DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to communication filed on 12/27/2021.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 12/27/2021 has been entered.
Status of claims in the instant application:
Claims 1-21 are pending.
Claims 1, 12, 14 and 15 have been amended.
Claim 21 has been newly added.
No claim has been canceled.
Priority
The instant application is a “CON of 15/373,662 filed on 12/09/2016 now PAT 10686805 which claims benefit of 62/266,435 filed on 12/11/2015”.
Response to Arguments
Applicant’s arguments, pages [11-12] of the remarks filed on 12/27/2021, regarding the rejections of claims under 35 USC §103 have been considered in view of the amended claims, but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Furthermore, Applicant’s claim amendments necessitate new grounds of rejection.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 5, 7-8, 10-12 and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 2009/0178139 A1 to Stute et al. (hereinafter “Stute”) in view of Pub. No.: US 2016/0173521 A1 to Yampolskiy et al. (hereinafter “Yampolskiy”), and further in view of Pub. No.: US 2016/0366174 A1 to Chernin et al. (hereinafter “Chernin”) with priority of 04/17/2015 from provisional application 62149121.
Regarding Claim 1. Stute discloses A system (Stute, Abstract: The present disclosure generally provides systems and methods of network security and threat management …), comprising:
[a processor; and
a memory, wherein the memory includes instructions executable by the processor to cause the processor to]:
associate a subset of a plurality of client networks of respective companies of a plurality of companies into a group using an affiliation, wherein the affiliation associates each client network of the subset of the plurality of client networks into the group according to a commonality (Stute, Para [0021, 0043, 0063]: … System 100 could include enterprise network 102, firewall system or other similar device 104, and one or more connections 106 to Internet 108. Enterprise network 102 could include for example, a company, a group of companies, a department, a group of departments, a user, a group of users, database, group of databases, applications, group of applications, any suitable entity, or any combination thereof … These "global alerts" could be analyzed by each participating commercial network security system that could be vulnerable to the same type of attack technique. For example, these global alerts could be valuable to customers who are similarly situated, configured, or vulnerable … System 200 shown in FIG. 2 could be scaled to monitor additional networks or similar systems to service one or more entities such as, for example, one or more companies, group of companies, affiliates, departments, group of departments, users, group of users, databases, group of databases, applications, group of applications, any suitable entities, or any combinations thereof …; Examiner’s Interpretation: A group of users or a group of departments belonging to a department or a company respectively has the department or the company as a commonality … Also, customers that are similarly situated discloses commonality. 
Also, a group of similarly situated companies forms an affiliate served by a network, and multiple such networks are served …), and wherein the commonality indicates that each client network of the group is operated by a respective client [that operates in an industry common to the group across the plurality of companies] (Stute, Para [0021, 0025, 0063-0064]: … System 100 could include enterprise network 102, firewall system or other similar device 104, and one or more connections 106 to Internet 108. Enterprise network 102 could include for example, a company, a group of companies, a department, a group of departments, a user, a group of users, database, group of databases, applications, group of applications, any suitable entity, or any combination thereof … System 200 shown in FIG. 2 could be scaled to monitor additional networks or similar systems to service one or more entities such as, for example, one or more companies, group of companies, affiliates, departments, group of departments, users, group of users, databases, group of databases, applications, group of applications, any suitable entities, or any combinations thereof by using SOC 302a, MSP 302b, and SDM 302c. The additional network architectural layers could be centrally located relative to each layer or geographically disperse relative to each layer …);
However, Stute does not explicitly teach, but Yampolskiy from the same or a similar field of endeavor teaches:
“a processor (Yampolskiy, Para [0006]: …  According to another embodiment, a computer program product includes a non-transitory computer-readable medium comprising instructions which, when executed by a processor of a computing system, cause the processor to perform the step of non-intrusively collecting one or more types of data associated with an entity …); and
a memory, wherein the memory includes instructions executable by the processor to cause the processor (Yampolskiy, Para [0006]: …  According to another embodiment, a computer program product includes a non-transitory computer-readable medium comprising instructions which, when executed by a processor of a computing system, cause the processor to perform the step of non-intrusively collecting one or more types of data associated with an entity …) to:
each client network of the group is operated by a respective client that operates in an industry common to the group across the plurality of companies (Yampolskiy, Abstract, Para [0010]: … Determining an entity's cybersecurity risk and benchmarking that risk includes non-intrusively collecting one or more types of data associated with an entity. Embodiments further include calculating a security score for at least one of the one or more types of data based, at least in part, on processing of security information extracted from the at least one type of data, wherein the security information is indicative of a level of cybersecurity. Some embodiments also comprise assigning a weight to the calculated security score based on a correlation between the extracted security information and an overall cybersecurity risk determined from analysis of one or more previously-breached entities in the same industry as the entity … FIG. 1 is a block diagram of a network that includes a scorecard server, data sources, and an entity with a cybersecurity risk according to an embodiment …).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Yampolskiy into the teachings of Stute because it discloses that “A corporate entity may assess its cybersecurity risk by calculating and/or tracking its own cybersecurity performance, as well the cybersecurity performance of its competitors and current and potential business partners. Based on the assessment, the entity can make meaningful decisions to improve its cybersecurity performance. To improve its market standing, the entity can benchmark its cybersecurity performance against similar corporate entities, such as competitors, to make sure it's cybersecurity performance is not below an industry standard (written or unwritten). In doing so, the entity can reduce the likelihood of experiencing a security breach, and likewise, suffering from client loss, reputation loss, and exposure to liability (Yampolskiy, Para [0004])”.
Stute further discloses:
“determine that there is an increased risk to the group associated with an increased likelihood that an attack is going to occur based at least in part on the commonality (Stute, Para [0039, 0052-0055]: … with the performance of this first stage, BCM 216 could correlate information and perform behavioral correlation to provide advanced warning of potential security violations, threats, vulnerabilities, and attacks that could occur within a particular location of facility 202 … in one embodiment, SDM 218 could aid in assessing, ranking, prioritizing, reporting, and correlating potential threats and intelligently focus local IT resources on prevention and remediation activities. For example, SDM 218 could correlate each prioritized threat and provide access to forensic information, comprehensive lists of vulnerable assets, associated vulnerability reports, prevention/remediation instructions, other instructions, or any combination thereof. In addition, SDM 218 generally aids in providing a successful security event management system by generating alerts from multiple and complex sources by linking threats to the business assets they target … based on the class of attack being used, the vulnerability of the target (including the age of the vulnerability data) and the importance of the assets involved, SDM 218 dynamically prioritizes the attack details as the events are received. In one embodiment, SDM 218 adjusts the threat priority dynamically as a result of its continuous security event analysis and correlation processing. Accordingly, SDM 218 performs behavioral correlation algorithms that automatically identify threats before they become compromises … Facility 202 could also include vulnerability scanner module (VSM) 220. VSM 220 proactively identifies vulnerabilities to critical infrastructures at facility 202. For example, when VSM 220 detects a vulnerability in system 200, the detected vulnerability could be fed back into an intrusion detection algorithm. 
Here, the vulnerabilities could be correlated to provide context and possibly increase the priority of what would otherwise appear as a low-priority signature, group of low-priority signatures, behavioral alert, or groups of behavioral alerts …);
in response to determining the increased risk to the group, [modify] a message to be transmitted to a first client network of the group [to remove an identity of a second client network of the group from the message], wherein the message is configured to alert the first client network of the increased risk (Stute, Para [0055, 0056-0057]: … the vulnerabilities could be correlated to provide context and possibly increase the priority of what would otherwise appear as a low-priority signature … In one example, most intrusion detection algorithms could have the ability to detect the presence of protocol specific traffic such as, for example, SSH-1 traffic on a network and normally would identify such traffic as a low-priority event. However, when SSH-1 traffic is detected against a device that could potentially be vulnerable to an SSH-1 exploit, then, under this context, this event could be classified as a high-priority event in terms of incident response. Accordingly, in one embodiment, the present disclosure not only identifies known vulnerabilities, it also could detect suspicious traffic against such known vulnerabilities … In addition, VSM 220 provides visual context and correlation of suspicious network activity against vulnerable areas of the network associated with facility 202. For example, in one embodiment, VSM 220 could reclassify the alert priority and use different colors to display the alerts on a monitoring console to highlight the severity of the situation at hand. VSM 220 could be configured to communicate and report vulnerabilities to, for example, BCM 216, SDM 218, and MCU 214. Accordingly, VSM 220 attempts to discover and eliminate potential vulnerabilities and threats to system 200 before they are implemented …)”; and
[transmit the message to the first client network].
However, the combination of Stute-Yampolskiy does not explicitly teach, but Chernin from the same or a similar field of endeavor teaches:
“modify a message … to remove an identity of a second client network of the group from the message (Chernin, Para [0050]: … Once a local entity 104a, 104b, 104c, or 104d receives an item of threat information, if that local entity 104a, 104b, 104c, or 104d desires more information or context about the item of threat information, the local entity may contact the entity who provided the item of threat information for further information. In some embodiments of the invention, however, the identity of the original entity/repository 104a, 104b, 104c, or 104d who provided the item of threat information is kept secure and anonymous, as the fact that an entity suffered a threat or attack may itself be sensitive, damaging, or embarrassing to that entity and/or its members …); Examiner’s Note: Applicant is also referred to Para [008, 0051 and 52] of provisional application 62149121;
transmit the message to the first client network (Chernin, Para [0048-0051]: … In some embodiments of the present invention, the items of threat information can be distributed from central repository 102 to local entities 104a, 104b, 104c, and 104d at the same time that local entities 104a, 104b, 104c, and 104d provide detected items of threat information to central repository 102 in a scheduled synchronization … In these embodiments, where the source of the item of threat information is anonymous, the local entity 104a, 104b, 104c, or 104d may send out a "request for information" ("RFI"), a message that includes a code or identifier associated with the item of threat information that is sent to all entities and/or repositories in the system. Because only the entity or repository that is the source of the message will contain that particular code/identifier, the RFI allows a way for entities in the system to request additional context, detail, or other information about an item of threat information while still preserving the anonymity of the original source of that item of threat information. In some embodiments, the source of the RFI will also be anonymous, even to the original source of the item of threat information that receives the RFI …); Examiner’s Note: Applicant is also referred to Para [008, 0051 and 52] of provisional application 62149121.”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Chernin into the combined teachings of Stute-Yampolskiy because it “allows a way for entities in the system to request additional context, detail, or other information about an item of threat information while still preserving the anonymity of the original source of that item of threat information (Chernin, Para [0051])”.
Regarding Claim 2. The combination of Stute-Yampolskiy-Chernin discloses the system of claim 1, Stute further discloses, “wherein the memory includes instructions executable by the processor to cause the processor to:
receive threat data from the plurality of client networks (Stute, Para [0029-0031]: … External DPM 208, internal DPM 212, and TCB DPM 222 could perform, for example, signature intrusion detection from known and potential threats, intrusion prevention, data packet collection, and behavioral packet analysis. External DPM 208, internal DPM 212, and TCB DPM 222 could generally be installed as a passive device to receive mirrored traffic from monitored network segments … external DPM 208 could be configured to receive mirrored traffic coming in from Internet 108 and leaving from enterprise 202 … internal DPM 212 could be configured to receive mirrored traffic coming in and from entities within facility 202. In one embodiment, internal DPM 212 could be installed inside the firewall to monitor internal network traffic, outbound traffic to Internet 108, and correlate with inbound network traffic that makes it through the firewall …);
identify the group at least in part by detecting a correlation between the group and a network threat represented by the threat data (Stute, Para [0042, 0043, 0046]: … after performing the second stage of this analysis, BCM 216 could correlate information and perform behavioral correlation to provide advanced warning of potential security violations, threats, vulnerabilities, and attacks that could occur within facility 202 … Finally, in a third stage, BCM 216 or other similar device or module, could perform behavioral correlation on the data collected across all DPMs in facility 202 (e.g., each of external DPM 208, internal DPM 212, and TCB DPM 222) and other facilities, including other client sites, not shown in FIG. 1. These "global alerts" could be analyzed by each participating commercial network security system that could be vulnerable to the same type of attack technique. For example, these global alerts could be valuable to customers who are similarly situated, configured, or vulnerable.);
identify at least one indicator associated with the network threat (Stute, Para [0046]: Accordingly, after performing the third stage of this analysis, BCM 216 could correlate information and perform behavioral correlation to provide advanced warning of potential security violations, threats, vulnerabilities, and attacks that could occur within facility 202 and at other facilities …);
in response to transmitting the message to the client network, receive a report from the client network, wherein the report comprises a detected correlation between the at least one indicator and security event data maintained by the client network (Stute, Para [0045]: … In one embodiment, BCM 216 could determine network statistical values for network traffic using external sensors or external DPMs on, for example, the Internet, a public network, a semi-public network, or any other network external to facility 202. These external sensors could collect and detect information based on, for example, source address, destination address, source port, destination port, alert name, other suitable discernable traffic information, or any combination thereof to determine patterns on the Internet, public network, or semi-public network. BCM 216 could then compare the statistical and traffic related information with those collected by each external DPMs. After collecting such information related to traffic external to facility 202, BCP 216 could generate a master list of hostile source address, destination address, source port, destination port, alert name, other discernable traffic information, or any combination thereof to compare to empirically recorded historical normal values …); and
update data stored in a security event database in response to the report (Stute, Para [0048]: … Security dashboard module (SDM) 218 could include a fully integrated threat management system designed to generally collect, correlate, and prioritize threats to provide, for example, global network alerts, local network alerts, posted vendor alerts, scanning alerts, detected network vulnerabilities with enterprise assets, other behaviorally traced threats, other suitable alerts or vulnerabilities, or any combination thereof. SDM 218 continuously monitors and updates its repository of all known alerts, threats, vulnerabilities and signature intrusion detection signatures that are collected, integrated, correlated, and normalized by a central resource from external sources …).”
Regarding Claim 5. The combination of Stute-Yampolskiy-Chernin discloses the system of claim 2, Stute further discloses, “wherein the memory includes instructions executable by the processor to cause the processor to:
include, in the message, a firewall rule configured to mitigate the network threat, wherein the firewall rule is configured to be instantiated on at least one of the plurality of client networks (Stute, Para [0021-0022]: … System 100 could include enterprise network 102, firewall system or other similar device 104 … Firewall system 104 could include any suitable module, group of modules, applications, group of applications, any suitable software/hardware, or any combination thereof that examines aids in preventing unauthorized entities from accessing enterprise network 102 by following a set of predetermined rules after inspecting network traffic passing through it. In general, conventional enterprise system 100 uses firewall system 104 to protect enterprise network 102 from unauthorized access or misuse …).”
Regarding Claim 7. The combination of Stute-Yampolskiy-Chernin discloses the system of claim 1, Stute further discloses, “wherein the memory includes instructions executable by the processor to cause the processor to:
receive threat data from a respective client network of the plurality of client networks (Stute, Para [0078], FIG. 5: … In step 502, method 500 could include receiving data associated with vulnerabilities in a network sent to a security dashboard module or similar device such as, for example, SDM 218 shown in FIG. 2 …);
identify the group from a plurality of groups based at least in part on a correlation between the group and a network threat represented by the threat data (Stute, Para [0079], FIG. 5: … In step 504, SDM 218 could generally find all systems identified by the data received in step 502 and, in turn, upgrade each identified system with the appropriate threat points associated with such data …)”; and
Yampolskiy further discloses:
“in response to detecting the correlation, update a threat score corresponding to the network threat (Yampolskiy, Para [0088]: … In some embodiments, the scorecard system 200 can also receive, for example via cybersecurity risk assessment portal 160, an indication that the one or more objectives have been achieved. After the scorecard system 200 receives the indication that the one or more objectives have been achieved, the scorecard system 200 can calculate an updated cybersecurity risk score for the entity based on data collected from the one or more data sources and the achieved one or more objectives. The scorecard system 200 may also transmit, via the cybersecurity risk assessment portal, the updated calculated risk score …)”
The motivation to further combine Yampolskiy remains the same as in claim 1.
Regarding Claim 8. The combination of Stute-Yampolskiy-Chernin discloses the system of claim 7, Stute further discloses, “wherein the memory includes instructions executable by the processor to cause the processor to determine to transmit the message to the client network of the subset of the plurality of client networks of the group based at least in part on a match between a first cryptographic hash corresponding to the respective client network and between a second cryptographic hash corresponding to the client network (Stute, Para [0073], FIG. 4: … In step 406, method 400 could include performing behavioral correlation: (1) within each DPM, (2) across all DPMs installed on a corporate network, and (3) across all DPMs installed on all corporate networks using BCM 216. BCM 216 could automatically learn the network and continuously adjust over time as the network evolves. In step 408, the results of the behavioral correlation are sent to a security dashboard module (SDM) such as SDM 218 shown in FIG. 2 …).”
Regarding Claim 10. The combination of Stute-Yampolskiy-Chernin discloses the system of claim 1, Yampolskiy further discloses, “wherein determining that there is an increased risk to the group comprises determining a static correlation of threat data with other data stored in a database (Yampolskiy, Para [0075, 0103], Claim 1: … contextualization also includes weighing the calculated scores to improve the accuracy of the calculated score. For example, the scorecard system 200 may use weighting module 226 to weigh one or more of the calculated security scores. For example, calculated security scores can be assigned weights based on a correlation between the extracted security information and its impact on the overall cybersecurity risk of an entity. The correlation used to determine the weights can be identified from analysis of one or more previously-breached entities in the same industry as the entity for which a security score is being evaluated. For example, from analysis of the one or more previously-breached entities, a model can be developed which identifies which factors, such as which types of data, were more likely the cause of the breach than others. Based on the determination of which factors cause a greater cybersecurity risk, weights can be assigned to each of the factors. Therefore, the scorecard system 200 may assign similar weights to calculated security scores for different types of data to improve the accuracy of a calculated overall total cybersecurity risk score …   At block 604, method 600 includes calculating, by the processor, a security score for at least one of the one or more types of data based, at least in part, on processing of security information extracted from the at least one type of data, wherein the security information is indicative of a level of cybersecurity. 
At block 606, method 600 includes assigning, by the processor, a weight to the calculated security score based on a correlation between the extracted security information and an overall cybersecurity risk determined from analysis of one or more previously-breached entities in the same industry as the entity. The method can also comprise normalizing the calculated security score for the at least one type of data based, at least in part, on the type of the data and the size of the entity …), determining an increasing threat trend associated with the group, determining a decreasing threat trend associated with the group, or any combination thereof (Yampolskiy, Para [0070, 0086, 0090]: … a common factor that influences a preliminary security score is the amount of information identified as harmful to security. For example, in one embodiment, an increase in the amount of leaked credentials may result in a worsening (or rising) of the security score for the leaked credentials information. Similar logic can be applied to each of the different types of data to determine a preliminary security score for the different types of data. In another embodiment, the scorecard system 200 may analyze the number of malware infections to predict breaches. For example, when then number of malware infections detected by the scorecard system 200 has increased, the scorecard system 200 may associate a worse security score with extracted malware infection data because an increase in the number of the malware infections can be a precursor to a security breach …  FIG. 3 is a block diagram of alerts generated by a scorecard system according to an embodiment. At block 302, the scorecard system 200 obtains a previous score for an entity. The score can be a preliminary security score, a normalized and/or weighted score, or an overall cybersecurity risk score. At block 304, the scorecard system 200 obtains a new score for the entity. 
At block 306, the scorecard system 200 compares the new score and the previous score to determine a difference 308. For example, the scorecard system 200 may utilize benchmarking module 230 to compare an entity's calculated cybersecurity risk score to at least one historical cybersecurity score previously calculated for the entity. In some embodiments, the scorecard system 200 may transmit, for example via the cybersecurity risk assessment portal 160, trend information based on the comparison  …).”
The motivation to further combine Yampolskiy remains the same as in claim 1.
Regarding Claim 11. The combination of Stute-Yampolskiy-Chernin discloses the system of claim 1, Yampolskiy further discloses, “wherein the processor transmits the message in response to determining the increased risk to the group (Yampolskiy, Para [0089, 0099]: … The scorecard system 200 can also generate alerts to trigger further attention to by a security administrator. For example, the scorecard system 200 may monitor the one or more data associated with an entity in real time. In addition, the scorecard system 200 may have a cybersecurity threshold set for the entity. The cybersecurity threshold can be set by a user of the scorecard system 200 or can be dynamically calculated based on processing performed by the scorecard system. When the scorecard system 200 detects that the overall cybersecurity risk score exceeds the cybersecurity threshold, the scorecard system 200 may generate an alert which can be transmitted to a representative of the entity or simply displayed an output, for example on a user interface or output display, such as the output displays illustrated in FIGS. 7-11 … the scorecard system 200 can transmit an indication of relative cybersecurity risk score of one or more entities, the relative cybersecurity risk score based on a comparison of the individual cybersecurity risk score of the one or more entities to the composite cybersecurity risk score of the group. In another embodiment, the scorecard system 200 can transmit, to one or more entities in the group, an identification of one or more objectives to complete to improve the entity's relative cybersecurity risk score. 
The scorecard system 200 can also receive an indication that the objective has been achieved, calculate an updated relative cybersecurity risk score for the one or more entities based on the stored attributes and the achieved objective, and transmit an indication of the updated relative cybersecurity risk score of one or more entities …), and in response to accessing a client specific rule that indicates the client network requested to be alerted for scores greater than a threshold value (Yampolskiy, Para [0089]: … The scorecard system 200 can also generate alerts to trigger further attention to by a security administrator. For example, the scorecard system 200 may monitor the one or more data associated with an entity in real time. In addition, the scorecard system 200 may have a cybersecurity threshold set for the entity. The cybersecurity threshold can be set by a user of the scorecard system 200 or can be dynamically calculated based on processing performed by the scorecard system. When the scorecard system 200 detects that the overall cybersecurity risk score exceeds the cybersecurity threshold, the scorecard system 200 may generate an alert which can be transmitted to a representative of the entity or simply displayed an output, for example on a user interface or output display, such as the output displays illustrated in FIGS. 7-11 …), and wherein the increased risk is quantified using a first score, and wherein the first score is greater than the threshold value (Yampolskiy, Para [0105]: … The method can also comprises generating an alert when the overall cybersecurity risk score exceeds a cybersecurity threshold. In another embodiment, the method can also comprises monitoring the one or more data in real time, wherein the alert is generated based, at least in part, on the real-time monitoring …).”
The motivation to further combine Yampolskiy remains the same as in claim 1.
Regarding Claim 12. Stute discloses A method, comprising:
maintaining affiliations for groups, wherein each group associates a respective subset of a plurality of client networks of respective companies of a plurality of companies using a respective affiliation, wherein the affiliations are generated to affiliate each client network of the respective subset of the plurality of client networks to one of the groups according to a respective commonality between client networks in each respective group (Stute, Para [0021, 0043, 0061-0065]: … System 100 could include enterprise network 102, firewall system or other similar device 104, and one or more connections 106 to Internet 108. Enterprise network 102 could include for example, a company, a group of companies, a department, a group of departments, a user, a group of users, database, group of databases, applications, group of applications, any suitable entity, or any combination thereof … These "global alerts" could be analyzed by each participating commercial network security system that could be vulnerable to the same type of attack technique. For example, these global alerts could be valuable to customers who are similarly situated, configured, or vulnerable … System 200 shown in FIG. 2 is generally scalable and could include additional tiers in the architectural deployment of the threat management system as shown in FIG. 3 … System 200 shown in FIG. 2 could be scaled to monitor additional networks or similar systems to service one or more entities such as, for example, one or more companies, group of companies, affiliates, departments, group of departments, users, group of users, databases, group of databases, applications, group of applications, any suitable entities, or any combinations thereof by using SOC 302a, MSP 302b, and SDM 302c. 
The additional network architectural layers could be centrally located relative to each layer or geographically disperse relative to each layer … MSP 302b could also generally facilitate service creation, real-time monitoring, and holistic view of the security posture of multiple discrete customer networks using SDM 302c. In one embodiment, SDM 302c could collect, aggregate, and correlate information from SDM 318a, SDM 318b, and any other SDM modules associated with system 300 …; Examiner’s Interpretation: A group of users or group of departments belonging to a department or company respectively have the department or the company as a commonality … Also, customers that are similarly situated discloses commonality …), and wherein the respective commonality indicates that each client network affiliated with the respective group is operated by a respective client [that operates in an industry common to the respective group] (Stute, Para [0021, 0025, 0063-0064]: … System 100 could include enterprise network 102, firewall system or other similar device 104, and one or more connections 106 to Internet 108. Enterprise network 102 could include for example, a company, a group of companies, a department, a group of departments, a user, a group of users, database, group of databases, applications, group of applications, any suitable entity, or any combination thereof … System 200 shown in FIG. 2 could be scaled to monitor additional networks or similar systems to service one or more entities such as, for example, one or more companies, group of companies, affiliates, departments, group of departments, users, group of users, databases, group of databases, applications, group of applications, any suitable entities, or any combinations thereof by using SOC 302a, MSP 302b, and SDM 302c. The additional network architectural layers could be centrally located relative to each layer or geographically disperse relative to each layer …);
However, Stute does not explicitly teach, but Yampolskiy from the same or a similar field of endeavor teaches:
“each client network affiliated with the respective group is operated by a respective client that operates in an industry common to the respective group (Yampolskiy, Abstract, Para [0010]: … Determining an entity's cybersecurity risk and benchmarking that risk includes non-intrusively collecting one or more types of data associated with an entity. Embodiments further include calculating a security score for at least one of the one or more types of data based, at least in part, on processing of security information extracted from the at least one type of data, wherein the security information is indicative of a level of cybersecurity. Some embodiments also comprise assigning a weight to the calculated security score based on a correlation between the extracted security information and an overall cybersecurity risk determined from analysis of one or more previously-breached entities in the same industry as the entity … FIG. 1 is a block diagram of a network that includes a scorecard server, data sources, and an entity with a cybersecurity risk according to an embodiment …).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Yampolskiy into the teachings of Stute because it discloses that “A corporate entity may assess its cybersecurity risk by calculating and/or tracking its own cybersecurity performance, as well the cybersecurity performance of its competitors and current and potential business partners. Based on the assessment, the entity can make meaningful decisions to improve its cybersecurity performance. To improve its market standing, the entity can benchmark its cybersecurity performance against similar corporate entities, such as competitors, to make sure it's cybersecurity performance is not below an industry standard (written or unwritten). In doing so, the entity can reduce the likelihood of experiencing a security breach, and likewise, suffering from client loss, reputation loss, and exposure to liability (Yampolskiy, Para [0004])”.
Stute further discloses:
“identifying a group of the groups (Stute, Para [0025, 0042, 0043, 0046]: … system 200 could be implemented, customized, applied, or otherwise used by any suitable facility 202 with existing technologies or could be upgraded with emerging or future technologies. In one embodiment, facility 202 could include, for example, a company, a group of companies, a department, a group of departments, a user, a group of users, a database, a group of databases, applications, a group of applications, any suitable entity, or any combination thereof … after performing the second stage of this analysis, BCM 216 could correlate information and perform behavioral correlation to provide advanced warning of potential security violations, threats, vulnerabilities, and attacks that could occur within facility 202 … Finally, in a third stage, BCM 216 or other similar device or module, could perform behavioral correlation on the data collected across all DPMs in facility 202 (e.g., each of external DPM 208, internal DPM 212, and TCB DPM 222) and other facilities, including other client sites, not shown in FIG. 1. These "global alerts" could be analyzed by each participating commercial network security system that could be vulnerable to the same type of attack technique. For example, these global alerts could be valuable to customers who are similarly situated, configured, or vulnerable.);
generating a message that conveys an alert to a first client network of the identified group, wherein the alert is generated in response to a determined increased risk to the identified group (Stute, Para [0056-0057]: … In one example, most intrusion detection algorithms could have the ability to detect the presence of protocol specific traffic such as, for example, SSH-1 traffic on a network and normally would identify such traffic as a low-priority event. However, when SSH-1 traffic is detected against a device that could potentially be vulnerable to an SSH-1 exploit, then, under this context, this event could be classified as a high-priority event in terms of incident response. Accordingly, in one embodiment, the present disclosure not only identifies known vulnerabilities, it also could detect suspicious traffic against such known vulnerabilities … In addition, VSM 220 provides visual context and correlation of suspicious network activity against vulnerable areas of the network associated with facility 202. For example, in one embodiment, VSM 220 could reclassify the alert priority and use different colors to display the alerts on a monitoring console to highlight the severity of the situation at hand. VSM 220 could be configured to communicate and report vulnerabilities to, for example, BCM 216, SDM 218, and MCU 214. 
Accordingly, VSM 220 attempts to discover and eliminate potential vulnerabilities and threats to system 200 before they are implemented …), and wherein the determined increased risk is associated with an increased likelihood that an attack is going to occur based at least in part on the respective commonality (Stute, Para [0039, 0049-0050, 0052-0055]: … with the performance of this first stage, BCM 216 could correlate information and perform behavioral correlation to provide advanced warning of potential security violations, threats, vulnerabilities, and attacks that could occur within a particular location of facility 202… SDM 218 automatically allocates every identified signature, behavioral alert, vendor alert, scanning alert, and known exploits into a user-extendable taxonomy, representing the intrinsic risk of each attack. The risks can be modified according to a user's security posture, and custom correlation rules can be added to tune pre-exploit threats. In addition, SDM 218 could generally reduce false positives and enhances alert relevance by matching inbound event data from intrusion detection or prevention sensors with results from VSM 220. In one embodiment, this process escalates attacks that have the highest potential to be successful and modifies the risk associated with other attacks based on correlation of VSM 220 scan results and age of the alert … SDM 218 could automatically and continuously correlate, consolidate, and prioritize all threats and vulnerabilities to the networks associated with facility 202 into a single, simple screen display, database, report, terminal, or other device …)”; and
However, the combination of Stute-Yampolskiy does not explicitly teach, but Chernin from the same or a similar field of endeavor teaches:
“modifying the message to remove an identity of a second client network of the identified group from the message (Chernin, Para [0048-0051]: … Once a local entity 104a, 104b, 104c, or 104d receives an item of threat information, if that local entity 104a, 104b, 104c, or 104d desires more information or context about the item of threat information, the local entity may contact the entity who provided the item of threat information for further information. In some embodiments of the invention, however, the identity of the original entity/repository 104a, 104b, 104c, or 104d who provided the item of threat information is kept secure and anonymous, as the fact that an entity suffered a threat or attack may itself be sensitive, damaging, or embarrassing to that entity and/or its members…); Examiner’s Note: Applicant is also referred to Para [008, 0051 and 52] of provisional application 62149121.”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Chernin into the combined teachings of Stute-Yampolskiy because it “allows a way for entities in the system to request additional context, detail, or other information about an item of threat information while still preserving the anonymity of the original source of that item of threat information (Chernin, Para [0051])”.
Regarding Claim 15. Stute discloses [A non-transitory, tangible, computer-readable storage medium storing instructions that, when executed by a processor], facilitate performance of operations for aggregating computer network threat information from multiple networks to enhance computer network security (Stute, Para [0054, 0099]: … SDM 218 could provide a two-way communication system that truly integrates the collection, aggregation, and correlation of information and feeds such information to any suitable underlying systems or subsystems associated with facility 202 or other facilities for robust data sharing and feedback. Unlike traditional SIM/SEM technologies, which only generally collect and aggregate static log report information, SDM 218 could provide a smart, integrated system in which log information and other information could be shared, correlated, prioritized, aggregated, and analyzed with other related systems and subsystems to provide feedback and enhanced protection schemes … a computer  …), the operations comprising:
receiving, at a receiving network of the multiple networks from a hub configured to [modify messages to remove an identity of a respective client network of the multiple networks before] transmitting the messages, a [modified] message configured to convey an alert (Stute, Para [0064-0069]: … System 300 shown in FIG. 3 could be implemented, customized, applied, or otherwise used by any suitable additional network architectural layer such as by having two enterprise facilities 304a and 304b (collectively referred to herein as facilities 304). Facilities 304 could include one or more companies, group of companies, departments, group of departments, users, group of users, databases, group of databases, applications, group of applications, any suitable entities, or any combinations thereof … SOC 302a, MSP 302b, and SDM 302c could provide transparent access to all security risk management reports, DPM monitoring communications, signature and behavioral alerts … ), wherein the [modified] message comprises an indicator associated with a network threat (Stute, Para [0046]: Accordingly, after performing the third stage of this analysis, BCM 216 could correlate information and perform behavioral correlation to provide advanced warning of potential security violations, threats, vulnerabilities, and attacks that could occur within facility 202 and at other facilities …), [wherein the modified message is received based at least in part on an affiliation of the receiving network with one or more of the multiple networks indicating that the receiving network and the one or more of the multiple networks are associated with a same industry, wherein each of the multiple networks correspond to respective companies of a plurality of companies associated with a same industry], wherein the alert is generated in response to a determination of increased risk to the one or more of the multiple networks (Stute, Para [0056-0057]: … In one example, most intrusion detection algorithms could have the ability to detect the presence of protocol specific traffic such as, for example, SSH-1 traffic on a network and normally would identify such traffic as a low-priority event. However, when SSH-1 traffic is detected against a device that could potentially be vulnerable to an SSH-1 exploit, then, under this context, this event could be classified as a high-priority event in terms of incident response. Accordingly, in one embodiment, the present disclosure not only identifies known vulnerabilities, it also could detect suspicious traffic against such known vulnerabilities … In addition, VSM 220 provides visual context and correlation of suspicious network activity against vulnerable areas of the network associated with facility 202. For example, in one embodiment, VSM 220 could reclassify the alert priority and use different colors to display the alerts on a monitoring console to highlight the severity of the situation at hand. VSM 220 could be configured to communicate and report vulnerabilities to, for example, BCM 216, SDM 218, and MCU 214. Accordingly, VSM 220 attempts to discover and eliminate potential vulnerabilities and threats to system 200 before they are implemented …), and wherein the increased risk is associated with an increased likelihood that an attack is going to occur based at least in part on the affiliation (Stute, Para [0049-0050]: … SDM 218 automatically allocates every identified signature, behavioral alert, vendor alert, scanning alert, and known exploits into a user-extendable taxonomy, representing the intrinsic risk of each attack. The risks can be modified according to a user's security posture, and custom correlation rules can be added to tune pre-exploit threats. In addition, SDM 218 could generally reduce false positives and enhances alert relevance by matching inbound event data from intrusion detection or prevention sensors with results from VSM 220. 
In one embodiment, this process escalates attacks that have the highest potential to be successful and modifies the risk associated with other attacks based on correlation of VSM 220 scan results and age of the alert … SDM 218 could automatically and continuously correlate, consolidate, and prioritize all threats and vulnerabilities to the networks associated with facility 202 into a single, simple screen display, database, report, terminal, or other device …); and
in response to the alert, initiating a search of the receiving network to detect a correlation between the indicator and security event data maintained by the receiving network (Stute, Para [0036, 0065]: … BCM 216 could correlate suspicious activity within an individual DPM, while in a second exemplary stage, BCM 216 could correlate behaviorally detected suspicious traffic across multiple DPMs within a customer network. Unlike conventional systems, BCM 216 could include the ability to detect whether a single hostile source is employing various techniques on different parts of system 200, or if multiple hostile sources are employing various techniques on a common target destination … SOC 302a, MSP 302b, and SDM 302c could provide transparent access to all security risk management reports, DPM monitoring communications, signature and behavioral alerts, MCUs 314, BCMs 316, VSMs 320, SDMs 318, or TCBs 224, critical on-site servers 326, or any other device associated with facility 304, while leaving system administration functions and controls at each respective local secure facilities 304a and 304b. MSP 302b could also generally facilitate service creation, real-time monitoring, and holistic view of the security posture of multiple discrete customer networks using SDM 302c. In one embodiment, SDM 302c could collect, aggregate, and correlate information from SDM 318a, SDM 318b, and any other SDM modules associated with system 300 …).
However, Stute does not explicitly teach, but Yampolskiy from the same or a similar field of endeavor teaches:
“A non-transitory, tangible, computer-readable storage medium storing instructions that, when executed by a processor (Yampolskiy, Para [0006]: …  According to another embodiment, a computer program product includes a non-transitory computer-readable medium comprising instructions which, when executed by a processor of a computing system, cause the processor to perform the step of non-intrusively collecting one or more types of data associated with an entity …);
wherein the modified message is received based at least in part on an affiliation of the receiving network with one or more of the multiple networks indicating that the receiving network and the one or more of the multiple networks are associated with a same industry, wherein each of the multiple networks correspond to respective companies of a plurality of companies associated with a same industry (Yampolskiy, Abstract, Para [0010, 0099-0100, 0103]: … Determining an entity's cybersecurity risk and benchmarking that risk includes non-intrusively collecting one or more types of data associated with an entity. Embodiments further include calculating a security score for at least one of the one or more types of data based, at least in part, on processing of security information extracted from the at least one type of data, wherein the security information is indicative of a level of cybersecurity. Some embodiments also comprise assigning a weight to the calculated security score based on a correlation between the extracted security information and an overall cybersecurity risk determined from analysis of one or more previously-breached entities in the same industry as the entity … FIG. 1 is a block diagram of a network that includes a scorecard server, data sources, and an entity with a cybersecurity risk according to an embodiment … the scorecard system 200 can transmit an indication of relative cybersecurity risk score of one or more entities, the relative cybersecurity risk score based on a comparison of the individual cybersecurity risk score of the one or more entities to the composite cybersecurity risk score of the group. In another embodiment, the scorecard system 200 can transmit, to one or more entities in the group, an identification of one or more objectives to complete to improve the entity's relative cybersecurity risk score. 
The scorecard system 200 can also receive an indication that the objective has been achieved, calculate an updated relative cybersecurity risk score for the one or more entities based on the stored attributes and the achieved objective, and transmit an indication of the updated relative cybersecurity risk score of one or more entities …  the scorecard system 200 can also monitor the relative cybersecurity risk performance for each entity in the group. When the relative cybersecurity risk score for one or more entities in the group decreases, the scorecard system 200 may transmit an alert to the one or more entities whose relative cybersecurity risk score decreased. In another embodiment, when the relative cybersecurity risk score for one or more entities in the group decreases, the scorecard system 200 can transmit an identification of one or more updated objectives to complete to improve the entity's relative cybersecurity risk score to the one or more entities whose relative cybersecurity risk score decreased … method 600 includes calculating, by the processor, a security score for at least one of the one or more types of data based, at least in part, on processing of security information extracted from the at least one type of data, wherein the security information is indicative of a level of cybersecurity. At block 606, method 600 includes assigning, by the processor, a weight to the calculated security score based on a correlation between the extracted security information and an overall cybersecurity risk determined from analysis of one or more previously-breached entities in the same industry as the entity …).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Yampolskiy into the teachings of Stute because it discloses that “A corporate entity may assess its cybersecurity risk by calculating and/or tracking its own cybersecurity performance, as well the cybersecurity performance of its competitors and current and potential business partners. Based on the assessment, the entity can make meaningful decisions to improve its cybersecurity performance. To improve its market standing, the entity can benchmark its cybersecurity performance against similar corporate entities, such as competitors, to make sure it's cybersecurity performance is not below an industry standard (written or unwritten). In doing so, the entity can reduce the likelihood of experiencing a security breach, and likewise, suffering from client loss, reputation loss, and exposure to liability (Yampolskiy, Para [0004]).”
However, the combination of Stute-Yampolskiy does not explicitly teach, but Chernin from the same or a similar field of endeavor teaches:
“modify messages to remove an identity of a respective client network of the multiple networks before transmitting the messages (Chernin, Para [0048-0051]: … Once a local entity 104a, 104b, 104c, or 104d receives an item of threat information, if that local entity 104a, 104b, 104c, or 104d desires more information or context about the item of threat information, the local entity may contact the entity who provided the item of threat information for further information. In some embodiments of the invention, however, the identity of the original entity/repository 104a, 104b, 104c, or 104d who provided the item of threat information is kept secure and anonymous, as the fact that an entity suffered a threat or attack may itself be sensitive, damaging, or embarrassing to that entity and/or its members … the items of threat information can be distributed from central repository 102 to local entities 104a, 104b, 104c, and 104d at the same time that local entities 104a, 104b, 104c, and 104d provide detected items of threat information to central repository 102 in a scheduled synchronization …); Examiner’s Note: Applicant is also referred to Para [008, 0051 and 52] of provisional application 62149121”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Chernin into the combined teachings of Stute-Yampolskiy because it “allows a way for entities in the system to request additional context, detail, or other information about an item of threat information while still preserving the anonymity of the original source of that item of threat information (Chernin, Para [0051])”.
Regarding Claim 16. The combination of Stute-Yampolskiy-Chernin discloses the non-transitory, tangible, computer-readable storage medium of claim 15; Stute further discloses, “wherein the operations comprise:
generating a report configured to indicate the correlation between the indicator and the receiving network (Stute, Para [0052]: … SDM 218 could aid in assessing, ranking, prioritizing, reporting, and correlating potential threats and intelligently focus local IT resources on prevention and remediation activities. For example, SDM 218 could correlate each prioritized threat and provide access to forensic information, comprehensive lists of vulnerable assets, associated vulnerability reports, prevention/remediation instructions, other instructions, or any combination thereof. In addition, SDM 218 generally aids in providing a successful security event management system by generating alerts from multiple and complex sources by linking threats to the business assets they target …);”
Chernin further discloses:
“anonymizing the report at least in part by removing information identifying the receiving network from the report (Chernin, Para [0050]: … Once a local entity 104a, 104b, 104c, or 104d receives an item of threat information, if that local entity 104a, 104b, 104c, or 104d desires more information or context about the item of threat information, the local entity may contact the entity who provided the item of threat information for further information. In some embodiments of the invention, however, the identity of the original entity/repository 104a, 104b, 104c, or 104d who provided the item of threat information is kept secure and anonymous, as the fact that an entity suffered a threat or attack may itself be sensitive, damaging, or embarrassing to that entity and/or its members…); and
transmitting the report to the hub after the report is anonymized (Chernin, Para [0048-0051]: … In some embodiments of the present invention, the items of threat information can be distributed from central repository 102 to local entities 104a, 104b, 104c, and 104d at the same time that local entities 104a, 104b, 104c, and 104d provide detected items of threat information to central repository 102 in a scheduled synchronization … In these embodiments, where the source of the item of threat information is anonymous, the local entity 104a, 104b, 104c, or 104d may send out a "request for information" ("RFI"), a message that includes a code or identifier associated with the item of threat information that is sent to all entities and/or repositories in the system. Because only the entity or repository that is the source of the message will contain that particular code/identifier, the RFI allows a way for entities in the system to request additional context, detail, or other information about an item of threat information while still preserving the anonymity of the original source of that item of threat information. In some embodiments, the source of the RFI will also be anonymous, even to the original source of the item of threat information that receives the RFI …).”
The motivation to further combine Chernin remains the same as in claim 15.
Claims 3, 9, 13, 14 and 17-21 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 2009/0178139 A1 to Stute et al. (hereinafter “Stute”) and Pub. No.: US 2016/0173521 A1 to Yampolskiy et al. (hereinafter “Yampolskiy”) in view of Pub. No.: US 2016/0366174 A1 to Chernin et al. (hereinafter “Chernin”), with priority of 04/17/2015 from provisional application 62149121, as applied to claim 2 above, and further in view of Pub. No.: US 2017/0061132 A1 to Hovor et al. (hereinafter “Hovor”).
Regarding Claim 3. The combination of Stute-Yampolskiy-Chernin discloses the system of claim 2, wherein the memory includes instructions executable by the processor to cause the processor to:
However, it does not explicitly teach, but Hovor from the same or a similar field of endeavor teaches:
“in response to receiving the threat data (Hovor, FIG. 1, Para [0026]: … contextualization system 102 receives threat data from a network 104 and ranks vulnerabilities identified in the threat data …), generate a current numerical score associated with the network threat (Hovor, Para [0019, 0058]: … The system analyzes the threat data to determine the assets identified in the threat data. The system may use the identified assets to determine trends in the threat data, such as a number of occurrences that a particular asset or attribute of an asset is mentioned in the threat data. The number of occurrences may be representative of a severity of a vulnerability, a frequency with which a vulnerability is compromised, or both … The system may use the string criticality values to determine numerical ratings 210 for each of the assets …);
determine that the current numerical score is greater than a previous numerical score, wherein the previous numerical score is associated with the network threat and the group (Hovor, Para [0062, 0065-0066]: … In some examples, the system determines trends in the threat data in response to receipt of a request for presentation of a list of vulnerabilities that may affect an entity … The system updates the numerical ratings 210 and the criticalities 208 of the assets in the asset inventory. For instance, the system adds a boost value to the corresponding numerical rating 210 and determines whether the corresponding criticality 208 should be updated. When the system determines that the numerical rating 210 has changed and represents a new criticality value, e.g., by increasing from eighty to one hundred, the system updates the corresponding criticality 208, e.g., by changing the criticality from "high" to "critical." … The system, at time T.sub.5, determines business imperative scores for each of the entity's business imperatives using the attributes affected by the vulnerabilities, e.g., the exploit targets. The business imperative scores are not specific to a particular vulnerability. The business imperative scores are general scores for assets and the asset attributes …); and
in response to determining that the current numerical score is greater than the previous numerical score, determine the increased risk to the group (Hovor, FIG. 2D, Para [0081]: … the user interface 216, at time T.sub.9, may cause the presentation of a second user interface 226 with information about the selected exploit target. The second user interface 226 may include information from one or more documents with details about a vulnerability for the exploit target, the assets, asset attributes, or both, affected by the vulnerability, and potential solutions to remove the vulnerability …).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Hovor into the combined teachings of Stute-Yampolskiy-Chernin because it discloses that “the system may automatically, without user input, determine a solution to the vulnerability, such as installing a software update or changing an Internet Protocol address, and cause the solution to be implemented. For instance, the system may communicate with one of the affected assets to provide the affected asset with instructions to update a software application (Hovor, Para [0084])”.
Regarding Claim 9. The combination of Stute-Yampolskiy-Chernin discloses the system of claim 8 but does not explicitly teach the following limitation, which Hovor, from the same or a similar field of endeavor, teaches:
“wherein the client network is associated with a client specific rule indicating a threshold value, and wherein an additional client network is associated with an additional client specific rule configured to indicate a different threshold value than the threshold value (Hovor, Para [0063-0064]: … At time T.sub.4, the system uses information about the trends to update the asset relevance scores. For instance, the system uses the quantity of documents in which the attributes 206 are mentioned to determine a boost to a relevance score for the corresponding attribute … the system may boost a relevance score by five for an attribute that is mentioned a small number of times, e.g., greater than zero and less than a first threshold amount. The system may boost a relevance score by ten for an attribute that is mentioned a median number of times, e.g., greater than or equal to the first threshold amount and less than a second threshold amount. The system may boost an attribute's relevance score by twenty when the attribute is mentioned many times in the documents of the threat data, e.g., when the attribute is mentioned at least the second threshold amount of times).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Hovor into the combined teachings of Stute-Yampolskiy-Chernin, because it discloses that “the system may automatically, without user input, determine a solution to the vulnerability, such as installing a software update or changing an Internet Protocol address, and cause the solution to be implemented. For instance, the system may communicate with one of the affected assets to provide the affected asset with instructions to update a software application (Hovor, Para [0084])”.
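The threshold-driven boost quoted from Hovor for claim 9, together with the rating and criticality update quoted from Hovor para [0065] above (a numerical rating rising from eighty to one hundred moving the criticality from "high" to "critical"), can be written out as follows. This is an illustration added for the reader; it is not code from the application, from Hovor, or from this action. The boost values 5, 10 and 20 and the step to "critical" at a rating of 100 come from the quoted passages; the other criticality bands, the two client-specific threshold pairs, the asset and attribute names and the sample threat documents are constructed for the example.

```python
"""Threshold-based relevance boost with a criticality update (added example)."""
from dataclasses import dataclass
from typing import Iterable, Set


@dataclass
class ClientRule:
    """Client-specific rule (assumed structure): each client network carries
    its own pair of mention-count thresholds."""
    first_threshold: int
    second_threshold: int


@dataclass
class Asset:
    name: str
    rating: int          # numerical rating, 0..100
    criticality: str


# Assumed criticality bands. Only the step to "critical" at a rating of 100
# (quoted from Hovor para [0065]) is taken from the office action.
BANDS = ((100, "critical"), (80, "high"), (50, "medium"), (0, "low"))


def criticality_for(rating: int) -> str:
    """Map a numerical rating to its criticality label."""
    for floor, label in BANDS:
        if rating >= floor:
            return label
    return "low"


def boost_for(mentions: int, rule: ClientRule) -> int:
    """Boost as described in Hovor para [0063-0064]: 5 for a small number of
    mentions, 10 for a median number, 20 when mentioned at least the second
    threshold number of times; 0 when the attribute is not mentioned at all."""
    if mentions <= 0:
        return 0
    if mentions < rule.first_threshold:
        return 5
    if mentions < rule.second_threshold:
        return 10
    return 20


def count_mentions(threat_docs: Iterable[Set[str]], attribute: str) -> int:
    """Number of threat documents that mention the attribute."""
    return sum(1 for doc in threat_docs if attribute in doc)


def update_asset(asset: Asset, mentions: int, rule: ClientRule) -> dict:
    """Add the boost to the rating (capped at 100), re-derive the criticality,
    and report whether the current rating exceeds the previous one."""
    previous_rating, previous_crit = asset.rating, asset.criticality
    asset.rating = min(100, asset.rating + boost_for(mentions, rule))
    asset.criticality = criticality_for(asset.rating)
    return {
        "asset": asset.name,
        "previous_rating": previous_rating,
        "current_rating": asset.rating,
        "increased_risk": asset.rating > previous_rating,
        "criticality": asset.criticality,
        "criticality_changed": asset.criticality != previous_crit,
    }


# Constructed sample threat data: each document is the set of attributes it mentions.
SAMPLE_THREAT_DOCS = [
    {"openssl-1.0.1", "apache-2.4"},
    {"openssl-1.0.1"},
    {"openssl-1.0.1", "java-8"},
    {"openssl-1.0.1"},
    {"java-8"},
]


def run_example() -> dict:
    """Same threat data and same starting asset, scored under two client
    networks whose rules carry different thresholds (constructed values)."""
    rules = {
        "client-a": ClientRule(first_threshold=2, second_threshold=4),
        "client-b": ClientRule(first_threshold=3, second_threshold=6),
    }
    mentions = count_mentions(SAMPLE_THREAT_DOCS, "openssl-1.0.1")
    results = {"mentions": mentions}
    for client, rule in rules.items():
        asset = Asset("web-01", rating=80, criticality="high")
        results[client] = update_asset(asset, mentions, rule)
    return results


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

With four documents mentioning the attribute, client A's rule (thresholds 2 and 4) yields a boost of 20, so the rating goes from 80 to 100 and the criticality from "high" to "critical"; client B's rule (thresholds 3 and 6) yields a boost of 10, so the rating rises to 90 and the criticality stays "high". Both clients see an increased risk, but only one crosses a criticality boundary.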
Regarding Claim 13. The combination of Stute-Yampolskiy-Chernin discloses the method of claim 12, and Stute further discloses, “comprising:
receiving threat data from the plurality of client networks (Stute, Para [0029-0031]: … External DPM 208, internal DPM 212, and TCB DPM 222 could perform, for example, signature intrusion detection from known and potential threats, intrusion prevention, data packet collection, and behavioral packet analysis. External DPM 208, internal DPM 212, and TCB DPM 222 could generally be installed as a passive device to receive mirrored traffic from monitored network segments … external DPM 208 could be configured to receive mirrored traffic coming in from Internet 108 and leaving from enterprise 202 … internal DPM 212 could be configured to receive mirrored traffic coming in and from entities within facility 202. In one embodiment, internal DPM 212 could be installed inside the firewall to monitor internal network traffic, outbound traffic to Internet 108, and correlate with inbound network traffic that makes it through the firewall …);
storing the threat data in a security event database (Stute, Para [0053]: … SDM 218 dynamically prioritizes the attack details as the events are received. In one embodiment, SDM 218 adjusts the threat priority dynamically as a result of its continuous security event analysis and correlation processing. Accordingly, SDM 218 performs behavioral correlation algorithms that automatically identify threats before they become compromises, and require nothing more than limited access to the facility's network to keep the internal asset and threat database updated …);
processing content in the security event database to identify the identified group by detecting a correlation between the threat data and the identified group (Stute, Para [0055, 0058]: … Facility 202 could also include vulnerability scanner module (VSM) 220. VSM 220 proactively identifies vulnerabilities to critical infrastructures at facility 202. For example, when VSM 220 detects a vulnerability in system 200, the detected vulnerability could be fed back into an intrusion detection algorithm. Here, the vulnerabilities could be correlated to provide context … 228 could also identify and correlate any violations of the network's access policy associated with the network's vulnerable assets and system resources. For example, NSZ 228 could identify and correlate access policies associated with vulnerable assets and resources with behavioral and signature alerts that may be required. In cases where the network assets in violation is identified or associated with a particular detected vulnerability, infection, or compromise, NSZ could prioritize such vulnerabilities within the context of the measured hostility …);
However, the combination of Stute-Yampolskiy-Chernin does not explicitly teach, but Hovor from same or similar field of endeavor teaches:
“receiving a report from the client network in response to the message, wherein the report comprises the correlation between the threat data and security event data maintained by the client network in local storage of the client network (Hovor, Para [0072-0078]: … In some examples, the system may determine that threat document n mentions the particular vulnerability A and attributes B, C, and D. The system may combine, e.g., add, the relevance scores for the attributes A, B, C, and D to determine the total asset relevance score for the particular vulnerability A based on the attributes mentioned for the particular vulnerability A in the threat document m and the threat document n … The system generates instructions for presentation of a user interface 216 and, at time T.sub.8, causes presentation of the user interface 216, shown in FIG. 2D. The user interface 216 includes a list of exploit targets 218, e.g., vulnerabilities, affected assets 220, and asset relevance scores 222 and business imperative scores 224 for the corresponding exploit targets 218 …)”; and
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Hovor into the combined teachings of Stute-Yampolskiy-Chernin because it discloses that “the user interface 216 may help an administrator determine which vulnerabilities are most important to a particular entity, e.g., the entity that employs the administrator, and should be acted on first. For instance, the user interface 216 may help an administrator to allocate resources to determine solutions for vulnerabilities that affect an entity's assets, e.g., to allocate resources to the most important vulnerabilities first (Hovor, Para [0078])”.
Stute further discloses:
“updating the security event database in response to the report (Stute, Para [0074]: … The behavioral correlation algorithms applied by SDM 218 automatically identify threats before they become compromises, and require nothing more than limited access to the corporate network to keep internal assets of SDM 218 and any threat databases updated in step 412 …).”
Regarding Claim 14. The combination of Stute-Yampolskiy-Chernin-Hovor discloses the method of claim 13, and Hovor further discloses, “comprising:
maintaining a threat score associated with a network threat corresponding to the threat data (Hovor, Para [0013, 0020]: … FIG. 1 is an example of an environment in which a contextualization system receives threat data from a network and ranks vulnerabilities identified in the threat data … The system generates scores for the assets and the attributes of the assets using the priority information and the threat data trends. The system may take corrective action on the threat data using the generated scores. For instance, the system takes action to correct vulnerabilities identified in a particular subset of threat data, e.g., a document, with a higher score, e.g., that identifies higher priority attributes, attributes that are trending more than other attributes, or both, before eliminating other potential vulnerabilities that have a lower score, are trending less, or both …);
receiving a local score that is based on a search at the client network to detect the correlation between the threat data and the security event data (Hovor, Para [0002], Claim 1: … determining the particular attributes affected by the vulnerability, and determining a score for the vulnerability using the respective relevance ratings for the particular attributes affected by the vulnerability, generating a ranking of the two or more vulnerabilities using the corresponding scores, generating instructions for presentation of a user interface that identifies each of the two or more vulnerabilities according to the ranking, providing the instructions to a device to cause the device to present the user interface to a user to allow the user to change the entity's computer assets or the attributes of the entity's computer assets based on the vulnerabilities, and receiving an indication of a change to the entity's computer assets or the attributes of the entity's computer assets …); and
updating the threat score based at least in part on the local score (Hovor, Para [0033, 0062-0065]: … scoring engine 112 uses the quantity of times the asset or an asset attribute is mentioned in the threat data 110 and the priority of the asset to determine a score for the asset … the scoring engine 112 adjusts the score for that asset or asset attribute, or both, potentially using the quantity of times, the threshold value, or both, to determine the boost to the score … the system adds a boost value to the corresponding numerical rating 210 and determines whether the corresponding criticality 208 should be updated. When the system determines that the numerical rating 210 has changed and represents a new criticality value, e.g., by increasing from eighty to one hundred, the system updates the corresponding criticality 208, e.g., by changing the criticality from "high" to "critical" …).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to further combine the teachings of Hovor because it discloses that “the system may automatically, without user input, determine a solution to the vulnerability, such as installing a software update or changing an Internet Protocol address, and cause the solution to be implemented. For instance, the system may communicate with one of the affected assets to provide the affected asset with instructions to update a software application (Hovor, Para [0084])”.
Stute further discloses:
“receiving [a local score that is based on] a search at the client network to detect the correlation between the threat data and the security event data (Stute, Para [0052-0053]: … in one embodiment, SDM 218 could aid in assessing, ranking, prioritizing, reporting, and correlating potential threats and intelligently focus local IT resources on prevention and remediation activities … based on the class of attack being used, the vulnerability of the target (including the age of the vulnerability data) and the importance of the assets involved, SDM 218 dynamically prioritizes the attack details as the events are received. In one embodiment, SDM 218 adjusts the threat priority dynamically as a result of its continuous security event analysis and correlation processing. Accordingly, SDM 218 performs behavioral correlation algorithms that automatically identify threats before they become compromises, and require nothing more than limited access to the facility's network to keep the internal asset and threat database updated …)”
Regarding Claim 17. The combination of Stute-Yampolskiy-Chernin discloses the non-transitory, tangible, computer-readable storage medium of claim 15 but does not explicitly teach the following limitations, which Hovor, from the same or a similar field of endeavor, teaches, “wherein the operations comprise:
in response to the search of the receiving network, identifying a local score for the network threat based on the correlation between the indicator and the security event data (Hovor, Para [0004]:  In some implementations, receiving the data that identifies the entity's computer assets, the attributes for each of the entity's computer assets, and the respective relevance ratings for each of the entity's computer assets may include receiving data that identifies an entity's computer assets, attributes for each of the entity's computer assets, which of the entity's computer assets and corresponding attributes are used for each of the entity's business imperatives, and respective relevance ratings for each of the entity's computer assets, and determining the score for the vulnerability using the respective relevance ratings for the particular attributes affected by the vulnerability may include determining a score for the vulnerability using the business imperatives that use the computer assets with the particular attributes affected by the vulnerability); and
transmitting the local score to the hub (Hovor, Para [0075-0078]: … The system generates instructions for presentation of a user interface 216 and, at time T.sub.8, causes presentation of the user interface 216, shown in FIG. 2D. The user interface 216 includes a list of exploit targets 218, e.g., vulnerabilities, affected assets 220, and asset relevance scores 222 and business imperative scores 224 for the corresponding exploit targets 218 … The user interface 216 may allow selection of each of the affected assets 220 and, in response to receipt of data indicating selection of an affected asset, may cause the presentation of information about the selected asset …).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Hovor into the combined teachings of Stute-Yampolskiy-Chernin, because it discloses that “the system may automatically, without user input, determine a solution to the vulnerability, such as installing a software update or changing an Internet Protocol address, and cause the solution to be implemented. For instance, the system may communicate with one of the affected assets to provide the affected asset with instructions to update a software application (Hovor, Para [0084])”.
Regarding Claim 18. The combination of Stute-Yampolskiy-Chernin discloses the non-transitory, tangible, computer-readable storage medium of claim 15 but does not explicitly teach the following limitations, which Hovor, from the same or a similar field of endeavor, teaches, “wherein the operations comprise:
in response to the search of the receiving network, generating a local score based on the correlation between the indicator and the security event data (Hovor, Para [0004]:  In some implementations, receiving the data that identifies the entity's computer assets, the attributes for each of the entity's computer assets, and the respective relevance ratings for each of the entity's computer assets may include receiving data that identifies an entity's computer assets, attributes for each of the entity's computer assets, which of the entity's computer assets and corresponding attributes are used for each of the entity's business imperatives, and respective relevance ratings for each of the entity's computer assets, and determining the score for the vulnerability using the respective relevance ratings for the particular attributes affected by the vulnerability may include determining a score for the vulnerability using the business imperatives that use the computer assets with the particular attributes affected by the vulnerability);
performing a trend analysis to determine whether the local score indicates the increased risk to the receiving network (Hovor, Para [0065]: The system updates the numerical ratings 210 and the criticalities 208 of the assets in the asset inventory. For instance, the system adds a boost value to the corresponding numerical rating 210 and determines whether the corresponding criticality 208 should be updated. When the system determines that the numerical rating 210 has changed and represents a new criticality value, e.g., by increasing from eighty to one hundred, the system updates the corresponding criticality 208, e.g., by changing the criticality from "high" to "critical.")”; and
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Hovor into the combined teachings of Stute-Yampolskiy-Chernin, because it discloses that “the system may automatically, without user input, determine a solution to the vulnerability, such as installing a software update or changing an Internet Protocol address, and cause the solution to be implemented. For instance, the system may communicate with one of the affected assets to provide the affected asset with instructions to update a software application (Hovor, Para [0084])”.
Stute further discloses:
“in response to determining that the local score indicates the increased risk to the receiving network, transmitting the local score to the hub. (Stute, Para [0056-0057]: … In one example, most intrusion detection algorithms could have the ability to detect the presence of protocol specific traffic such as, for example, SSH-1 traffic on a network and normally would identify such traffic as a low-priority event. However, when SSH-1 traffic is detected against a device that could potentially be vulnerable to an SSH-1 exploit, then, under this context, this event could be classified as a high-priority event in terms of incident response. Accordingly, in one embodiment, the present disclosure not only identifies known vulnerabilities, it also could detect suspicious traffic against such known vulnerabilities … In addition, VSM 220 provides visual context and correlation of suspicious network activity against vulnerable areas of the network associated with facility 202. For example, in one embodiment, VSM 220 could reclassify the alert priority and use different colors to display the alerts on a monitoring console to highlight the severity of the situation at hand. VSM 220 could be configured to communicate and report vulnerabilities to, for example, BCM 216, SDM 218, and MCU 214. Accordingly, VSM 220 attempts to discover and eliminate potential vulnerabilities and threats to system 200 before they are implemented …).”
Regarding Claim 19. The combination of Stute-Yampolskiy-Chernin discloses the non-transitory, tangible, computer-readable storage medium of claim 15 but does not explicitly teach the following limitations, which Hovor, from the same or a similar field of endeavor, teaches, “wherein the operations comprise:
in response to the search of the receiving network, generating a local score based on the correlation between the indicator and the security event data (Hovor, Para [0004]:  In some implementations, receiving the data that identifies the entity's computer assets, the attributes for each of the entity's computer assets, and the respective relevance ratings for each of the entity's computer assets may include receiving data that identifies an entity's computer assets, attributes for each of the entity's computer assets, which of the entity's computer assets and corresponding attributes are used for each of the entity's business imperatives, and respective relevance ratings for each of the entity's computer assets, and determining the score for the vulnerability using the respective relevance ratings for the particular attributes affected by the vulnerability may include determining a score for the vulnerability using the business imperatives that use the computer assets with the particular attributes affected by the vulnerability);
determining that the local score satisfies a condition (Hovor, Para [0004]: Determining the score for the vulnerability using the business imperatives that use the computer assets with the particular attributes affected by the vulnerability may include determining, for a highest priority business imperative included in the entity's business imperatives that uses at least one of the particular attributes affected by the vulnerability, a score for each of the particular attributes for the computer assets used by the highest priority business imperative using a total quantity of attributes used by the highest priority business imperative, and determining, for the highest priority business imperative that uses at least one of the particular attributes affected by the vulnerability, a total score for the highest priority business imperative using the scores for each of the particular attributes for the computer assets used by the highest priority business imperative); and
in response to determining that the local score satisfies the condition, transmitting the local score as the local score to the hub, wherein the hub is configured to reconcile the local score with a score maintained by the hub corresponding to the receiving network and the network threat (Hovor, Para [0003]: The foregoing and other embodiments can each optionally include one or more of the following features, alone or in combination. The method may include receiving, from a device, a request for presentation of threat information to a user, wherein determining, by analyzing the threat data, the vulnerability trends for the particular attributes comprises determining, by analyzing the threat data, the vulnerability trends for the particular attributes in response to receiving the request for presentation of the threat information to a user. The method may include updating, for the entity's computer asset that includes the changed attribute, the updated relevance rating in response to receiving the indication of the change to the attributes of the entity's computer assets …).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Hovor into the combined teachings of Stute-Yampolskiy-Chernin, because it discloses that “the system may automatically, without user input, determine a solution to the vulnerability, such as installing a software update or changing an Internet Protocol address, and cause the solution to be implemented. For instance, the system may communicate with one of the affected assets to provide the affected asset with instructions to update a software application (Hovor, Para [0084])”.
Regarding Claim 20. The combination of Stute-Yampolskiy-Chernin discloses the non-transitory, tangible, computer-readable storage medium of claim 19 but does not explicitly teach the following limitations, which Hovor, from the same or a similar field of endeavor, teaches, “wherein the operations comprise: using one or more of the following as the condition:
determining that the local score is greater than a threshold (Hovor, Para [0034, 0049]: When a frequency of occurrences with which an asset or asset attribute is mentioned in the threat data 110 does not satisfy a threshold value, the scoring engine 112 might not adjust the score for that asset, e.g., depending on the particular threshold when multiple thresholds are used. When a frequency of occurrences with which an asset or asset attribute is mentioned in the threat data 110 satisfies a threshold value, the scoring engine 112 adjusts the score for that asset or asset attribute, or both, potentially using the quantity of times, the threshold value, or both, to determine the boost to the score); or
determining that the local score is to be processed by the hub based at least in part on a hysteresis function (Hovor, Para [0034]: The scoring engine 112 may use a portion of the threat data 110 associated with a particular period of time, e.g., a week or a day, when determining the boosts for the assets' scores. For example, when the scoring engine 112 analyzes threat data every day, the scoring engine may use the portion of the threat data 110 received since the previous analysis of the threat data 110, e.g., the day before. The scoring engine 112 may use the threat data 110 received in the most recent twenty-four hour time period …).”
The motivation to further combine Hovor remains the same as for claim 19.
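The two conditions recited in claim 20 can be contrasted on a constructed series of local scores. This is an added illustration, not code from the application, from Hovor, or from this action: the threshold of 70, the hysteresis bounds of 70 and 60, the score series, and the hub's rule of keeping the higher of its stored score and the incoming local score are all assumptions made for the example. The point it shows is that a plain threshold starts and stops reporting every time the score crosses 70, whereas the hysteresis function keeps reporting once engaged until the score has receded to 60 or below.

```python
"""Threshold versus hysteresis as the condition for sending a local score to the hub (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class HysteresisGate:
    """Engage when the score reaches `upper`; disengage only when it drops to
    `lower` or below. Report while engaged. Bounds are assumed values."""
    upper: float
    lower: float
    engaged: bool = False

    def should_report(self, score: float) -> bool:
        if not self.engaged and score >= self.upper:
            self.engaged = True
        elif self.engaged and score <= self.lower:
            self.engaged = False
        return self.engaged


def threshold_condition(score: float, threshold: float) -> bool:
    """The simpler condition: report when the local score is greater than a threshold."""
    return score > threshold


class Hub:
    """Keeps one score per (client network, network threat) and reconciles each
    incoming local score against it. Keeping the higher value is an assumed rule."""

    def __init__(self) -> None:
        self.scores: Dict[Tuple[str, str], float] = {}

    def reconcile(self, client: str, threat: str, local_score: float) -> float:
        key = (client, threat)
        self.scores[key] = max(self.scores.get(key, 0.0), local_score)
        return self.scores[key]


# Constructed sequence of local scores for one client and one threat, oscillating around 70.
SAMPLE_LOCAL_SCORES = [50, 72, 69, 71, 68, 75, 40, 30]


def run_with_threshold(scores: List[float], threshold: float, hub: Hub) -> List[float]:
    """Send to the hub only the scores that exceed the threshold."""
    reported = []
    for score in scores:
        if threshold_condition(score, threshold):
            reported.append(score)
            hub.reconcile("client-a", "threat-x", score)
    return reported


def run_with_hysteresis(scores: List[float], gate: HysteresisGate, hub: Hub) -> List[float]:
    """Send to the hub every score observed while the gate is engaged."""
    reported = []
    for score in scores:
        if gate.should_report(score):
            reported.append(score)
            hub.reconcile("client-a", "threat-x", score)
    return reported


if __name__ == "__main__":
    hub = Hub()
    print("threshold :", run_with_threshold(SAMPLE_LOCAL_SCORES, 70, hub))
    print("hysteresis:", run_with_hysteresis(SAMPLE_LOCAL_SCORES, HysteresisGate(70, 60), hub))
    print("hub score :", hub.scores)
```

On the sample series the threshold condition forwards 72, 71 and 75 with silent gaps in between, while the hysteresis gate forwards 72, 69, 71, 68 and 75 as one continuous run and falls silent only once the score drops to 40; in both cases the hub's reconciled score ends at 75.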
Regarding Claim 21. The combination of Stute-Yampolskiy-Chernin-Hovor discloses the method of claim 14, and Yampolskiy further discloses, “comprising:
receiving an indication from the first client network of an attack occurring on the first client network that corresponds to the alert (Yampolskiy, Para [0049, 0067]: As noted with respect to security signal collection module 210, one type of data associated with an entity that can be collected includes social engineering information, which can be obtained via social engineering collection module 201. Social engineering information includes any information which may indicate a level of awareness of, or susceptibility to, a social engineering attack, such as a phishing attack. As such, social engineering information can also be collected by reviewing how employees respond to phishing and spam campaigns. Such information can also be collected from vendors that collect spam responses and identify individuals that click on phishing e-mail links …  The scorecard system 200 can also utilize data breach detection and chatter analysis technologies, in which crawlers are used to continuously monitor websites, chat rooms, and social networks for discussions relating to the disclosure of a data breach archive …);
increasing the threat score (Yampolskiy, Para [0070]: … in one embodiment, an increase in the amount of leaked credentials may result in a worsening (or rising) of the security score for the leaked credentials information. Similar logic can be applied to each of the different types of data to determine a preliminary security score for the different types of data. In another embodiment, the scorecard system 200 may analyze the number of malware infections to predict breaches. For example, when then number of malware infections detected by the scorecard system 200 has increased, the scorecard system 200 may associate a worse security score with extracted malware infection data because an increase in the number of the malware infections can be a precursor to a security breach. Accordingly, the scorecard system 200 is able to provide more detailed security information for an entity by providing individual security scores for different types of data (drill-down capability) in addition to an overall cybersecurity risk score …); and
sending a message with the updated threat score to other client networks of the identified group (Yampolskiy, Para [0020, 0088-0091]:  In some embodiments, the scorecard system 200 can also receive, for example via cybersecurity risk assessment portal 160, an indication that the one or more objectives have been achieved. After the scorecard system 200 receives the indication that the one or more objectives have been achieved, the scorecard system 200 can calculate an updated cybersecurity risk score for the entity based on data collected from the one or more data sources and the achieved one or more objectives. The scorecard system 200 may also transmit, via the cybersecurity risk assessment portal, the updated calculated risk score … The scorecard system 200 can also generate alerts to trigger further attention to by a security administrator …).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to further combine the teachings of Yampolskiy, because it discloses that “A corporate entity may assess its cybersecurity risk by calculating and/or tracking its own cybersecurity performance, as well the cybersecurity performance of its competitors and current and potential business partners. Based on the assessment, the entity can make meaningful decisions to improve its cybersecurity performance. To improve its market standing, the entity can benchmark its cybersecurity performance against similar corporate entities, such as competitors, to make sure it's cybersecurity performance is not below an industry standard (written or unwritten). In doing so, the entity can reduce the likelihood of experiencing a security breach, and likewise, suffering from client loss, reputation loss, and exposure to liability (Yampolskiy, Para [0004]).”
Claims 4 and 6 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 2009/0178139 A1 to Stute et al. (hereinafter “Stute”) and Pub. No.: US 2016/0173521 A1 to Yampolskiy et al. (hereinafter “Yampolskiy”) in view of Pub. No.: US 2016/0366174 A1 to Chernin et al. (hereinafter “Chernin”), with priority of 04/17/2015 from provisional application 62/149,121, as applied to claim 2 above, and further in view of Pub. No.: US 2009/0013194 A1 to Mir et al. (hereinafter “Mir”).
Regarding Claim 4. The combination of Stute-Yampolskiy-Chernin discloses the system of claim 2 but does not explicitly teach the following limitations, which Mir, from the same or a similar field of endeavor, teaches:
“wherein the memory includes instructions executable by the processor to cause the processor (Examiner’s Note: combination of Stute-Yampolskiy-Chernin already discloses memory and processor) to:
decrypt and authenticate the threat data (Mir, FIG. 1, FIG. 5, Para [0007, 0029, 0067]: … the system selectively restricts access to one or more cryptographic keys for the database based on the threat-assessment condition … data to be stored in the database is encrypted and data being read from the database is decrypted … public-key/private-key decryption is used. In some embodiments, one or more cryptographic keys are stored separately (i.e., external to) the database, thereby providing an external control on access … decryption of requested encrypted information is selectively activated based on the threat-assessment condition …);
verify that a respective client network of the plurality of client networks reporting the threat data was previously registered in a client database, wherein the verification is a cryptographic verification based on the authentication of the threat data (Mir, FIG. 5, Para [0029]: … data to be stored in the database is encrypted and data being read from the database is decrypted … in an exemplary embodiment public-key/private-key decryption is used … one or more cryptographic keys are stored separately (i.e., external to) the database, thereby providing an external control on access to at least the portion of the information in the database …); and
in response to verifying that the respective client network was previously registered in the client database, store the threat data in the security event database (Mir, Para [0009, 0034]:  … the one or more cryptographic keys are stored separately from the database.… sensitive data that is to be stored in the database 108 may be encrypted using the one or more cryptographic keys 124 …).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mir into the combined teachings of Stute-Yampolskiy-Chernin because it discloses that “both the selective restriction of access to the one or more cryptographic keys and the selective activation of decryption can be used to stop the ongoing threat from accessing the encrypted information in the database (Mir, Para [0007])”.
Regarding Claim 6. The combination of Stute-Yampolskiy-Chernin discloses the system of claim 2; however, it does not explicitly teach the following, which Mir, from the same or a similar field of endeavor, teaches:
“wherein the memory includes instructions executable by the processor to cause the processor (Examiner’s Note: combination of Stute-Yampolskiy-Chernin already discloses memory and processor) to:
decrypt data from the report using one or more cryptographic credentials in a list of cryptographic credentials corresponding to the group (Mir, Para [0033-0034]: … encrypted data is processed by cryptographic module 116 using one or more cryptographic keys 124, which are stored separately from the database 108. In some embodiments, the one or more cryptographic keys 124 are stored in a file (which is henceforth referred to as a wallet). Moreover, a system or security administrator may open the wallet using a token (such as a password) before data to be decrypted (and/or encrypted) is processed. In particular, when the wallet is opened one or more column keys (which are associated with the encryption of the data in columns 114) and/or a master key (which may be used to encrypt the column keys) may be extracted … once the wallet is opened, when a data request 118-2 is received, encrypted data 122-1 may be decrypted and unencrypted data 122-2 may be provided …); Examiner: Memory and processor are already disclosed previously in claim 1;
confirm correspondence of the data decrypted using one of the cryptographic credentials in the list of the cryptographic credentials (Mir, Para [0036-0037]: … by selectively activating data decryption and storing the necessary cryptographic keys 124 in a separate wallet, computer systems that include the database 108 may be able to actively respond to an ongoing database attack (i.e., an attack that is in progress), thereby securing sensitive information in the database 108 and preventing further damage …);”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mir into the combined teachings of Stute-Yampolskiy-Chernin because it discloses that “both the selective restriction of access to the one or more cryptographic keys and the selective activation of decryption can be used to stop the ongoing threat from accessing the encrypted information in the database (Mir, Para [0007])”.
Stute further discloses:
“authenticate the report based on the confirmed correspondence (Stute, Para [0081]: In step 508, SDM 218 could verify the source of the data received in step 502. For example, SDM 218 could check the corresponding network data packets on a detection and prevention module (DPM) such as, for example, external DPM 208, internal DPM 212, and TCB DPM 222 shown in FIG. 2, to find if there is network traffic coming in or out from that source. If so, SDM 218 could upgrade each identified source or DPM with the appropriate threat points associated with the vulnerability data …); and
in response to the authentication of the report, update the security event database to associate the report with the identified group (Stute Para [0082-0084]: …  In step 510, method 500 could continue by having SDM 218 check sources of network data packets for any hostile activity. If so, SDM 218 could upgrade the source with the appropriate threat points associated with the vulnerability data … In step 512, method 500 could continue by having SDM 218 check system ports for any hostile activity. If so, SDM 218 could upgrade the system ports with the appropriate threat points associated with the vulnerability data … In step 514, method 500 could check if there are any vendor threats present. If so, SDM 218 could upgrade the system the appropriate threat points to reflect the vendor threats …).”
Pertinent Prior Art: The following prior art references, made of record and not relied upon, are considered pertinent to applicant's disclosure:
PAT US 9825989 B1 (Mehra et al.): Mehra discloses an early warning system and method for generating an alert regarding a potential attack on a client device, based on real-time analysis. The early warning system and method generally comprise receiving data associated with an attack alert, wherein the attack alert corresponds to an electrical signal that indicates detection of a malware attack from a remote source. The received data is analyzed using an attack-specific engine that is configured to generate an attack-specific result. An attack value is computed based on the attack-specific result and a consideration of potential attack targets, wherein the attack value is compared to a threshold value so as to determine whether or not to generate an early warning alert. An early warning alert is generated when the attack value matches or exceeds the threshold value.
According to one embodiment of the disclosure, network traffic is analyzed such that malicious network traffic is filtered and preferably prevented from executing, using a remote source. Herein, upon detection of potentially malicious network traffic, the remote source is configured to generate an “attack alert” that is communicated to the cyberattack early warning system, which comprises an input engine, an expert engine, a correlation engine, and a reporting engine. When the attack alert is received by the cyberattack early warning system, the attack alert is analyzed and classified. For example, the attack alert may correspond to any of various malware attack types, including without limitation Advanced Persistent Threats (APT), Point-Of-Sales attacks (POS), Crimeware attacks, and the like.
Once the attack alert is classified, an attack-specific engine is configured to provide further in-depth analysis of the attack alert, including the application of a plurality of analysis mechanisms, such as various algorithms and/or models specific to the type of malware attack. It is contemplated that the attack-specific engine may also analyze elements of past attacks and related data. The results of these various analyses are correlated to compute an “attack value” so that probable attack targets may be notified. For example, probable attack targets may include companies or individuals in the same industry, geographic region, and capacity, for example, without limitation. If the determined attack value matches or exceeds a predetermined threshold value, then an early warning alert is provided to probable targets of a malware attack. If the attack value is less than the predetermined threshold, then the early warning alert is not generated.
PGPUB US 20160127407 A1 (Mankovskii et al.): Mankovskii discloses that determining potential harm associated with a network endpoint external to an enterprise includes receiving information about a network-based communication by a resource of the enterprise directed to the network endpoint external to the enterprise, and calculating a plurality of individual scores related to a risk associated with the network-based communication, wherein each individual score corresponds to a different category of risk. The determination also includes receiving data specifying a policy related to rules defined by the enterprise regarding usage of cloud services; calculating a composite risk score related to the network-based communication, wherein the composite risk score is based on the individual scores and the policy; and notifying an entity of the enterprise about the composite risk score. The present disclosure relates to computer resource usage and, more specifically, to analyzing network traffic.
PGPUB US 20170032130 A1 (JOSEPH DURAIRAJ et al.): This reference discloses using trained classifiers to detect an anomaly in input events, and generating a predictive attack graph based on the detected anomaly in the input events. The predictive attack graph may provide an indication of different paths that can be taken from an asset that is related to the detected anomaly to compromise other selected assets in a network of the asset, and the other selected assets may be selected based on a ranking criterion and a complexity criterion. A rank list and a complexity list may be generated. The rank list, the complexity list, a depth of the predictive attack graph, and a weighted value may be used to generate a score that provides an indication of a number of assets that can be compromised and a difficulty of exploiting vulnerabilities related to services of the assets that can be compromised.
Typical IDSs that are employed by organizations to prevent network related attacks are reactive in nature and do not make predictions about the near future. The aspect of pre-cognition with respect to the apparatus and method disclosed herein may pertain to the prediction of an anomaly and the prediction of a number of assets that can be compromised in the future by the anomalous event, and a difficulty of exploiting vulnerabilities related to services of the assets that can be compromised in the future. Assets may include any network components that may be subject to unauthorized access (e.g., by an unauthorized user, a virus, etc.) or authorized access (e.g., by an authorized user, during normal activity, etc.). SIEM may generally represent software (i.e., machine readable instructions) and products/services that combine security information management (SIM) and security event management (SEM).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHABUB S AHMED whose telephone number is (571)272-0364.  The examiner can normally be reached 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MAHABUB S AHMED/Examiner, Art Unit 2434

/DANT B SHAIFER HARRIMAN/Primary Examiner, Art Unit 2434