DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Double Patenting
1. The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claim 1 is rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 10,091,217. Although the claims at issue are not identical, they are not patentably distinct from each other because claim 1 is generic to all that is recited in claim 1 of U.S. Patent No. 10,091,217. That is, claim 1 of U.S. Patent No. 10,091,217 falls entirely within the scope of claim 1 or, in other words, claim 1 is anticipated by claim 1 of U.S. Patent No. 10,091,217.

Claim 1 of the Instant Application:
A method for use in monitoring data generated by one or more data systems, the method comprising:
receiving, at a processor over at least one communications network, data generated by one or more data systems;
operating the processor to parse from a data field of the data at least one of an origin host identifier associated with an origin host component responsible for initiating an occurrence on the one or more data systems and an impacted host identifier associated with an impacted host component that is affected by an occurrence on the one or more data systems;
determining, by the processor, that the at least one of the origin host identifier and impacted host identifier cannot be used to obtain a previously-configured relative risk or threat level for the origin host component or impacted host component from a database of known hosts and corresponding previously-configured relative risk or threat levels;
obtaining, by the processor, a substitute relative risk or threat level for the origin host component or impacted host component using the at least one of the origin host identifier and impacted host identifier, wherein the obtaining includes using the at least one of the origin host identifier and impacted host identifier to obtain at least one default threat level for the origin host component or impacted host component, wherein the substitute relative risk or threat level is the at least one default risk or threat level, wherein the at least one default risk or threat level is one or more first default threat levels when the at least one of the origin host identifier and impacted host identifier is the origin host identifier, and wherein the at least one default risk or threat level is one or more second default risk levels when the at least one of the origin host identifier and impacted host identifier is the impacted host identifier;
inferring, by the processor, whether the at least one of the origin host identifier and impacted host identifier identifies an internal host or an external host, wherein the inferring includes obtaining a heading of the data field and determining that the at least one of the origin host identifier and impacted host identifier identifies an internal host or an external host based on the obtained heading, wherein the at least one default risk or threat level is obtained based on a result of the inferring, wherein the one or more first default threat levels includes an external host default threat level for when the origin host component is inferred to be an external host and an internal host default threat level for when the origin host component is inferred to be an internal host, and wherein the one or more second default risk levels includes an external host default threat level for when the impacted host component is inferred to be an external host and an internal host default threat level for when the impacted host component is inferred to be an internal host; and
generating, with the processor, a risk based priority score for the data with the substitute relative risk or threat level.

Claim 1 of U.S. Patent No. 10,091,217:
A method for use in monitoring data generated by one or more data systems, the method comprising:
receiving, at a processor over at least one communications network, data generated by one or more data systems;
operating the processor to parse from a data field of the data at least one of an origin host identifier associated with an origin host component responsible for initiating an occurrence on the one or more data systems and an impacted host identifier associated with an impacted host component that is affected by an occurrence on the one or more data systems;
determining, by the processor, that the at least one of the origin host identifier and impacted host identifier cannot be used to obtain a previously-configured relative risk or threat level for the origin host component or impacted host component from a database of known hosts and corresponding previously-configured relative risk or threat levels;
obtaining, by the processor, a substitute relative risk or threat level for the origin host component or impacted host component using the at least one of the origin host identifier and impacted host identifier, wherein the obtaining includes using the at least one of the origin host identifier and impacted host identifier to obtain at least one default threat level for the origin host component or impacted host component, wherein the substitute relative risk or threat level is the at least one default risk or threat level, wherein the at least one default risk or threat level is one or more first default threat levels when the at least one of the origin host identifier and impacted host identifier is the origin host identifier, and wherein the at least one default risk or threat level is one or more second default risk levels when the at least one of the origin host identifier and impacted host identifier is the impacted host identifier,
inferring, by the processor, whether the at least one of the origin host identifier and impacted host identifier identifies an internal host or an external host, wherein the inferring includes obtaining a heading of the data field and determining that the at least one of the origin host identifier and impacted host identifier identifies an internal host or an external host based on the obtained heading, wherein the at least one default risk or threat level is obtained based on a result of the inferring, wherein the one or more first default threat levels includes an external host default threat level for when the origin host component is inferred to be an external host and an internal host default threat level for when the origin host component is inferred to be an internal host, and wherein the one or more second default risk levels includes an external host default threat level for when the impacted host component is inferred to be an external host and an internal host default threat level for when the impacted host component is inferred to be an internal host; and
generating, with the processor, a risk based priority score for the data with the substitute relative risk or threat level.
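As an added illustration (not from the application, the cited patents, or the Examiner), the following Python models the claimed steps end to end: parsing origin and impacted host identifiers, the known-hosts lookup, the internal/external inference from the field heading, the choice between first (origin) and second (impacted) default levels, and the final priority score. The host database contents, heading names, default values, sample events and the scoring formula are all constructed assumptions.

```python
from dataclasses import dataclass

# Database of known hosts and their previously-configured relative risk levels
# (0.0 = benign, 1.0 = critical). Constructed sample data, not from the patent.
KNOWN_HOSTS = {
    "10.0.0.5": 0.2,       # internal file server, low configured risk
    "203.0.113.9": 0.9,    # external address with a high configured risk
}

# "First" default threat levels: used when the identifier is an origin host.
ORIGIN_DEFAULTS = {"external": 0.8, "internal": 0.4}
# "Second" default risk levels: used when the identifier is an impacted host.
IMPACTED_DEFAULTS = {"external": 0.3, "internal": 0.7}

# Field headings that mark a host as internal or external (assumed naming).
INTERNAL_HEADINGS = {"src_internal", "dst_internal"}
EXTERNAL_HEADINGS = {"src_external", "dst_external"}


@dataclass
class Event:
    fields: dict      # heading -> value, e.g. {"src_external": "198.51.100.7"}
    severity: float   # 0..1 weight of the occurrence itself (constructed)


def parse_host_identifiers(event):
    """Parse the origin ("src_*") and impacted ("dst_*") host identifiers.

    Returns a (heading, identifier) pair or None for each of the two hosts.
    """
    origin = impacted = None
    for heading, value in event.fields.items():
        if heading.startswith("src_"):
            origin = (heading, value)
        elif heading.startswith("dst_"):
            impacted = (heading, value)
    return origin, impacted


def infer_locality(heading):
    """Infer internal vs. external solely from the heading of the data field."""
    if heading in INTERNAL_HEADINGS:
        return "internal"
    if heading in EXTERNAL_HEADINGS:
        return "external"
    raise ValueError(f"heading {heading!r} carries no locality information")


def resolve_risk_level(heading, host_id, role):
    """Return (level, provenance) for one host.

    A previously-configured level from the known-hosts database wins. If the
    identifier cannot be used to obtain one, the substitute is a default chosen
    by role (origin -> first defaults, impacted -> second defaults) and by the
    locality inferred from the heading.
    """
    configured = KNOWN_HOSTS.get(host_id)
    if configured is not None:
        return configured, "configured"
    locality = infer_locality(heading)
    defaults = ORIGIN_DEFAULTS if role == "origin" else IMPACTED_DEFAULTS
    return defaults[locality], f"default:{role}:{locality}"


def priority_score(event):
    """Generate a risk based priority score (0..100) for the event.

    Assumed formula: severity times the higher of the two resolved host levels.
    Returns (score, {role: (level, provenance)}) so the substitute is visible.
    """
    origin, impacted = parse_host_identifiers(event)
    levels = {}
    if origin is not None:
        levels["origin"] = resolve_risk_level(origin[0], origin[1], "origin")
    if impacted is not None:
        levels["impacted"] = resolve_risk_level(impacted[0], impacted[1], "impacted")
    if not levels:
        raise ValueError("event carries no host identifier")
    worst = max(level for level, _ in levels.values())
    return round(100 * event.severity * worst, 1), levels


# Constructed sample events.
# 1: an unknown external origin host reaches a known internal server.
EVENT_EXTERNAL_ORIGIN = Event(
    {"src_external": "198.51.100.7", "dst_internal": "10.0.0.5"}, severity=0.5)
# 2: an unknown internal host connects out to an unknown external host.
EVENT_INTERNAL_ORIGIN = Event(
    {"src_internal": "10.0.0.77", "dst_external": "192.0.2.44"}, severity=0.75)

if __name__ == "__main__":
    for ev in (EVENT_EXTERNAL_ORIGIN, EVENT_INTERNAL_ORIGIN):
        print(priority_score(ev))
```

In event 1 only the origin host falls back to a default (first defaults, external), while the impacted host keeps its configured level; in event 2 both hosts are unknown and each receives the default of its own role and locality.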


Similarly, the following claims are rejected on the ground of nonstatutory double patenting as being unpatentable over the following corresponding claims of U.S. Patent No. 10,091,217.
Claims of the Instant Application    Claims of U.S. Patent No. 10,091,217
1                                    1
2                                    2
4                                    3
5                                    4
6                                    5
7                                    6
11                                   7
12                                   8


2. A rejection based on double patenting of the “same invention” type finds its support in the language of 35 U.S.C. 101 which states that “whoever invents or discovers any new and useful process... may obtain a patent therefor...” (Emphasis added). Thus, the term “same invention,” in this context, means an invention drawn to identical subject matter. See Miller v. Eagle Mfg. Co., 151 U.S. 186 (1894); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Ockert, 245 F.2d 467, 114 USPQ 330 (CCPA 1957).
A statutory type (35 U.S.C. 101) double patenting rejection can be overcome by canceling or amending the claims that are directed to the same invention so they are no longer coextensive in scope. The filing of a terminal disclaimer cannot overcome a double patenting rejection based upon 35 U.S.C. 101.
Claim 1 is rejected under 35 U.S.C. 101 as claiming the same invention as that of claim 1 of prior U.S. Patent No. 10,673,868. This is a statutory double patenting rejection.

Claim 1 of the Instant Application:
A method for use in monitoring data generated by one or more data systems, the method comprising:
receiving, at a processor over at least one communications network, data generated by one or more data systems;
operating the processor to parse from a data field of the data at least one of an origin host identifier associated with an origin host component responsible for initiating an occurrence on the one or more data systems and an impacted host identifier associated with an impacted host component that is affected by an occurrence on the one or more data systems;
determining, by the processor, that the at least one of the origin host identifier and impacted host identifier cannot be used to obtain a previously-configured relative risk or threat level for the origin host component or impacted host component from a database of known hosts and corresponding previously-configured relative risk or threat levels;
obtaining, by the processor, a substitute relative risk or threat level for the origin host component or impacted host component using the at least one of the origin host identifier and impacted host identifier, wherein the obtaining includes using the at least one of the origin host identifier and impacted host identifier to obtain at least one default threat level for the origin host component or impacted host component, wherein the substitute relative risk or threat level is the at least one default risk or threat level, wherein the at least one default risk or threat level is one or more first default threat levels when the at least one of the origin host identifier and impacted host identifier is the origin host identifier, and wherein the at least one default risk or threat level is one or more second default risk levels when the at least one of the origin host identifier and impacted host identifier is the impacted host identifier;
inferring, by the processor, whether the at least one of the origin host identifier and impacted host identifier identifies an internal host or an external host, wherein the inferring includes obtaining a heading of the data field and determining that the at least one of the origin host identifier and impacted host identifier identifies an internal host or an external host based on the obtained heading, wherein the at least one default risk or threat level is obtained based on a result of the inferring, wherein the one or more first default threat levels includes an external host default threat level for when the origin host component is inferred to be an external host and an internal host default threat level for when the origin host component is inferred to be an internal host, and wherein the one or more second default risk levels includes an external host default threat level for when the impacted host component is inferred to be an external host and an internal host default threat level for when the impacted host component is inferred to be an internal host; and
generating, with the processor, a risk based priority score for the data with the substitute relative risk or threat level.

Claim 1 of U.S. Patent No. 10,673,868:
A method for use in monitoring data generated by one or more data systems, the method comprising:
receiving, at a processor over at least one communications network, data generated by one or more data systems;
operating the processor to parse from a data field of the data at least one of an origin host identifier associated with an origin host component responsible for initiating an occurrence on the one or more data systems and an impacted host identifier associated with an impacted host component that is affected by an occurrence on the one or more data systems;
determining, by the processor, that the at least one of the origin host identifier and impacted host identifier cannot be used to obtain a previously-configured relative risk or threat level for the origin host component or impacted host component from a database of known hosts and corresponding previously-configured relative risk or threat levels;
obtaining, by the processor, a substitute relative risk or threat level for the origin host component or impacted host component using the at least one of the origin host identifier and impacted host identifier, wherein the obtaining includes using the at least one of the origin host identifier and impacted host identifier to obtain at least one default threat level for the origin host component or impacted host component, wherein the substitute relative risk or threat level is the at least one default risk or threat level, wherein the at least one default risk or threat level is one or more first default threat levels when the at least one of the origin host identifier and impacted host identifier is the origin host identifier, and wherein the at least one default risk or threat level is one or more second default risk levels when the at least one of the origin host identifier and impacted host identifier is the impacted host identifier,
inferring, by the processor, whether the at least one of the origin host identifier and impacted host identifier identifies an internal host or an external host, wherein the inferring includes obtaining a heading of the data field and determining that the at least one of the origin host identifier and impacted host identifier identifies an internal host or an external host based on the obtained heading, wherein the at least one default risk or threat level is obtained based on a result of the inferring, wherein the one or more first default threat levels includes an external host default threat level for when the origin host component is inferred to be an external host and an internal host default threat level for when the origin host component is inferred to be an internal host, and wherein the one or more second default risk levels includes an external host default threat level for when the impacted host component is inferred to be an external host and an internal host default threat level for when the impacted host component is inferred to be an internal host; and
generating, with the processor, a risk based priority score for the data with the substitute relative risk or threat level.


Similarly, the following claims are rejected on the ground of nonstatutory double patenting as being unpatentable over the following corresponding claims of U.S. Patent No. 10,673,868.
Claims of the Instant Application    Claims of U.S. Patent No. 10,673,868
1                                    1
2                                    2
3                                    3
4                                    4
5                                    5
6                                    6
7                                    7
8                                    8
9                                    9
10                                   10
11                                   11
12                                   12


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 12 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
Claim 12 recites the limitation "the using". There is insufficient antecedent basis for this limitation in the claim.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 5, 6, 11 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Church (US Pub. No. 20070169194), further in view of Martin (US 9,300,679), and further in view of Farley (US Pub. No. 2006/0265746).

Regarding claim 1, Church teaches a method for use in monitoring data generated by one or more data systems, the method comprising: 
receiving, at a processor (Expert system servers 137, see Fig. 1 and [0050]. And see [0051]: “FIG. 2 is a diagrammatic representation of a security expert system (SES) 200 capable of providing automated analysis of incoming security events and generating threat rating accordingly”) over at least one communications network (internet 103, see Fig. 1 and [0045]: “Data collected by an IDS sensor (e.g., target host responses to an internal broadcast) can be transmitted through an encrypted connection of the Internet 103 to a receiving end (e.g., receiving servers 130) at SES server network 101”), data generated by one or more data systems (see [0044] and Fig. 1: “Client network 102 comprises a plurality of internal networks. Each client internal network can have a plurality of network resources (e.g., computers, printers, server machines, etc.”) and each client internal network is connected to a client firewall 104 via a network switch (e.g., 112, 114, 116)”. And see [0045]: “all internal network traffic through a switch can be mirrored to an IDS sensor connected thereto (e.g., using a passive mode)”. And see [0047] and Fig. 1: “One function of receiving servers 130 is to receive data (e.g., events) transmitted by any of the IDS sensors located at client network 102”. And see [0056] and Fig. 1: “embodiments of the invention can process and analyze an event originating from either a signature-based or anomaly-based detection engine (e.g., IDS sensors 122, 124, 126). In one embodiment, the term "event" refers to a network packet”. The Examiner interprets “data (e.g., events)”, which refers to network packets generated by the “network resources” in client network 102 and received by security expert system SES server network 101 as “data generated by one or more data systems” received “at a processing platform”);
operating the processor to parse from a data field of the data (see [0052]: “SES 200 implements an expert system 201 programmed with computer-executable instructions to process and analyze an event 203 according to expert rules from knowledge base 202 and data from a central database (e.g., historical data 205 stored at database servers 131)”) at least one of an origin host identifier associated with an origin host component responsible for initiating an occurrence on the one or more data systems (see [0084]: “An attacker may be identified by the source address (e.g., an IP address, user ID, MAC address, etc. from where the attack is originated.)”) and an impacted host component that is affected by an occurrence on the one or more data systems (see [0065] and Fig. 4: “Target Exposure Analysis 409 can determine how likely a target (e.g., a machine) will be attacked and how likely it will be successfully attacked by an attacker”. The Examiner interprets the target analyzed in Target Exposure Analysis 409 as “an impacted host component that is affected by an occurrence on the one or more data systems” parsed “from the data”); 
determining, by the processor, that the impacted host cannot be used to obtain a previously-configured relative risk or threat level for the impacted host component from a database (database servers 131 and central database 302, see Fig. 1, [0052] and Fig. 3, [0058]) of known hosts and corresponding previously-configured relative risk or threat levels (see [0080] and Fig. 6: “At step 602, Target Exposure flow 600 operates to determine whether the target host is known to the system (e.g., expert system 301 if no information is known about the target host (e.g., the system has not scanned client network 102), rather than assuming that the attack has no impact, or has the most serious impact, host exposure is set to a predetermined, default value (e.g., 50%).”); 
obtaining, by the processor, a substitute relative risk or threat level for the impacted host component (see [0080] and Fig. 6: “At step 602, Target Exposure flow 600 operates to determine whether the target host is known to the system (e.g., expert system 301 if no information is known about the target host (e.g., the system has not scanned client network 102), rather than assuming that the attack has no impact, or has the most serious impact, host exposure is set to a predetermined, default value (e.g., 50%)”. The Examiner interprets the default value, e.g., 50% as “a substitute relative risk or threat level for the impacted host component”),
Attorney Docket No.: 50259-00036; App. No. 15/187,947
wherein the obtaining includes using the impacted host to obtain at least one default threat level for the impacted host component, wherein the substitute relative risk or threat level is the at least one default risk or threat level (see [0080] and Fig. 6: “At step 602, Target Exposure flow 600 operates to determine whether the target host is known to the system (e.g., expert system 301 if no information is known about the target host (e.g., the system has not scanned client network 102), rather than assuming that the attack has no impact, or has the most serious impact, host exposure is set to a predetermined, default value (e.g., 50%).” The Examiner interprets the default value, e.g., 50% as “a substitute relative risk or threat level for the impacted host component”); and
generating, with the processor, a risk based priority score for the data with the substitute relative risk or threat level (see [0091]: “the final threat rating of an event is determined based on at least three factors or components: the attacker rating (e.g., AttackerRating), the vulnerability of the target host (e.g., TargetRating), and the validity of the attack (e.g., ValidRating)”. And see [0083] and Fig. 6, step 603, “At step 607, the final host exposure (e.g., TargetRating)”. Church teaches in [0080] and [0091] that “if no information is known about the target host”, the “final threat rating of an event” is generated with the TargetRating/”final host exposure” of a default value (e.g., 50%), which is “the substitute relative risk or threat level”.
The Examiner interprets “the final threat rating of an event” as “a risk based priority score for the data” because Church teaches in [0028] that the final threat rating is used to prioritize alarms: “embodiments of the ISES disclosed herein can provide the best possible answer and a confidence score (e.g., a threat rating), substantially reducing or eliminating false positive results and producing more efficient and effective alarms (e.g., only alarms on security threats that have a high probability of success)”).

Church does not explicitly teach that the impacted host component is associated with an impacted host identifier. 
However, Church teaches that the origin host component is associated with an origin host identifier (see [0084]: “An attacker may be identified by the source address (e.g., an IP address, user ID, MAC address, etc. from where the attack is originated.)”). 
Both the impacted host component and the origin host component taught by Church are computer hosts. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to associate the impacted host component taught by Church with an identifier, as taught by Church regarding the origin host component. It would have been obvious because doing so predictably achieves the commonly understood benefit of uniquely identifying the impacted host component. When the above modification is made, Church would teach “operating the processor to parse from the data at least one of an origin host identifier associated with an origin host component responsible for initiating an occurrence on the one or more data systems and an impacted host identifier associated with an impacted host component that is affected by an occurrence on the one or more data systems; 
determining, by the processor, that the impacted host identifier cannot be used to obtain a previously-configured relative risk or threat level for the impacted host component from a database of known hosts and corresponding previously-configured relative risk or threat levels; 
obtaining, by the processing platform, a substitute relative risk or threat level for the impacted host component using the impacted host identifier, wherein the obtaining includes using the impacted host identifier to obtain at least one default threat level for the impacted host component, wherein the substitute relative risk or threat level is the at least one default risk or threat level”.

Church does not explicitly teach wherein the at least one default risk or threat level is one or more first default threat levels when the at least one of the origin host identifier and impacted host identifier is the origin host identifier, and wherein the at least one default risk or threat level is one or more second default risk levels when the at least one of the origin host identifier and impacted host identifier is the impacted host identifier.
In the same field of endeavor, Martin teaches wherein the at least one risk or threat level is one or more first threat levels when the at least one of the origin host identifier and impacted host identifier is the origin host identifier, and wherein the at least one risk or threat level is one or more second risk levels when the at least one of the origin host identifier and impacted host identifier is the impacted host identifier (see claim 13: “The system of claim 1, wherein the processing circuit is configured and arranged to determine the threat level as a function of a direction of the data transactions, wherein the threat level as the function of the direction of the data transactions includes a higher threat level for a download of data than a threat level for an upload of data and a higher threat level for an outgoing call than a threat level for an incoming call”. And see claim 1: “A system, comprising: one or more VoIP servers, each configured and arranged to provide respective VoIP services to remote users; and a processing circuit communicatively-coupled to the one or more VoIP servers and configured and arranged to: monitor data transactions of at least one server, of the one or more VoIP servers, that is associated with a user account, the user account having a security policy; … determine a threat level as a function of one or more characteristics of the data transactions, …; and in response to the threat level exceeding a first threshold level indicated in the security policy of the user account, send a notification to an authorized user of the user account”. 
The Examiner interprets “wherein the threat level as the function of the direction of the data transactions includes a higher threat level for a download of data than a threat level for an upload of data” as “wherein the at least one risk or threat level is one or more first threat levels when the at least one of the origin host identifier and impacted host identifier is the origin host identifier, and wherein the at least one risk or threat level is one or more second risk levels when the at least one of the origin host identifier and impacted host identifier is the impacted host identifier” for the following reason: for a download of data, “the at least one of the origin host identifier and impacted host identifier is the impacted host identifier”. For an upload of data, “the at least one of the origin host identifier and impacted host identifier is the origin host identifier”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to let the at least one default risk or threat level taught by Church be one or more first threat levels when the at least one of the origin host identifier and impacted host identifier is the origin host identifier, and be one or more second risk levels when the at least one of the origin host identifier and impacted host identifier is the impacted host identifier, as taught by Martin. It would have been obvious because Martin teaches that the threat level for a download of data is higher than the threat level for an upload of data and doing so would achieve the commonly understood benefit of making the substitute relative risk or threat level more accurate. When such a modification is made, Church modified in view of Martin would teach “wherein the at least one default risk or threat level is one or more first default threat levels when the at least one of the origin host identifier and impacted host identifier is the origin host identifier, and wherein the at least one default risk or threat level is one or more second default risk levels when the at least one of the origin host identifier and impacted host identifier is the impacted host identifier”.

Church modified in view of Martin fails to teach “inferring, by the processor, whether the at least one of the origin host identifier and impacted host identifier identifies an internal host or an external host, wherein the inferring includes obtaining a heading of the data field and determining that the at least one of the origin host identifier and impacted host identifier identifies an internal host or an external host based on the obtained heading, wherein the at least one default risk or threat level is obtained based on a result of the inferring, wherein the one or more first default threat levels includes an external host default threat level for when the origin host component is inferred to be an external host and an internal host default threat level for when the origin host component is inferred to be an internal host, and wherein the one or more second default risk levels includes an external host default threat level for when the impacted host component is inferred to be an external host and an internal host default threat level for when the impacted host component is inferred to be an internal host”.
In the same field of endeavor, Farley teaches inferring, by the processor, whether the at least one of the origin host identifier and impacted host identifier identifies an internal host or an external host (see [0175] and Fig. 12: “In decision step 1220, it is determined whether the source zone and destination zone of the current raw event being processed are both internal relative to the network or computer being monitored by the fusion engine 22”), wherein the inferring includes obtaining a heading of the data field and determining that the at least one of the origin host identifier and impacted host identifier identifies an internal host or an external host based on the obtained heading (see [0175] and Fig. 12: “In decision step 1220, it is determined whether the source zone and destination zone of the current raw event being processed are both internal relative to the network or computer being monitored by the fusion engine 22. This determination is made by examining the values of the source zone parameter 508 and destination zone parameter 510 of the raw event assigned by steps 1020 and 1025, respectively, of routine 730 shown in FIG. 10”. And see [0154] and Figs. 5B, 5C and 10: “In step 1020, a source zone 508 value is assigned to each raw event based upon the source internet protocol address of the raw event and a comparison with the context database 630. In step 1025, a destination zone 510 value is assigned to each raw event based upon the destination internet protocol address of each raw event and a comparison with the context database 630”. 
Because a source internet protocol address and a destination internet protocol address of each raw event are contained in a heading of an IP packet data, the Examiner interprets determining “whether the source zone and destination zone of the current raw event being processed are both internal relative to the network or computer being monitored” by “examining the values of the source zone parameter 508 and destination zone parameter 510 of the raw event”, which are further based upon the source internet protocol address of the raw event and the destination internet protocol address of each raw event, as “wherein the inferring includes obtaining a heading of the data field and determining that the at least one of the origin host identifier and impacted host identifier identifies an internal host or an external host based on the obtained heading”), 
wherein the at least one risk or threat level is obtained based on a result of the inferring (see [0175]: “In decision step 1220, it is determined whether the source zone and destination zone of the current raw event being processed are both internal relative to the network or computer being monitored by the fusion engine 22. This determination is made by examining the values of the source zone parameter 508 and destination zone parameter 510 of the raw event assigned by steps 1020 and 1025, respectively, of routine 730 shown in FIG. 10. For many event types, raw events classified as being internal are less of a threat to a network of computers being monitored compared to an event that may be external to a network or computer being monitored by the fusion engine 22”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to let the method of Church modified in view of Martin include the step of inferring, by the processor, whether the at least one of the origin host identifier and impacted host identifier identifies an internal host or an external host, wherein the inferring includes obtaining a heading of the data field and determining that the at least one of the origin host identifier and impacted host identifier identifies an internal host or an external host based on the obtained heading, wherein the at least one risk or threat level is obtained based on a result of the inferring, taught by Farley. It would have been obvious because Farley explicitly teaches that “raw events classified as being internal are less of a threat to a network of computers being monitored compared to an event that may be external to a network or computer being monitored” and doing so would achieve the commonly understood benefit of making the risk based priority score generated by the method of Church modified in view of Martin more accurate by taking into account the fact that an event associated with an external host is usually more risky than an event associated with an internal host. 
When the above modification is made, Church modified in view of Martin and Farley would teach “inferring, by the processor, whether the at least one of the origin host identifier and impacted host identifier identifies an internal host or an external host, wherein the inferring includes obtaining a heading of the data field and determining that the at least one of the origin host identifier and impacted host identifier identifies an internal host or an external host based on the obtained heading, wherein the at least one default risk or threat level is obtained based on a result of the inferring, wherein the one or more first [taught by Martin] default threat levels includes an external host default threat level for when the origin host component is inferred to be an external host and an internal host default threat level for when the origin host component is inferred to be an internal host [taught by Farley], and wherein the one or more second [taught by Martin] default risk levels includes an external host default threat level for when the impacted host component is inferred to be an external host and an internal host default threat level for when the impacted host component is inferred to be an internal host [taught by Farley]”.

Regarding claim 2, Church further teaches writing the risk based priority score to a field in the data (see [0068] and Fig. 4: “At step 413, a final threat score (i.e., threat rating) can be determined. … Referring back to FIG. 4, setting a threat score at step 413 may optionally trigger one or more steps to be taken. …Alternatively, based on the result of the processing that has been performed so far to analyze a particular event, an incident pertaining to the event may be automatically built or created at step 415. The building of the incident having a certain event type, host type, and/or level of severity (i.e., threat score) may also trigger a defensive action to be automatically taken at step 414”. The Examiner interprets building an incident having level of severity (i.e., threat score) as “writing the risk based priority score to a field in the data”).

Regarding claim 5, Church modified in view of Martin fails to teach determining, by the processor, whether the at least one of the origin host identifier and impacted host identifier identifies a known host that is configured as an internal host or an external host, wherein the inferring includes inferring that the at least one of the origin host identifier and impacted host identifier identifies an internal host when the at least one of the origin host identifier and impacted host identifier identifies a known host that is configured as an internal host, and wherein the inferring includes inferring that the at least one of the origin host identifier and impacted host identifier identifies an external host when the at least one of the origin host identifier and impacted host identifier identifies a known host that is configured as an external host.
However, Farley teaches determining, by the processor, whether the at least one of the origin host identifier and impacted host identifier identifies a known host that is configured as an internal host or an external host, wherein the inferring includes inferring that the at least one of the origin host identifier and impacted host identifier identifies an internal host when the at least one of the origin host identifier and impacted host identifier identifies a known host that is configured as an internal host, and wherein the inferring includes inferring that the at least one of the origin host identifier and impacted host identifier identifies an external host when the at least one of the origin host identifier and impacted host identifier identifies a known host that is configured as an external host (see [0175]: “In decision step 1220, it is determined whether the source zone and destination zone of the current raw event being processed are both internal relative to the network or computer being monitored by the fusion engine 22. This determination is made by examining the values of the source zone parameter 508 and destination zone parameter 510 of the raw event assigned by steps 1020 and 1025, respectively, of routine 730 shown in FIG. 10. For many event types, raw events classified as being internal are less of a threat to a network of computers being monitored compared to an event that may be external to a network or computer being monitored by the fusion engine 22”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to add to the method of Church modified in view of Martin the step of “determining, by the processing engine, whether the at least one of the origin host identifier and impacted host identifier identifies a known host that is configured as an internal host or an external host, wherein the inferring includes inferring that the at least one of the origin host   identifier and impacted host identifier identifies an internal host when the at least one of the origin host identifier and impacted host identifier identifies a known host that is configured as an internal host, and wherein the inferring includes inferring that the at least one of the origin host identifier and impacted host identifier identifies an external host when the at least one of the origin host identifier and impacted host identifier identifies a known host that is configured as an external host” taught by Farley. It would have been obvious because doing so achieves the commonly understood benefit of making the risk based priority score generated by the method of Church modified in view of Martin more accurate by taking into account the fact that an event associated with an external host is usually more risky than an event associated with an internal host.

Regarding claim 6, Church modified in view of Martin fails to teach determining, by the processor, whether the at least one of the origin host identifier and impacted host identifier is resident within at least one network range that is configured as an internal network or an external network, wherein the inferring includes inferring that the at least one of the origin host identifier and impacted host identifier identifies an internal host when the at least one of the origin host identifier and impacted host identifier is resident within at least one network range that is configured as an internal network, and wherein the inferring includes inferring that the at least one of the origin host identifier and impacted host identifier identifies an external host when the at least one of the origin host identifier and impacted host identifier is resident within at least one network range that is configured as an external network.
However, Farley teaches determining, by the processor, whether the at least one of the origin host identifier and impacted host identifier is resident within at least one network range that is configured as an internal network or an external network, wherein the inferring includes inferring that the at least one of the origin host identifier and impacted host identifier identifies an internal host when the at least one of the origin host identifier and impacted host identifier is resident within at least one network range that is configured as an internal network, and wherein the inferring includes inferring that the at least one of the origin host identifier and impacted host identifier identifies an external host when the at least one of the origin host identifier and impacted host identifier is resident within at least one network range that is configured as an external network (see [0175]: “In decision step 1220, it is determined whether the source zone and destination zone of the current raw event being processed are both internal relative to the network or computer being monitored by the fusion engine 22. This determination is made by examining the values of the source zone parameter 508 and destination zone parameter 510 of the raw event assigned by steps 1020 and 1025, respectively, of routine 730 shown in FIG. 10”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to add to the method of Church modified in view of Martin the step of “determining, by the processor, whether the at least one of the origin host identifier and impacted host identifier is resident within at least one network range that is configured as an internal network or an external network, wherein the inferring includes inferring that the at least one of the origin host identifier and impacted host identifier identifies an internal host when the at least one of the origin host identifier and impacted host identifier is resident within at least one network range that is configured as an internal network, and wherein the inferring includes inferring that the at least one of the origin host identifier and impacted host identifier identifies an external host when the at least one of the origin host identifier and impacted host identifier is resident within at least one network range that is configured as an external network” taught by Farley. It would have been obvious because doing so achieves the commonly understood benefit of making the risk based priority score generated by the method of Church modified in view of Martin more accurate by taking into account the fact that an event associated with an external host is usually more risky than an event associated with an internal host.

Regarding claim 11, Church further teaches obtaining, by the processor, a risk rating assigned to a classification of the data determined by a processing rule used to process the data, wherein the generating includes generating the risk based priority score with classification risk rating (see [0064] and Fig. 4: “Attack Validation 408 can determine whether an attack is an actual attack, what is the likelihood of success for the attack, whether the target host is vulnerable to the attack, and whether the attack actually succeeded by examining post-attack communications between the target host and the attacker. According to one embodiment of the invention, Attack Validation 408 can generate a validation rating (e.g., "ValidRating")”. And see [0077]: “the validity of an event is rated based on the event's class rating and the vulnerability of a target host to an attack associated with the event”. The Examiner interprets validation rating as “classification risk rating”).

Regarding claim 12, Church further teaches wherein the using includes: allowing, by the processor, one of the classification risk rating and the substitute relative risk or threat level to influence generation of the risk based priority score more than the other of the risk rating and the relative risk or threat level (see [0091]: “the final threat rating of an event is determined based on at least three factors or components: the attacker rating (e.g., AttackerRating), the vulnerability of the target host (e.g., TargetRating), and the validity of the attack (e.g., ValidRating). Optionally, the threat rating can be negated with a user-define value (e.g., NegativeRating). In one embodiment, Threat rating=(AttackerRating*w.sub.attacker)+(TargetRating*w.sub.target)+(ValidRating*w.sub.validation)-NegativeRating, where w.sub.attacker, w.sub.target, and w.sub.validation are user-configurable weights or modifiers, which can be any user-defined numbers (e.g., between 0 and 1, 1, 123, etc.)”. And see [0093]: “w.sub.validation=0.4, w.sub.attacker=0.2”. When the validation rating weight 0.4 is higher than the attacker rating weight 0.2, Church teaches “allowing, by the processor, one of the classification risk rating and the substitute relative risk or threat level to influence generation of the risk based priority score more than the other of the risk rating and the relative risk or threat level”).
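The following is an added illustration of the weighted combination quoted from Church [0091] and [0093]; it is not code from Church, from any other cited reference, or from the application under examination. The weights w.sub.validation=0.4 and w.sub.attacker=0.2 are the values quoted above; the target weight, the NegativeRating value and the component ratings are assumptions made here so that the example runs and shows why the component with the larger weight influences the final rating more.

```python
"""Weighted threat-rating combination of the form quoted from Church [0091].

Added example, not code from Church or from the application under examination.
w_validation=0.4 and w_attacker=0.2 are the values quoted from [0093];
w_target and the NegativeRating value are assumptions made here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Weights:
    """User-configurable weights (w.sub.attacker, w.sub.target, w.sub.validation)."""
    attacker: float = 0.2     # quoted value from [0093]
    target: float = 0.4       # assumed value, not quoted in the office action
    validation: float = 0.4   # quoted value from [0093]


def threat_rating(attacker_rating: float, target_rating: float,
                  valid_rating: float, weights: Weights = Weights(),
                  negative_rating: float = 0.0) -> float:
    """Threat rating = Attacker*w_a + Target*w_t + Valid*w_v - NegativeRating."""
    return (attacker_rating * weights.attacker
            + target_rating * weights.target
            + valid_rating * weights.validation
            - negative_rating)


def component_influence(delta: float, weights: Weights = Weights()) -> dict:
    """How far the final rating moves when one component alone moves by `delta`.

    Because the combination is linear, each component's influence is just
    delta times its weight; the component with the larger weight dominates.
    """
    base = threat_rating(50, 50, 50, weights)
    return {
        "attacker": threat_rating(50 + delta, 50, 50, weights) - base,
        "target": threat_rating(50, 50 + delta, 50, weights) - base,
        "validation": threat_rating(50, 50, 50 + delta, weights) - base,
    }


def dominant_component(weights: Weights = Weights()) -> str:
    """Name of the component allowed to influence the rating the most."""
    candidates = {"attacker": weights.attacker, "target": weights.target,
                  "validation": weights.validation}
    return max(candidates, key=candidates.get)


if __name__ == "__main__":
    print(threat_rating(50, 50, 50))            # constructed ratings
    print(component_influence(10))              # validation moves 4, attacker 2
    print(dominant_component())
```

With the quoted weights, raising the validation rating by ten points moves the final rating by four points while the same change to the attacker rating moves it by only two, which is the sense in which one rating is allowed to influence the score more than the other.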

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Church (US Pub. No. 20070169194), further in view of Martin (US 9,300,679), further in view of Farley (US Pub. No. 2006/0265746), and further in view of Connary (US 2004/0044912).

Regarding claim 3, Church modified in view of Martin and Farley fails to teach wherein the obtaining includes: using the at least one of the origin host identifier and impacted host identifier to obtain a relative risk or threat level of a known network range within which the at least one of the origin host identifier and impacted host identifier is present, wherein the substitute relative risk or threat level is the relative risk or threat level of the known network range.
In the same field of endeavor, Connary teaches using the at least one of the origin host identifier and impacted host identifier to obtain a relative risk or threat level of a known network range within which the at least one of the origin host identifier and impacted host identifier is present, wherein the substitute relative risk or threat level is the relative risk or threat level of the known network range (see [0107]: “`src_nb_tw table[src_netblock]` is the threat weight associated with an IP address range of which the source IP address is a member. For example, blocks of IP address ranges that originate outside of the network may be more threatening then IP address blocks such as the 10.xxx.xxx.xxx which originate within the in which `10 is the most significant byte of the four byte IP address and `xxx` indicates that the associated value may be any value from 0-255.”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify the obtaining in Church modified in view of Martin and Farley so that it includes using the at least one of the origin host identifier and impacted host identifier to obtain a relative risk or threat level of a known network range within which the at least one of the origin host identifier and impacted host identifier is present, wherein the substitute relative risk or threat level is the relative risk or threat level of the known network range, as taught by Connary. It would have been obvious because doing so predictably obtains a risk value of the at least one of the origin host and impacted host.

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Church (US Pub. No. 20070169194), further in view of Martin (US 9,300,679), further in view of Farley (US Pub. No. 2006/0265746), and further in view of Bernoth (US 2008/0172347).

Regarding claim 4, Church modified in view of Martin and Farley fails to teach determining that the at least one of the origin host identifier and impacted host identifier cannot be used to obtain a relative risk or threat level of a known network range within which the at least one of the origin host identifier and impacted host identifier is present.
In the same field of endeavor, Bernoth teaches determining that the at least one of the origin host identifier and impacted host identifier cannot be used to obtain a relative risk or threat level of a known network range within which the at least one of the origin host identifier and impacted host identifier is present (see [0038] and Figs. 1, 3: “each network (e.g., network 104 or 106 of FIG. 1) that is accessible through the created firewall is rated in accordance with a type (i.e., zone) associated with the network, where the type is selected from of a plurality of predefined types. An example of such ratings of networks is shown in a table 300 of FIG. 3. Table 300 is a network definition table that stores risk values of different types used to classify source and destination networks in steps 206 and 208 of the process of FIGS. 2A-2B. Table 300 includes examples of risk values that can be assigned to each network to classify the network's zone…. If known attributes of a given network are insufficient to utilize the predefined criteria to determine a particular risk value for table 300, then the risk value in the row labeled "Default" is used in steps 206 and/or 208 in FIG. 2A”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to let the method of Church modified in view of Martin and Farley include the step of determining that the at least one of the origin host identifier and impacted host identifier cannot be used to obtain a relative risk or threat level of a known network range within which the at least one of the origin host identifier and impacted host identifier is present taught by Bernoth. It would have been obvious because doing so predictably achieves the “determining, by the processing platform, that the at least one of the origin host identifier and impacted host identifier cannot be used to obtain a previously-configured relative risk or threat level for the origin host component or impacted host component from a database of known hosts and corresponding previously-configured relative risk or threat levels” taught by Church.

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Church (US Pub. No. 20070169194), further in view of Martin (US 9,300,679), further in view of Farley (US Pub. No. 2006/0265746), and further in view of Jeong (US Pub. No. 2002/0024946).

Regarding claim 7, Church modified in view of Martin and Farley fails to teach determining whether the at least one of the origin host identifier and impacted host identifier is resident within at least one private network range, wherein the inferring includes inferring that the at least one of the origin host identifier and impacted host identifier identifies an internal host when the at least one of the origin host identifier and impacted host identifier is resident within at least one private network range, and wherein the inferring includes inferring that the at least one of the origin host identifier and impacted host identifier identifies an external host when the at least one of the origin host identifier and impacted host identifier is not resident within at least one private network range.
However, Jeong teaches that an internal host is resident within one private network range (see [0010]: “When an internal node having a private IP address uses an external server via the Internet, a gateway in the access node of the private network assigns external port value to the internal node and sends out a packet by using a Network Address Port Translation (NAPT)”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to let Church modified in view of Martin and Farley infer whether the at least one of the origin host identifier and impacted host identifier identifies an internal host or an external host by determining whether the host is resident within one private network range, as suggested by Jeong. It would have been obvious because doing so predictably determines whether the host is an internal host or an external host. When the above modification is made, Church modified in view of Martin, Farley and Jeong teaches “determining whether the at least one of the origin host identifier and impacted host identifier is resident within at least one private network range, wherein the inferring includes inferring that the at least one of the origin host identifier and impacted host identifier identifies an internal host when the at least one of the origin host identifier and impacted host identifier is resident within at least one private network range, and wherein the inferring includes inferring that the at least one of the origin host identifier and impacted host identifier identifies an external host when the at least one of the origin host identifier and impacted host identifier is not resident within at least one private network range”.
 
Claims 8 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Church (US Pub. No. 20070169194), further in view of Martin (US 9,300,679), further in view of Farley (US Pub. No. 2006/0265746), and further in view of Rankin (US Pub. No. 2017/0263092).

Regarding claim 8, Church modified in view of Martin and Farley fails to teach determining whether the at least one of the origin host identifier and impacted host identifier is resident within at least a first list of identifiers, wherein the first list of identifiers is assigned a first relative threat level, and wherein the default threat level is obtained based on a result of the whether the at least one of the origin host identifier and impacted host identifier is determined to be resident within the first list of identifiers.
However, Rankin teaches determining whether the at least one of the origin host identifier and impacted host identifier is resident within at least a first list of identifiers, wherein the first list of identifiers is assigned a first relative threat level, and wherein the default threat level is obtained based on a result of the whether the at least one of the origin host identifier and impacted host identifier is determined to be resident within the first list of identifiers (see [0038]: “the unknown device's identifier may be compared to one or more lists of device identifiers for association with an individual and, in turn, a threat level”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to let the method of Church modified in view of Martin and Farley include the step of determining whether the at least one of the origin host identifier and impacted host identifier is resident within at least a first list of identifiers, wherein the first list of identifiers is assigned a first relative threat level, taught by Rankin. It would have been obvious because doing so predictably enables the threat level of the origin host or the impacted host to be determined using the threat level of the list. When the above modification is made, Church modified in view of Martin, Farley and Rankin would teach “wherein the default threat level is obtained based on a result of the whether the at least one of the origin host identifier and impacted host identifier is determined to be resident within the first list of identifiers”.

Regarding claim 9, Church modified in view of Martin, Farley and Rankin further teaches wherein the at least one default threat level is the first relative threat level when the at least one of the origin host identifier and impacted host identifier is determined to be resident within the first list of identifiers (see Rankin [0038]: “the unknown device's identifier may be compared to one or more lists of device identifiers for association with an individual and, in turn, a threat level”).

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Church (US Pub. No. 20070169194), further in view of Martin (US 9,300,679), further in view of Farley (US Pub. No. 2006/0265746), further in view of Rankin (US Pub. No. 2017/0263092), and further in view of Official Notice.

Regarding claim 10, Church modified in view of Martin, Farley and Rankin fails to teach ascertaining that the at least one of the origin host identifier and impacted host identifier is resident within the first list of identifiers and within a second list of identifiers, wherein the second list of identifiers is assigned a second relative threat level different than the first relative threat level, and wherein the at least one default threat level is the one of the first and second relative threat levels that is more severe than the other of the first and second relative threat levels.
The Examiner takes Official Notice that it is a well-known technique to let a variable representing an adverse condition take a higher value of adversity when the variable can take two different values of adversity.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to let Church modified in view of Martin, Farley and Rankin ascertain that the at least one of the origin host identifier and impacted host identifier is resident within the first list of identifiers and within a second list of identifiers, wherein the second list of identifiers is assigned a second relative threat level different than the first relative threat level, and wherein the at least one default threat level is the one of the first and second relative threat levels that is more severe than the other of the first and second relative threat levels, as suggested by the Official Notice. It would have been obvious because doing so achieves the commonly understood benefit of erring on the side of caution by generating the risk based priority score using the worst scenario.
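The following is an added illustration of the default threat level selection discussed in the rejections of claims 1 and 5 through 10 above: the internal/external inference from addresses read from an event's header (claims 5, 6 and 7), the separate default levels for the origin host and the impacted host (claim 1), the rated identifier lists (claims 8 and 9), and the choice of the more severe of two list ratings (claim 10). It is not code from Church, Martin, Farley, Jeong, Rankin, or the application under examination. The known-host table, network ranges, list contents, level values and sample event records are all constructed for illustration.

```python
"""Default risk/threat level for a log event, combining the steps discussed
in the rejections above. Added example; not code from any cited reference
or from the application under examination. All configuration values and
sample events below are constructed.
"""
import ipaddress
from typing import Dict, FrozenSet, List, Optional, Tuple

Zone = str  # "internal" or "external"

# Constructed: hosts explicitly configured as internal or external (claim 5).
KNOWN_HOSTS: Dict[str, Zone] = {
    "198.51.100.20": "internal",   # e.g. a remote office host treated as internal
    "203.0.113.99": "external",    # e.g. a publicly reachable host in the org's range
}

# Constructed: network ranges configured as internal (claim 6).
INTERNAL_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# RFC 1918 private ranges, used for the private-range inference of claim 7.
# Checked explicitly rather than via ipaddress.is_private, which also counts
# loopback, link-local and documentation ranges and would be wider than
# "one private network range".
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed default levels, higher = more severe. Impacted-host (download
# direction) defaults sit above origin-host (upload direction) defaults, and
# external hosts sit above internal ones.
DEFAULT_LEVELS: Dict[Tuple[str, Zone], int] = {
    ("origin", "internal"): 1,
    ("origin", "external"): 3,
    ("impacted", "internal"): 2,
    ("impacted", "external"): 4,
}

# Constructed rated identifier lists (claims 8-10): (identifiers, relative level).
RATED_LISTS: List[Tuple[FrozenSet[str], int]] = [
    (frozenset({"192.0.2.77", "192.0.2.78"}), 5),
    (frozenset({"192.0.2.77"}), 9),
]


def infer_zone(identifier: str) -> Zone:
    """Infer internal/external for a host identifier read from the event header.

    Precedence: explicit known-host configuration, then configured internal
    ranges, then RFC 1918 private ranges; anything else is external.
    """
    if identifier in KNOWN_HOSTS:
        return KNOWN_HOSTS[identifier]
    addr = ipaddress.ip_address(identifier)
    if any(addr in net for net in INTERNAL_RANGES):
        return "internal"
    if any(addr in net for net in PRIVATE_RANGES):
        return "internal"
    return "external"


def list_level(identifier: str) -> Optional[int]:
    """Most severe level among the rated lists containing the identifier, or None.

    When the identifier is on two lists with different levels, the higher
    (more severe) one is taken, erring on the side of caution.
    """
    levels = [lvl for ids, lvl in RATED_LISTS if identifier in ids]
    return max(levels) if levels else None


def default_threat_level(identifier: str, role: str) -> int:
    """Default level for one host of the event; role is 'origin' or 'impacted'."""
    if role not in ("origin", "impacted"):
        raise ValueError(f"unknown role {role!r}")
    from_list = list_level(identifier)
    if from_list is not None:
        return from_list
    return DEFAULT_LEVELS[(role, infer_zone(identifier))]


def event_default_levels(event: Dict[str, str]) -> Dict[str, int]:
    """Read the header fields of an event and return per-role default levels."""
    return {
        "origin": default_threat_level(event["src_ip"], "origin"),
        "impacted": default_threat_level(event["dst_ip"], "impacted"),
    }


if __name__ == "__main__":
    # Constructed sample events: an internal host talking to an unknown
    # external host, and an external listed host reaching an internal one.
    for ev in ({"src_ip": "10.1.2.3", "dst_ip": "192.0.2.80"},
               {"src_ip": "192.0.2.77", "dst_ip": "203.0.113.10"}):
        print(ev, event_default_levels(ev))
```

The order of precedence inside infer_zone (known-host configuration, then configured ranges, then private ranges) is an assumption made for this example; the rejections above treat claims 5, 6 and 7 as alternative ways of reaching the same internal/external result rather than prescribing an order.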

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHIMEI ZHU whose telephone number is (571)270-7990. The examiner can normally be reached 10am-6pm Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ZHIMEI ZHU/Examiner, Art Unit 2495
/JEFFERY L WILLIAMS/Primary Examiner, Art Unit 2495