DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to the Amendment filed on 12/14/2021.
In the instant Amendment, claims 1, 9-11 and 15 have been amended; and claims 1, 9 and 15 are independent claims.  Claims 1-20 have been examined and are pending.  This Action is made FINAL.

Response to Arguments
In attempt to promote compact prosecution, the Examiner has contacted the Applicants for possible amendments to move the case forward. However, the Applicants and the Examiner could not come up with an agreement.
Applicants’ arguments in the instant Amendment, filed on 03/01/2017, with respect to limitations listed below, have been fully considered but they are not persuasive.
Applicant’s arguments: “conduct, at the central instance, threat association comprising identifying a network security threat actor associated with the alert based at least in part on the search result that reflects the occurrences of the one or more observables in the second customer network are patentably distinct from Reybok and Baikalov.” 
The Examiner disagrees with the Applicants. The Examiner respectfully submits that Reybok does disclose conduct, at the central instance, threat association comprising identifying a network security threat actor associated with the alert based at least in part on the search result that reflects the occurrences of the one or more observables in the second customer network (Reybok: ¶0042 lines 31-33 the central service can notify network NET1, network NETn, or both, as to the severity of the threat; ¶0028 a notifications procedure can also vary depending on the type of threat; ¶0055 lines 46-52 the first network can be notified of query results, e.g., in the form of a summary or other data[ ...] query results represent respective, diverse networks (filtered as appropriate) and the first network is informed of the number of "hits," a ranked threat level provided by the central service, and a comparison with any local search results; ¶0028 if a first client (a securities firm) experiences a threat, which is then determined to be correlated with a second client (also a securities firm) reporting a similar event, then one or more other clients sharing a characteristic associated with these networks (e.g., other securities firms) can also be alerted to expect such a threat).  More specifically, Reybok discloses such a services provider can structure its services to provide cross-client alerts or reporting of common threats (or potential threats) [0057] and If the IDS detects such a threat, for example, concentrated requests for access to a web page of a private network from a single source or small group of sources (representing a possible denial of service attack), the IDS typically generates an alarm, alert or other response to indicate this fact [0074]. Therefore, as the metes and bounds of the limitation of been met as noted above; the examiner finds this argument not persuasive.

Applicant’s arguments: “determine, at the plurality of customer instances, security threat remediation to block communication with the network security threat actor based at least in part on the incident analysis, the incident enrichment, and the threat association are patentably distinct from Reybok and Baikalov.” 
The Examiner disagrees with the Applicants. The Examiner respectfully submits that Reybok does disclose determine, at the plurality of customer instances, security threat remediation to block communication with the network security threat actor based at least in part on the incident analysis, the incident enrichment, and the threat association (Reybok: ¶0030 a central query routing and/or aggregation service also provides remedial measures to counteract a possible threat which has been determined to be correlated with historical (filtered) data. For example, antimalware (e.g., antivirus) definitions can be updated for the reporting network. Other versions of remedial measures can include (a) providing a template to a security system of the reporting client which then implements the template as an execution operand, i.e., to automatically block a suspicious IP address) [i.e., block communication]). More specifically, Reybok discloses per numeral 121, a remedial action can be taken, as introduced earlier; for example, the first network can be sent a security response template that causes an intrusion prevention system (IPS) or intrusion monitoring system (IMS) to automatically block traffic associated with a specific IP address [0037] and the potential threat being evaluated has a particular internet protocol address ("IP1") and that this particular address IP1 has been evaluated by network NET1 as potentially being a source of improper access attempts, SPAM, viruses, inappropriate content, or other activity that should be monitored and/or blocked [] It should be assumed that network NET1 wishes to share its evaluation with other networks or parties such that such other networks or parties can evaluate and potentially block access to or from site IP1 even though access to or communication with such other networks or parties may not yet exist [0061]. Therefore, as the metes and bounds of the limitation of been met as noted above; the examiner finds this argument not persuasive.
The amended claims 1, 9-10 and 15 have been addressed in rejection below.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person.


