be to compare the strength of each alert to some reference strength. Since a user is likely to only be interested in alerts that exceed the reference strength one can then choose the reference strength to achieve a desired false positive rate. In order to formalize this, the following assumption will be made]
Thus, it would have been recognized by one of ordinary skill in the art that applying the known technique taught by DEAN to the intrusion detection system of Hassanzadeh and KRAUS would have yielded predictable results and resulted in an improved system, namely, a system that would calculate the probability that a device is behaving anomalously (DEAN Pa. [0002]).

As to claim 2, the combination of Hassanzadeh, KRAUS and DEAN discloses wherein the alert association determiner is configured to: generate an alert association graph indicating the alerts as nodes and the association scores as edges between the nodes (Hassanzadeh Pa. [0078]) [A graphical visualization (e.g., correlation graph 600) is generated for the multiple alerts (e.g., alerts 602) (810). The graphical visualization may arrange the multiple classified alerts according to the sequence of steps of the cyber kill chain, where each alert is a node and each dependency between the alerts is an edge]; and filter the alert association graph by removing edges between corresponding pairs of alerts from the alert association graph (Hassanzadeh Pa. [0076]) [dependency is determined for each of one or more pairs of alerts (808). Each alert includes at least one dependency on one other alert, where a dependency can include a prerequisite dependency (e.g., a preceding alert) between a pair of alerts, or a consequence dependency (e.g., a following alert) between a pair of alerts] having co-occurrence scores below a first threshold (KRAUS Pa. [0029]) [Confidence scoring may also enable filtering out alerts which have scores below a threshold parameter. Ranking a list of alerts may be crucial for efficiently utilizing a human analyst's limited time]; and wherein the community identifier is configured to cluster the alerts into the clusters based on the filtered alert association graph (KRAUS Pa. [0004]) [Some alert confidence scoring embodiments include a processor, and a memory in operable communication with the processor, and other computational components such as an aggregator, a vectorizer, and a classifier. The aggregator receives insight instances. Each insight instance of interest has an insight value and an insight type, and is associated with an alert identifier which identifies an alert. The alert was generated from monitoring a monitored system. The aggregator aggregates insight values of received instances which have the same insight type. The vectorizer creates a feature vector containing feature values, with the feature values corresponding to insight types. The feature vector contains a feature value which is an aggregated insight value produced by the aggregator from multiple insight values. The feature vector is also associated with the alert. The classifier accepts the feature vector and assigns a confidence score to the alert based at least partially upon the feature vector. The confidence score indicates a degree of confidence that the alert represents a threat to one or more operations of the monitored system. An output device may be configured to report the confidence score]
Thus, it would have been recognized by one of ordinary skill in the art that applying the known technique taught by KRAUS to the intrusion detection system of Hassanzadeh would have yielded predictable results and resulted in an improved system, namely, a system that would process raw event data of a monitored computing system into a form that is suitable for useful classification by machine learning mechanisms (KRAUS Pa. [0003]).

As to claim 3, the combination of Hassanzadeh, KRAUS and DEAN discloses wherein the alert association determiner, to filter the alert association graph, is further configured to: unite first and second nodes in the alert association graph if an edge between the first (Hassanzadeh Pa. [0002]) [A dependency is then determined for each of one or more pairs of alerts and a graphical visualization of the multiple alerts is generated, where the graphical visualization includes multiple nodes and edges between the nodes, each node corresponding to the cyber kill chain and representing at least one alert, and each edge representing a dependency between alerts] and second nodes has a co-occurrence score above a second threshold (KRAUS Pa. [0027-0029]) [the number of security alerts or operational alerts per hour generated by monitoring even a relatively small computing system may be in the hundreds, or higher. Depending on security settings, alert thresholds]
Thus, it would have been recognized by one of ordinary skill in the art that applying the known technique taught by KRAUS to the intrusion detection system of Hassanzadeh would have yielded predictable results and resulted in an improved system, namely, a system that would process raw event data of a monitored computing system into a form that is suitable for useful classification by machine learning mechanisms (KRAUS Pa. [0003]).

As to claim 4, the combination of Hassanzadeh, KRAUS and DEAN discloses wherein the security incident model generator is configured to (KRAUS Pa. [0307]) [Based on the model, the virtual advisor assigns the feature vector a confidence score indicating the level of confidence that the feature vector is (or is not) indicative of a security incident. Thus, a hierarchy used in this example is event . incident, with events being the least serious and incidents being the most serious], for each cluster of the clusters, determine dependencies between alerts of the cluster (Hassanzadeh Pa. [0076]) [dependency is determined for each of one or more pairs of alerts (808). Each alert includes at least one dependency on one other alert, where a dependency can include a prerequisite dependency (e.g., a preceding alert) between a pair of alerts, or a consequence dependency (e.g., a following alert) between a pair of alerts], and orient the alerts of the cluster based on the dependencies to generate a model portion corresponding to the cluster; and wherein the security incident model generator is further configured to aggregate the model portions to form the security incident model (KRAUS Pa. [0004]) [Some alert confidence scoring embodiments include a processor, and a memory in operable communication with the processor, and other computational components such as an aggregator, a vectorizer, and a classifier. The aggregator receives insight instances. Each insight instance of interest has an insight value and an insight type, and is associated with an alert identifier which identifies an alert. The alert was generated from monitoring a monitored system. The aggregator aggregates insight values of received instances which have the same insight type. The vectorizer creates a feature vector containing feature values, with the feature values corresponding to insight types. The feature vector contains a feature value which is an aggregated insight value produced by the aggregator from multiple insight values. The feature vector is also associated with the alert. The classifier accepts the feature vector and assigns a confidence score to the alert based at least partially upon the feature vector. The confidence score indicates a degree of confidence that the alert represents a threat to one or more operations of the monitored system. An output device may be configured to report the confidence score]
Thus, it would have been recognized by one of ordinary skill in the art that applying the known technique taught by KRAUS to the intrusion detection system of  (KRAUS Pa. [0003]) 

As to claim 5, the combination of Hassanzadeh, KRAUS and DEAN discloses wherein the security incident model generator is configured to: determine the dependency between alerts of a cluster based on a conditional independence property (Hassanzadeh Pa. [0002]) [A dependency is then determined for each of one or more pairs of alerts and a graphical visualization of the multiple alerts is generated, where the graphical visualization includes multiple nodes and edges between the nodes, each node corresponding to the cyber kill chain and representing at least one alert, and each edge representing a dependency between alerts] 

As to claim 6, the combination of Hassanzadeh, KRAUS and DEAN discloses wherein the security incident model generator, to orient the alerts of the cluster, is configured to: orient the alerts of the cluster based on at least one of kill-chain position information, temporal relation information between alerts, or a collider (Hassanzadeh Pa. [0002]) [each node corresponding to the cyber kill chain and representing at least one alert]

As to claim 7, the combination of Hassanzadeh, KRAUS and DEAN discloses further comprising an alert incident identifier configured to: receive a set of additional alerts from a second alert generator (Hassanzadeh Pa. [0004]) [determining the dependency for each of one or more pairs of alerts includes identifying at least one prerequisite step to the particular step of the cyber kill chain process corresponding to the one or more pairs of alerts]; determine a match between the additional alerts and a sequence of alerts in the security incident model; identify the additional alerts as a security incident corresponding to the sequence of alerts in the security incident model (Hassanzadeh Pa. [0064]) [the correlation graph generator 514 uses fuzzy-matching or other techniques including probabilistic correlation, attack graph matching, formal methods, state machine, and logic-based models to analyze the classified alert data 554 and build the correlation graph]; and provide a notification of the security incident to the second alert generator (KRAUS Pa. [0267]) [notifying 1602 a human administrator of at least a portion of the event data, displaying a list of alerts ranked according to respective confidence scores]
Thus, it would have been recognized by one of ordinary skill in the art that applying the known technique taught by KRAUS to the intrusion detection system of Hassanzadeh would have yielded predictable results and resulted in an improved system, namely, a system that would process raw event data of a monitored computing system into a form that is suitable for useful classification by machine learning mechanisms (KRAUS Pa. [0003]).
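The pipeline recited across claims 1 through 7 (association scores for pairs of alerts, an alert association graph filtered by a first threshold and coarsened by uniting nodes above a second threshold, clustering on the filtered graph, orientation of each cluster by kill-chain position into a model portion, aggregation of the portions into a security incident model, and matching of a second alert generator's alerts against the model's sequences) is illustrated below in Python. This is an added example for the reader; it is neither the applicant's claimed implementation nor code from Hassanzadeh, KRAUS or DEAN. The Jaccard co-occurrence score, the thresholds 0.5 and 0.9, the kill-chain stage list, connected components as the community method, and all sample alerts are constructed assumptions.

```python
"""Alert association graph -> filtered graph -> clusters -> security incident model.
Added illustrative example; scoring, thresholds, stage order and sample alerts are
constructed assumptions, not taken from any cited reference."""
from itertools import combinations

# Assumed kill-chain stage order, used to orient the alerts inside a cluster.
KILL_CHAIN = ["recon", "delivery", "exploitation", "c2", "exfiltration"]

# Constructed alerts from the "first alert generator": (alert_type, entity, stage).
STAGE = {"port_scan": "recon", "failed_login": "recon", "phish_attachment": "delivery",
         "usb_mount": "delivery", "macro_exec": "exploitation", "beacon_dns": "c2",
         "bulk_upload": "exfiltration"}
ALERTS = [(t, host, STAGE[t]) for host, types in {
    "host-a": ["port_scan", "phish_attachment", "macro_exec", "beacon_dns"],
    "host-b": ["port_scan", "phish_attachment", "macro_exec", "beacon_dns"],
    "host-c": ["port_scan", "phish_attachment", "beacon_dns"],
    "host-d": ["port_scan", "usb_mount", "bulk_upload"],   # port_scan links weakly here
    "host-e": ["usb_mount", "bulk_upload"],
    "host-f": ["failed_login"],
}.items() for t in types]


def association_scores(alerts):
    """Co-occurrence score per pair of alert types: Jaccard overlap of the entity
    sets on which each type fired (assumed scoring; 1.0 = always seen together)."""
    entities = {}
    for atype, entity, _ in alerts:
        entities.setdefault(atype, set()).add(entity)
    scores = {}
    for a, b in combinations(sorted(entities), 2):
        union = entities[a] | entities[b]
        scores[(a, b)] = len(entities[a] & entities[b]) / len(union)
    return scores


def filter_graph(types, scores, low, high):
    """Drop edges scoring below `low`; unite endpoints of edges scoring above
    `high` into one node. Returns the coarsened edges and a `find` function that
    maps each alert type to its united node."""
    parent = {t: t for t in types}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    kept = {pair: s for pair, s in scores.items() if s >= low}
    for (a, b), s in kept.items():
        if s > high:
            parent[find(a)] = find(b)  # unite strongly co-occurring alert types
    coarse = {}
    for (a, b), s in kept.items():
        ra, rb = find(a), find(b)
        if ra != rb:  # edges that fall inside a united node disappear
            key = (min(ra, rb), max(ra, rb))
            coarse[key] = max(coarse.get(key, 0.0), s)
    return coarse, find


def cluster_alerts(types, coarse_edges, find):
    """Communities = connected components of the filtered, coarsened graph,
    expanded back to their member alert types."""
    members, adj = {}, {}
    for t in types:
        members.setdefault(find(t), set()).add(t)
        adj.setdefault(find(t), set())
    for ra, rb in coarse_edges:
        adj[ra].add(rb)
        adj[rb].add(ra)
    seen, clusters = set(), []
    for root in members:
        stack, comp = [root], set()
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            comp |= members[node]
            stack.extend(adj[node])
        if comp:
            clusters.append(comp)
    return clusters


def orient(cluster, stage_of):
    """Model portion: the cluster's alert types ordered by kill-chain position."""
    return tuple(sorted(cluster, key=lambda t: (KILL_CHAIN.index(stage_of[t]), t)))


def build_incident_model(alerts, low=0.5, high=0.9):
    """Aggregate the oriented model portions into the security incident model,
    a list of alert sequences; single-alert clusters are not treated as incidents."""
    stage_of = {atype: stage for atype, _, stage in alerts}
    types = sorted(stage_of)
    coarse, find = filter_graph(types, association_scores(alerts), low, high)
    clusters = cluster_alerts(types, coarse, find)
    return sorted(orient(c, stage_of) for c in clusters if len(c) > 1)


def match_incident(model, new_alerts):
    """Alert incident identifier: order a second generator's alerts by kill-chain
    stage and return the first model sequence they contain in order, else None."""
    stage_of = {atype: stage for atype, _, stage in new_alerts}
    observed = orient(set(stage_of), stage_of)
    for sequence in model:
        it = iter(observed)
        if all(any(o == s for o in it) for s in sequence):
            return sequence
    return None


if __name__ == "__main__":
    model = build_incident_model(ALERTS)
    print(model)
    print(match_incident(model, [("beacon_dns", "host-z", "c2"), ("port_scan", "host-z", "recon"),
                                 ("phish_attachment", "host-z", "delivery")]))
```

With the constructed data the weak port_scan edges to the USB cluster (score 0.2) fall below the first threshold and are removed, phish_attachment and beacon_dns (score 1.0) are united into one node, and the model ends up with two oriented sequences: the phishing-to-beacon chain and the USB-to-upload chain. A real deployment would replace the Jaccard score and connected components with the association measure and community detection method of its choice; the filtering and orientation logic is unaffected by that choice.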
  
As to claim 8, the combination of Hassanzadeh, KRAUS and DEAN discloses receiving alerts generated with respect to a set of entities by a first alert generator; calculating association scores for pairs of the alerts (Hassanzadeh Pa. [0072]) [Domain activity data is received from a first network domain (e.g., an IT network domain) including multiple alerts (802)]; clustering the alerts into clusters based on the association scores (Hassanzadeh Pa. [0078]) [A graphical visualization (e.g., correlation graph 600) is generated for the multiple alerts (e.g., alerts 602) (810). The graphical visualization may arrange the multiple classified alerts according to the sequence of steps of the cyber kill chain, where each alert is a node and each dependency between the alerts is an edge]; and forming a security incident model, based on the clusters (KRAUS Pa. [0324]) [Visibility may also inform further training of a classifier model 702. Performance metrics 1106, 1108, 1636 are defined, and production level performance may be achieved 1634], that defines sequences of alerts corresponding to security incidents (Hassanzadeh Pa. [0025]) [events are atomic pieces of data associated with communications and system activity, whereas alerts may be triggered in response to an event or a sequence of events]  
Thus, it would have been recognized by one of ordinary skill in the art that applying the known technique taught by KRAUS to the intrusion detection system of Hassanzadeh would have yielded predictable results and resulted in an improved system, namely, a system that would process raw event data of a monitored computing system  (KRAUS Pa. [0003]) 

As to claim 9, claim 9 recites limitations similar to those of claim 2; therefore, it is rejected under the same rationale.

As to claim 10, claim 10 recites limitations similar to those of claim 3; therefore, it is rejected under the same rationale.

As to claim 11, claim 11 recites limitations similar to those of claim 4; therefore, it is rejected under the same rationale.

As to claim 12, claim 12 recites limitations similar to those of claim 5; therefore, it is rejected under the same rationale.

As to claim 13, claim 13 recites limitations similar to those of claim 6; therefore, it is rejected under the same rationale.

As to claim 14, claim 14 recites limitations similar to those of claim 7; therefore, it is rejected under the same rationale.

As to claims 15-16, claims 15-16 recite limitations respectively similar to those of claims 1-2; therefore, they are rejected under the same rationale.

As to claims 17-20, claims 17-20 recite limitations respectively similar to those of claims 4-7; therefore, they are rejected under the same rationale.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to EVANS DESROSIERS whose telephone number is (571) 270-5438. The examiner can normally be reached Monday - Thursday 7:00 am - 5:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Ashok B. Patel, can be reached at 571-272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/EVANS DESROSIERS/Primary Examiner, Art Unit 2491