Notice of Pre-AIA or AIA Status
Claims 1-18 are presented for examination. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-18 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu (U.S. Patent 9,516,053) in view of Abu-Nimeh (U.S. Patent Publication 2017/0026391).

Regarding claim 1:
Muddu discloses a method comprising: maintaining, by a User Entity Behavior Analytics (UEBA)-based security event service of a cloud-based security platform, information regarding historical user behavior of a plurality of users of an enterprise network (Abstract, and col. 18, lines 28-35); responsive to an event associated with a process of an endpoint device that is part of the enterprise network, performing, by an endpoint protection platform running on the endpoint device, an initial classification of the event; based on the initial classification (col. 94, lines 33-62), blocking, by the endpoint protection platform, activity by the process (col. 50, lines 2-7); responsive to the initial classification, requesting, by the endpoint protection platform, input from the cloud-based security platform by transmitting to the cloud-based security platform contextual information regarding the process and the event (col. 39, lines 20-45); performing, by the cloud-based security platform, a reclassification of the event (the operator of the UEBA system can override the recommendation of the system by declaring it a false positive: e.g. col. 12, lines 15-22 and col. 50, lines 7-15); and causing, by the cloud-based security platform, the endpoint protection platform to allow the process to proceed by providing a resulting security event classification of the reclassification to the endpoint protection platform (ignoring an anomaly that does not meet the threshold for action: col. 123, lines 48-51).
To the extent that Muddu teaches reclassifying an event, this is achieved manually, by direct user intervention. However, Abu-Nimeh teaches, in a related computer security invention, the ability to train and reclassify an event [i.e., to detect false positives, or events that were classified as malicious when in fact they are not] based on the contextual information, on multiple data feeds internal or external to the cloud-based security platform, and on the UEBA-based security event classification service (Abu-Nimeh, paragraphs 0107-0113). It would have been obvious, prior to the filing date of the instant application, to train the machine-learning models already known to be employed by Muddu using the training techniques of Abu-Nimeh, so as to further correct initial erroneous classifications and detect false positives, as this would have been a known option within the grasp of a person of ordinary skill in the art, in order to better identify, detect, and predict online attacks (Abu-Nimeh, paragraph 0110).

Regarding claim 10:
The rejection of claim 1 applies mutatis mutandis to claim 10.

Regarding claims 2 and 11:
The combination further discloses wherein the contextual information includes any or a combination of information indicative of an application with which the process is associated, information identifying the user, information indicating a command line used to execute the process, information identifying an execution chain associated with the process, information indicating a memory dump associated with the process, information identifying the user that executes the command line, and information regarding environment variables associated with the process (Muddu: information identifying users and applications at column 76, and Figures 40A & 40D).

Regarding claims 3 and 12:
The combination further discloses wherein the information regarding historical user behavior for each user of the plurality of users includes historical data regarding a number of events initiated at each computing device of the plurality of computing devices and a type of the events initiated at each computing device (Muddu, col. 11, lines 10-35).

Regarding claims 4 and 13:
The combination further discloses wherein the information regarding historical user behavior for each user of the plurality of users is stored for a pre-defined time period (Muddu: col. 55, lines 1-5).

Regarding claims 5 and 14:
The combination further discloses wherein the cloud-based security platform extracts commonality user behavior information associated with the event from the information regarding historical user behavior of the plurality of users using a machine-learning based approach (Muddu: col. 11, line 59 – col. 12, line 7).

Regarding claims 6 and 15:
The combination further discloses wherein the resulting security event classification includes malicious, suspicious, potentially unwanted program (PUP), inconclusive, likely safe and safe (malicious/malware [PUP] at Muddu, col. 107, lines 19-21; safe/suspicious at Muddu, col. 108, line 62 – col. 109, line 5; see also Abu-Nimeh at paragraph 0032).

Regarding claims 7 and 16:
The combination further discloses wherein said performing, by the cloud-based security platform, a reclassification of the event comprises, when the event is reclassified based on the contextual information and the multiple data feeds as suspicious or inconclusive, further evaluating the event with reference to the UEBA-based security event classification service (Abu-Nimeh, paragraphs 0107-0112).

Regarding claims 8 and 17:
The combination further discloses wherein, when the event is ultimately classified as malicious, the cloud-based security platform causes the endpoint protection platform to deny further execution of the process (Muddu: col. 50, lines 2-7).

Regarding claims 9 and 18:
The combination further discloses wherein, when the event is ultimately classified as likely safe or safe, the cloud-based security platform causes the endpoint protection platform to permit execution of the process (ignoring the "anomaly" when it fails to meet a threshold: Muddu, col. 123, lines 48-51).
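For readers following the technical content of the rejection rather than its legal effect, the following is an added illustration of the endpoint-to-cloud reclassification loop recited in claim 1 and of the verdict handling of claims 5 through 9. It is example code written for this page; it is not code from the application under examination, from Muddu, or from Abu-Nimeh. Every name, threshold, data feed entry and event in it is constructed, and the concrete heuristics (encoded command line, unsigned binary, an Office application as parent of the process) are assumptions chosen for the example, not limitations drawn from the claims or the references.

```python
"""Added illustration of the endpoint/cloud reclassification loop of claim 1 and the
verdict handling of claims 5-9.  Example code for this page, not code from the
application, Muddu or Abu-Nimeh; all names, thresholds, feeds and events are constructed."""
from collections import Counter
from dataclasses import dataclass

# Verdict vocabulary recited in claims 6 and 15.
MALICIOUS, SUSPICIOUS, PUP, INCONCLUSIVE, LIKELY_SAFE, SAFE = (
    "malicious", "suspicious", "pup", "inconclusive", "likely_safe", "safe")
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}  # constructed parent list


@dataclass(frozen=True)
class Event:
    """Contextual information of claims 2/11, sent from the endpoint to the cloud."""
    user: str
    process: str
    cmdline: str
    chain: tuple    # execution chain, parent-most first
    signed: bool    # assumed: whether the binary carries a valid code signature
    sha256: str     # hypothetical hash used to query the data feeds


class CloudPlatform:
    """Cloud-based security platform with its UEBA-based event service."""

    def __init__(self, history, feeds, common_user=0.2, common_population=0.5):
        self.history = history    # user -> Counter(process -> past events), claims 3/4
        self.feeds = feeds        # sha256 -> verdict from internal/external data feeds
        self.common_user, self.common_population = common_user, common_population

    def commonality(self, ev):
        """Claims 5/14: how ordinary this process is for the user and across all users."""
        own = self.history.get(ev.user, Counter())
        user_frac = own[ev.process] / sum(own.values()) if own else 0.0
        running = sum(1 for h in self.history.values() if h[ev.process] > 0)
        population_frac = (running / len(self.history)) if self.history else 0.0
        return user_frac, population_frac

    def interim_classification(self, ev):
        """First pass over contextual information and data feeds (claims 7/16)."""
        feed = self.feeds.get(ev.sha256)
        if feed in (MALICIOUS, PUP, SAFE):
            return feed
        # Assumed heuristic: an Office application launching an encoded PowerShell
        # command has the shape of a macro dropper; suspicious, not yet malicious.
        if ev.chain and ev.chain[-1] in OFFICE_APPS and "-enc" in ev.cmdline.lower():
            return SUSPICIOUS
        return INCONCLUSIVE

    def reclassify(self, ev):
        verdict = self.interim_classification(ev)
        if verdict not in (SUSPICIOUS, INCONCLUSIVE):
            return verdict
        # Claims 7/16: only suspicious or inconclusive events reach the UEBA service.
        user_frac, population_frac = self.commonality(ev)
        if user_frac >= self.common_user or population_frac >= self.common_population:
            return LIKELY_SAFE  # ordinary behaviour for this user or for the population
        return MALICIOUS if verdict == SUSPICIOUS else SUSPICIOUS


class EndpointProtection:
    """Endpoint protection platform running on the endpoint device."""

    def __init__(self, cloud):
        self.cloud, self.blocked = cloud, set()   # blocked: events awaiting or denied

    def initial_classification(self, ev):
        """Assumed cheap local heuristic: encoded command line or unsigned binary."""
        return SUSPICIOUS if "-enc" in ev.cmdline.lower() or not ev.signed else SAFE

    def handle(self, ev):
        """Returns (action, initial, final); action is allowed, denied or held."""
        initial = self.initial_classification(ev)
        if initial == SAFE:
            return "allowed", initial, SAFE
        self.blocked.add(ev)                  # block first (claim 1) ...
        final = self.cloud.reclassify(ev)     # ... then request input from the cloud
        if final == MALICIOUS:                # claims 8/17
            return "denied", initial, final
        if final in (LIKELY_SAFE, SAFE):      # claims 9/18
            self.blocked.discard(ev)
            return "allowed", initial, final
        return "held", initial, final         # assumed: PUP/suspicious stay blocked


# Constructed UEBA history, data feeds and events; hash "0000" appears in no feed.
HISTORY = {"alice": Counter({"winword.exe": 40, "outlook.exe": 35}),
           "bob": Counter({"powershell.exe": 30, "cmd.exe": 10}),
           "carol": Counter({"excel.exe": 20})}
FEEDS = {"1111": MALICIOUS, "2222": SAFE, "3333": PUP}
EVENTS = [
    Event("alice", "powershell.exe", "powershell.exe -enc SQBFAFgA", ("explorer.exe", "winword.exe"), True, "0000"),
    Event("bob", "powershell.exe", "powershell.exe -enc SQBFAFgA", ("explorer.exe", "cmd.exe"), True, "0000"),
    Event("carol", "updater.exe", "updater.exe /silent", ("explorer.exe",), False, "1111"),
    Event("carol", "tool.exe", "tool.exe", ("explorer.exe",), False, "2222"),
    Event("carol", "toolbar.exe", "toolbar.exe", ("explorer.exe",), False, "3333"),
]


def run_all(events=EVENTS):
    """Runs every event through one endpoint; results are keyed process@user."""
    endpoint = EndpointProtection(CloudPlatform(HISTORY, FEEDS))
    return {f"{ev.process}@{ev.user}": endpoint.handle(ev) for ev in events}
```

Two points in the example are design choices rather than anything the claims recite: an event that comes back as PUP or remains suspicious is held in the blocked state rather than released, because claims 8 and 9 only dictate the malicious and safe/likely-safe outcomes; and the UEBA step turns an uncommon suspicious event into a malicious verdict, which is the "further evaluating" of claim 7 made concrete with a commonality threshold. Note also that the two encoded PowerShell events are byte-for-byte identical at the endpoint and are separated only by the cloud's historical user behavior, which is the point of sending contextual information upstream rather than deciding locally.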

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
U.S. Patents 10,747,606 (Shemer) and 10,320,813 (Ahmed)
U.S. Patent Publications 2020/0293944 (Furukawa) and 2019/0188390 (Gunn)
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS A GYORFI whose telephone number is (571)272-3849. The examiner can normally be reached 10:00am - 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

THOMAS A. GYORFI
Examiner
Art Unit 2435

/THOMAS A GYORFI/ Examiner, Art Unit 2435    4/9/2022