This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-3 and 7-14 are rejected under 35 U.S.C. 103 as being unpatentable over Reybok et al. (“Reybok,” US 2015/0207813), published on July 23, 2015, in view of Iyer et al. (“Iyer,” US 2016/0306965), published on October 20, 2016.

Regarding claim 1: Reybok discloses a system, comprising:
a memory (Reybok: fig. 7B); and
one or more processors (Reybok: ¶0041 the one or more general purpose machines (e.g., a server, processor, computer, etc.)), wherein the memory includes instructions that, when executed, are configured to cause the one or more processors to:
implement a plurality of customer instances within a datacenter, wherein each customer instance of the plurality of customer instances is associated with a respective customer network of a plurality of customer networks outside of the datacenter (Reybok: fig. 2; ¶0025a system can be implemented as a client device [...], a central security and/or query routing service; ¶0058 network can optionally be designed using a virtual machine (VM) architecture; ¶0039 a number of clients represented by networks "NET1," "NET2" ... "NETn." [...] each client can be connected to one of networks 206; ¶0041 lines 18-22 the central service can be formed to have one or more servers or other computers or network equipment 223, for example, including [...] data centers; fig. 8A data center);
implement a central instance within the datacenter, wherein the central instance is communicatively coupled to the plurality of customer instances (Reybok: ¶0039 FIG. 2 shows an illustrative diagram 201 that features an example configuration for central query routing and/or aggregating service, represented by box 203. More specifically, this service is seen to be connected to a wide area network (WAN) 205, in this case the Internet, and in turn to have a number of clients represented by networks "NET1," "NET2" ... "NETn.");
receive, at a first customer instance of the plurality of customer instances, an alert from a first customer network of the plurality of customer networks, wherein the alert is associated with a network security threat (Reybok: ¶0047 2nd col. lines 36-38 when a threat is detected, any desired subset of group members can receive a notification, filtered if desired for the preferences of the specific network);
generate, at the central instance, a search query based on one or more observables associated with the alert (Reybok: fig. 1; ¶0053 the first network can also be configured to send a query related to the received security event, either immediately, or upon a desired condition);
invoke, at a second customer instance of the plurality of customer instances, a search of data of a second customer network associated with the second customer instance based on the search query (Reybok: ¶0054 the central service also optionally routes the query (567) to one or more third party networks (e.g., networks optionally selected based on one or more characteristics (or profile information) in common with similar characteristics (or profile information) of the first network));
receive, at the second customer instance, a search result based on the search of data of the second customer network, wherein the search result reflects occurrences of the one or more observables in the second customer network (Reybok: fig. 5B; ¶0055 lines 39-44 the central service locally searches and/or optionally routes the query as indicated by numerals 565 and 567. Other clients, as appropriate, receive a query or event which has been sent out and search their own local databases, per numerals 575 and 577. The central service receives query results per numeral 579 [] notifying other clients of query results or the results of correlation or detected threat (587));
conduct, at the central instance, incident analysis (Reybok: ¶0042 the central service 203 could then automatically identify that network NET1 had also experienced "ThreatA SRC,");
conduct, at the plurality of customer instances, incident enrichment comprising determining running processes and network statistics associated with the plurality of customer networks (Reybok: fig. 5B step 587; ¶0028 one or more other clients sharing a characteristic associated with these networks [...] can also be alerted to expect such a threat; ¶0055 lines 13-17 a "red" group can imply automated sharing of queries and/or response data with every other member of the group (or other client sharing the same characteristic, depending on how queries and/or events are routed for the specific embodiment));
conduct, at the central instance, threat association comprising identifying a network security threat actor associated with the alert based at least in part on the search result that reflects the occurrences of the one or more observables in the second customer network (Reybok: ¶0042 lines 31-33 the central service can notify network NET1, network NETn, or both, as to the severity of the threat; ¶0028 a notifications procedure can also vary depending on the type of threat; ¶0055 lines 46-52 the first network can be notified of query results, e.g., in the form of a summary or other data[ ...] query results represent respective, diverse networks (filtered as appropriate) and the first network is informed of the number of "hits," a ranked threat level provided by the central service, and a comparison with any local search results; ¶0028 if a first client (a securities firm) experiences a threat, which is then determined to be correlated with a second client (also a securities firm) reporting a similar event, then one or more other clients sharing a characteristic associated with these networks (e.g., other securities firms) can also be alerted to expect such a threat); and 
determine, at the plurality of customer instances, security threat remediation to block communication with the network security threat actor based at least in part on the incident analysis, the incident enrichment, and the threat association (Reybok: ¶0030 a central query routing and/or aggregation service also provides remedial measures to counteract a possible threat which has been determined to be correlated with historical (filtered) data. For example, antimalware (e.g., antivirus) definitions can be updated for the reporting network. Other versions of remedial measures can include (a) providing a template to a security system of the reporting client which then implements the template as an execution operand, i.e., to automatically block a suspicious IP address) [i.e., block communication]).
Reybok does discloses search/query result but does not explicitly disclose determining a risk score associated with the network security threat based on the occurrences of the one or more observables associated with the search result.
However, Iyer discloses determining a risk score associated with the network security threat based on the occurrences of the one or more observables associated with the search result (Iyer: ¶0113 at block 530, the processing device may determine whether the search results meet a triggering condition corresponding to the statistical baseline; ¶0115 at block 540, the processing device may update (e.g., assign) a risk score for the particular entity in response to determining the triggering condition is met. The risk score may indicate a risk of a security threat associated with the activity of the particular entity).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Iyer with the system/method of Reybok to include determining a risk score associated with the network security threat based on occurrences of the one or more observables associated with the search result.
One would have been motivated to assigning risk scores to entities based on evaluating triggering conditions applied to search results (Iyer: ¶0001).

Regarding claim 2: Reybok in view of Iyer discloses the system of claim 1.
Reybok further discloses wherein invoking the search of data comprises communicating with an agent device to conduct a search within the second customer network (Reybok: ¶0025 lines 46-48 each client system (e.g., an automated client portal or "ACP") [an agent device] can be equipped with APIs to search local security event databases in whatever form event data is stored).

Regarding claim 3: Reybok in view of Iyer discloses the system of claim 1.
Reybok further discloses wherein invoking the search of data comprises querying a security information and event management database of the second customer network (Reybok: ¶0039 each ACP 207a-207c [agent device] can be configured to instead or in addition locally log event data and to search its own database(s) prior to or in instead of reporting information or sending a query to the central service 203).

Regarding claim 7: Reybok in view of Iyer discloses the system of claim 1.
Reybok further discloses wherein the instructions, when executed, are configured to cause the one or more processors to cause the central instance to relay a message comprising the search query to the second customer instance based on the alert (Reybok: ¶0031 a central query routing and/or aggregating service sends a query to nationwide chain store C to determine whether it has also seen the same possible threat).

Regarding claim 8: Reybok in view of Iyer discloses the system of claim 1.
Reybok further discloses wherein the instructions, when executed, are configured to cause the one or more processors to transmit a recommendation to the second customer instance based on the security threat remediation (Reybok: ¶0030 a specific vulnerability assessment or damage assessment operation can be recommended to the reporting client or another entity which previously reported a similar threat).

Regarding claim 9: Reybok discloses a method, comprising:
receiving, at a first customer instance of a plurality of customer instances, an alert from a first customer network of a plurality of customer networks, wherein the alert is associated with a network security threat (Reybok: ¶0039 a number of clients represented by networks "NET1," "NET2" ... "NETn." [...] each client can be connected to one of networks 206; ¶0047 2nd col. lines 36-38 when a threat is detected, any desired subset of group members can receive a notification, filtered if desired for the preferences of the specific network);
generating, at a central instance communicatively coupled to the first customer instance, a search query based on one or more observables associated with the alert (Reybok: fig. 1; ¶0053 the first network can also be configured to send a query related to the received security event, either immediately, or upon a desired condition);
invoking, at a second customer instance of the plurality of customer instances, a search of data of a second customer network associated with the second customer instance based on the search query (Reybok: ¶0054 the central service also optionally routes the query (567) to one or more third party networks (e.g., networks optionally selected based on one or more characteristics (or profile information) in common with similar characteristics (or profile information) of the first network));
receiving, at the second customer instance, a search result based on the search of data of the second customer network, wherein the search result reflects occurrences of the one or more observables in the second customer network (Reybok: fig. 5B; ¶0055 lines 39-44 the central service locally searches and/or optionally routes the query as indicated by numerals 565 and 567. Other clients, as appropriate, receive a query or event which has been sent out and search their own local databases, per numerals 575 and 577. The central service receives query results per numeral 579 [] notifying other clients of query results or the results of correlation or detected threat (587));
performing, at the central instance, incident analysis (Reybok: ¶0042 the central service 203 could then automatically identify that network NET1 had also experienced "ThreatA SRC,");
performing, at the plurality of customer instances, incident enrichment comprising determining running processes and network statistics associated with the plurality of customer networks (Reybok: fig. 5B step 587; ¶0028 one or more other clients sharing a characteristic associated with these networks [...] can also be alerted to expect such a threat; ¶0055 lines 13-17 a "red" group can imply automated sharing of queries and/or response data with every other member of the group (or other client sharing the same characteristic, depending on how queries and/or events are routed for the specific embodiment));
conducting, at the central instance, threat association comprising identifying a network security threat actor associated with the alert based at least in part on the search result that reflects the occurrences of the one or more observables in the second customer network (Reybok: ¶0042 lines 31-33 the central service can notify network NET1, network NETn, or both, as to the severity of the threat; ¶0028 a notifications procedure can also vary depending on the type of threat; ¶0055 lines 46-52 the first network can be notified of query results, e.g., in the form of a summary or other data[ ...] query results represent respective, diverse networks (filtered as appropriate) and the first network is informed of the number of "hits," a ranked threat level provided by the central service, and a comparison with any local search results; ¶0028 if a first client (a securities firm) experiences a threat, which is then determined to be correlated with a second client (also a securities firm) reporting a similar event, then one or more other clients sharing a characteristic associated with these networks (e.g., other securities firms) can also be alerted to expect such a threat); and
determining, at the plurality of customer instances, security threat remediation to block communication with the network security threat actor based at least in part on the incident analysis, the incident enrichment, and the threat association (Reybok: ¶0030 a central query routing and/or aggregation service also provides remedial measures to counteract a possible threat which has been determined to be correlated with historical (filtered) data. For example, antimalware (e.g., antivirus) definitions can be updated for the reporting network. Other versions of remedial measures can include (a) providing a template to a security system of the reporting client which then implements the template as an execution operand, i.e., to automatically block a suspicious IP address) [i.e., block communication]).
Reybok does discloses search/query result but does not explicitly disclose determine network security threat information comprising a risk score associated with the network security threat based on occurrences of the one or more observables associated with the search result.
However, Iyer discloses determine network security threat information comprising a risk score associated with the network security threat based on occurrences of the one or more observables associated with the search result (Iyer: ¶0113 at block 530, the processing device may determine whether the search results meet a triggering condition corresponding to the statistical baseline; ¶0115 at block 540, the processing device may update (e.g., assign) a risk score for the particular entity in response to determining the triggering condition is met. The risk score may indicate a risk of a security threat associated with the activity of the particular entity).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Iyer with the system/method of Reybok to include determining a risk score associated with the network security threat based on occurrences of the one or more observables associated with the search result.
One would have been motivated to assigning risk scores to entities based on evaluating triggering conditions applied to search results (Iyer: ¶0001).

Regarding claim 10: Reybok in view of Iyer discloses the method of claim 9.
Reybok further discloses invoking, at a third customer instance of the plurality of customer instances, an additional search of data of a third customer network associated with the second customer instance based on the search query (Reybok: ¶0063 this query can be run in a distributed manner, e.g., forwarded to multiple nodes (e.g., as an asynchronous query request). This information is received and processed by query logic 619, and is run against the (central or distributed) information repository 609); and
receiving, at the third customer instance, an additional search result based on the search of data of the third customer network, wherein the additional search result reflects occurrences of the one or more observables in the third customer network (Reybok: ¶0069 if a query is valid, as represented by numeral 671, the query is executed, returning a result 673; ¶0055 the central service receives query results per numeral 579 [] notifying other clients of query results or the results of correlation or detected threat (587))).

Regarding claim 11: Reybok in view of Iyer discloses the method of claim 10.
Iyer further discloses wherein performing the incident analysis comprises determining the risk score associated with the network security threat based on the occurrences of the one or more observables associated with the search result and the additional search result (Iyer: ¶0031 the data aggregation and analysis system may adjust, by a certain score modifier value, a risk score assigned to a certain object responsive to determining that at least a portion of a dataset produced by executing a search query satisfies a certain triggering condition).
The motivation is the same that of claim 9 above.

Regarding claim 12: Reybok in view of Iyer discloses the method of claim 9.
Reybok further discloses invoking a threat mitigation measure using a framework configured to interface to a plurality of network security products provided by a plurality of software publishers, wherein determining the security threat remediation is based on the threat mitigation measure (Reybok: ¶0031 upon receiving a confirmatory response, the ranking of the possible threat is increased in severity and nationwide chain stores A and/or B are notified that the particular event is correlated with an upgraded threat level).

Regarding claim 13: Reybok in view of Iyer discloses the method of claim 9.
Reybok further discloses transmitting, via the central instance, an alert message to a third customer instance of the plurality of customer instances, wherein the alert message comprises the network security threat information (Reybok: ¶0050 2nd col. lines 24-29 workers 513, 515 and 517 represent the various APIs necessary to interface with client security systems and associated databases. For example, as indicated by numeral 513, one of these workers can utilize software available from Splunk for searching associated database data).

Regarding claim 14: Reybok in view of Iyer discloses the method of claim 9.
Reybok further discloses wherein invoking the search of data comprises communicating with an agent device of the second customer network to query a security information and event management database of the second customer network (Reybok: ¶0039 each ACP 207a-207c [agent device] can be configured to instead or in addition locally log event data and to search its own database(s) prior to or in instead of reporting information or sending a query to the central service 203).


Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Reybok et al. (“Reybok,” US 2015/0207813), published on July 23, 2015, in view of Iyer et al. (“Iyer,” US 2016/0306965), published on October 20, 2016 and Fujisawa et al. (“Fujisawa,” US 2017/0251007), published on August 31, 2017.

Regarding claim 4: Reybok in view of Iyer discloses the system of claim 1.
Reybok in view of Iyer does not explicitly disclose input, via the second customer instance, data pertaining to the occurrences of the one or more observables to a neural network or a support vector machine and determine the risk score based on a resulting output of the neural network or a support vector machine.
However, Fujisawa discloses input, via the second customer instance, data pertaining to the occurrences of the one or more observables to a neural network or a support vector machine (Fujisawa: ¶0039 the analytics tool 118 may be configured to utilize machine learning techniques to train a computer processor (e.g., neural network) to determine associations between security risk score inputs [] and output security risk scores); and
determine the risk score based on a resulting output of the neural network or a support vector machine (Fujisawa: ¶0075 training data sets may be generated with example inputs and an associated result (e.g., high risk or low risk), and used to train a neural network to determine relationships between the inputs and outputs of the scoring engine 116). 
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Fujisawa with the system/method of Reybok and Iyer to include determine the risk score based on a resulting output of the neural network or a support vector machine.
One would have been motivated to apply automated detection engines that consider and recognize patterns using a weighting system that computes risk and probability (Fujisawa: ¶0006).

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Reybok et al. (“Reybok,” US 2015/0207813), published on July 23, 2015, in view of Iyer et al. (“Iyer,” US 2016/0306965), published on October 20, 2016 and Jayanthi et al. (“Jayanthi,” US 2013/0097708) published on April 18, 2013.

Regarding claim 5: Reybok in view of Iyer discloses the system of claim 1.
Reybok in view of Iyer does not explicitly disclose wherein conducting incident enrichment comprises updating a white list, a black list, a firewall rule, or any combination thereof.
However, Jayanthi discloses wherein conducting incident enrichment comprises updating a white list, a black list, a firewall rule, or any combination thereof (Jayanthi: ¶0031 local whitelist 44 and blacklist 42 can be updated (e.g., dynamically, scheduled regularly, on demand) to reflect newly approved software objects and newly discovered threats, respectively. These updates can be coordinated via policy server 50 accessing one or more global or third party whitelists).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Jayanthi with the system/method of Reybok and Iyer to include updating a white list, a black list.
One would have been motivated to providing network security and transitioning to a whitelist mode during a malware attack in a network environment (Jayanthi: ¶0001).

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Reybok et al. (“Reybok,” US 2015/0207813), published on July 23, 2015, in view of Iyer et al. (“Iyer,” US 2016/0306965), published on October 20, 2016 and Baikalov et al. (“Baikalov,” US 2016/0226905), published on August 4, 2016.

Regarding claim 6: Reybok in view of Iyer discloses the system of claim 1.
Reybok in view of Iyer does not explicitly disclose wherein conducting incident analysis comprises identifying a kill chain based on the search result, wherein the kill chain comprises a combination of related security vulnerabilities that leads to possible network security compromise, and wherein the security threat remediation is based at least in part on the risk score and the kill chain associated with the incident analysis.
However, Baikalov discloses wherein conducting incident analysis comprises identifying a kill chain based on the search result, wherein the kill chain comprises a combination of related security vulnerabilities that leads to possible network security compromise (Baikalov: ¶0029 for creating a kill chain comprising a sequence of events that reflects the order in which the events would occur in an attack, and for amplifying the risk along the kill chain of known attacks to afford earlier prediction and detection; ¶0031 in FIG. 4, a kill chain 410 comprising a plurality of singular threats such as phishing 412, malicious content 414, malware infection 416, account compromise 418, system compromise 420, data consumption 422 and data egress 424 may be formed), and wherein the security threat remediation is based at least in part on the risk score and the kill chain associated with the incident analysis (Baikalov: ¶0039 classification of risk scores by levels is useful for reporting and remediation within an entity class; ¶0041 normalization [remediation] is a way of quantifying risks to enable comparison of risks not only between different users, but also with other entity classes such as systems and applications. Moreover, normalization enables entity risk scores for different entities to be combined to form a composite risk score for an enterprise, as well as enabling entity risks of different enterprises to be compared).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Baikalov with the system/method of Reybok and Iyer to include the kill chain comprises a combination of related security vulnerabilities that leads to possible network security compromise, and wherein the security threat remediation is based at least in part on the risk score.
One would have been motivated to detecting and assessing threat risks to organizations through a multi-tiered hierarchical process that aggregates threats across multiple domains (Baikalov: ¶0008).

Claims 15 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Reybok et al. (“Reybok,” US 2015/0207813), published on July 23, 2015, in view of Baikalov et al. (“Baikalov,” US 2016/0226905), published on August 4, 2016.

Regarding claim 15: Reybok discloses a system, comprising:
a memory (Reybok: fig. 7B); and
one or more processors (Reybok: ¶0041 the one or more general purpose machines (e.g., a server, processor, computer, etc.)), wherein the memory includes instructions that, when executed, are configured to cause the one or more processors to:
implement a plurality of customer instances within a network, wherein the plurality of customer instances is associated with respective private networks of a plurality of private networks that are outside of the network (Reybok: ¶0025a system can be implemented as a client device [...], a central security and/or query routing service; ¶0058 network can optionally be designed using a virtual machine (VM) architecture; ¶0039 a number of clients represented by networks "NET1," "NET2" ... "NETn." [...] each client can be connected to one of networks 206; ¶0041 lines 18-22 the central service can be formed to have one or more servers or other computers or network equipment 223, for example, including [...] data centers);
implement a central instance within the network, wherein the central instance is communicatively coupled to the plurality of customer instances (Reybok: ¶0039 FIG. 2 shows an illustrative diagram 201 that features an example configuration for central query routing and/or aggregating service, represented by box 203. More specifically, this service is seen to be connected to a wide area network (WAN) 205, in this case the Internet, and in turn to have a number of clients represented by networks "NET1," "NET2" ... "NETn.");
receive, at a first customer instance of the plurality of customer instances, an alert from a first private network of the plurality of private networks, wherein the alert is associated with a network security threat (Reybok: ¶0047 2nd col. lines 36-38 when a threat is detected, any desired subset of group members can receive a notification, filtered if desired for the preferences of the specific network);
generate, at the central instance, a search query based on one or more observables associated with the alert (Reybok: fig. 1; ¶0053 the first network can also be configured to send a query related to the received security event, either immediately, or upon a desired condition);
invoke, at a second customer instance of the plurality of customer instances, a search of data of a second private network associated with the second customer instance based on the search query (Reybok: ¶0054 the central service also optionally routes the query (567) to one or more third party networks (e.g., networks optionally selected based on one or more characteristics (or profile information) in common with similar characteristics (or profile information) of the first network));
receive, at the second customer instance, a search result based on the search of data of the second private network, wherein the search result reflects occurrences of the one or more observables in the second customer network (Reybok: fig. 5B; ¶0055 lines 39-44 the central service locally searches and/or optionally routes the query as indicated by numerals 565 and 567. Other clients, as appropriate, receive a query or event which has been sent out and search their own local databases, per numerals 575 and 577. The central service receives query results per numeral 579 [] notifying other clients of query results or the results of correlation or detected threat (587));
conduct, at the central instance, incident analysis (Baikalov: ¶0028 a kill chain comprising a sequence of events that represent composite threats in the order in which they would occur in an attack, risks along the kill chain are amplified which affords earlier prediction and detection of threats);
the alert based on the search result that reflects the occurrences of the one or more observables in the second private network (Reybok: ¶0028 if a first client (a securities firm) experiences a threat, which is then determined to be correlated with a second client (also a securities firm) reporting a similar event, then one or more other clients sharing a characteristic associated with these networks (e.g., other securities firms) can also be alerted to expect such a threat); and
determine, at the plurality of customer instances, security threat remediation to block communication with the network the network security threat actor based at least in part on the incident analysis, the incident enrichment, and the threat association (Reybok: ¶0030 a central query routing and/or aggregation service also provides remedial measures to counteract a possible threat which has been determined to be correlated with historical (filtered) data. For example, antimalware (e.g., antivirus) definitions can be updated for the reporting network. Other versions of remedial measures can include (a) providing a template to a security system of the reporting client which then implements the template as an execution operand, i.e., to automatically block a suspicious IP address) [i.e., block communication]).
Reybok does discloses search/query result but does not explicitly disclose identifying a kill chain based on the search results, conduct, at the plurality of customer instances, incident enrichment comprising determining an orchestration based on the kill chain, wherein the kill chain comprises a combination of related security vulnerabilities that leads to possible network security compromise, and conduct, at the central instance, threat association comprising identifying a network security threat actor associated with the alert based on the kill chain.
However, Baikalov discloses identifying a kill chain based on the search results (Baikalov: ¶0032 FIG. 5 illustrates the increasing risk posed by the sequence of singular threats of the kill chain of FIG. 4);
conduct, at the plurality of customer instances, incident enrichment comprising determining an orchestration based on the kill chain, wherein the kill chain comprises a combination of related security vulnerabilities that leads to possible network security compromise (Baikalov: ¶0029 for creating a kill chain comprising a sequence of events that reflects the order in which the events would occur in an attack, and for amplifying the risk along the kill chain of known attacks to afford earlier prediction and detection; ¶0031 in FIG. 4, a kill chain 410 comprising a plurality of singular threats such as phishing 412, malicious content 414, malware infection 416, account compromise 418, system compromise 420, data consumption 422 and data egress 424 may be formed);
conduct, at the central instance, threat association comprising identifying a network security threat actor associated with the alert based on the kill chain (Baikalov: ¶0032 FIG. 5 illustrates the increasing risk posed by the sequence of singular threats of the kill chain of FIG. 4, and shows how the risk of damage exponentially increases as successive events are observed. As indicated in FIG. 5, a phishing threat represents a low level of risk and is a threat that can be detected early. Phishing 412 is also the first threat in the kill chain 410 of FIG. 4).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Baikalov with the system/method of Reybok to include the kill chain comprises a combination of related security vulnerabilities that leads to possible network security.
One would have been motivated to detecting and assessing threat risks to organizations through a multi-tiered hierarchical process that aggregates threats across multiple domains (Baikalov: ¶0008).

Regarding claim 17: Reybok in view of Baikalov discloses the system of claim 15.
Reybok further discloses wherein the instructions, when executed, are configured to cause the one or more processors to transmit a recommendation to the second customer instance to perform the security threat remediation to the second private network (Reybok: ¶0030 a specific vulnerability assessment or damage assessment operation can be recommended to the reporting client or another entity which previously reported a similar threat).

Regarding claim 18: Reybok in view of Baikalov discloses the system of claim 15.
Reybok further discloses wherein the instructions, when executed, are configured to cause the one or more processors to determine an additional security threat remediation based at least in part on an implementation of the security threat remediation (Reybok: ¶0030 a central query routing and/or aggregation service also provides remedial measures to counteract a possible threat which has been determined to be correlated with historical (filtered) data. For example, antimalware (e.g., antivirus) definitions can be updated for the reporting network).

Regarding claim 19: Reybok in view of Baikalov discloses the system of claim 15.
Reybok further discloses wherein conducting incident enrichment comprises determining running processes and network statistics associated with the first private network (Reybok: ¶0093 facilitates the pooling of security event related data among cooperating networks and effective, customized or automatic filtering of sanitized results. These techniques can be extended to any private network, a centralized service (e.g., operated as a service bureau), commercial software products, or another form of implementation).

Regarding claim 20: Reybok in view of Baikalov discloses the system of claim 15.
Reybok further discloses wherein determining the security threat remediation comprises selecting a remediation measure to break the kill chain (Baikalov: ¶0039 classification of risk scores by levels is useful for reporting and remediation within an entity class; ¶0041 normalization [remediation] enables entity risk scores for different entities to be combined to form a composite risk score for an enterprise, as well as enabling entity risks of different enterprises to be compared).

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Reybok et al. (“Reybok,” US 2015/0207813), published on July 23, 2015, in view of Baikalov et al. (“Baikalov,” US 2016/0226905), published on August 4, 2016 and Jayanthi et al. (“Jayanthi,” US 2013/0097708) published on April 18, 2013.

Regarding claim 16: Reybok in view of Baikalov discloses the system of claim 15.
Reybok in view of Baikalov does not explicitly disclose wherein the orchestration comprises a software patch to be applied to a component associated with the kill chain.
However, Jayanthi discloses wherein the orchestration comprises a software patch to be applied to a component associated with the kill chain (Jayanthi: ¶0058 vulnerable software objects may also be patched. After remedial action has been taken, policy server 50 can send an all-clear signal back to hosts in the selected network segment at 414).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Jayanthi with the system/method of Reybok and Baikalov to include a software patch to be applied to a component associated with the kill chain.
One would have been motivated to providing network security and transitioning to a whitelist mode during a malware attack in a network environment (Jayanthi: ¶0001).







Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Fahimeh Mohammadi whose telephone number is (571)270-7857. The examiner can normally be reached Monday - Friday 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 5712705002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/FAHIMEH MOHAMMADI/ Examiner, Art Unit 2439                                                                                                                                                                                         


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439