DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 2/26/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-4, 7-11, 14-17, 20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Lock (PGPUB 2007/0112824).

Regarding Claim 8:
Lock teaches a system comprising a processor (paragraph 102, computer), memory accessible by the processor (paragraph 392, memory), and computer program instructions stored in the memory and executable by the processor to perform (paragraph 392, computer program instructions embodied in memory): 
simulating operation of a security incident and event management system by running a plurality of rules of the system on labeled data (abstract, method of anomaly detection applicable to telecommunications or retail fraud or software vulnerabilities using training data set including positive anomaly samples of data covered by rules; paragraph 92, each transaction labeled with Boolean attribute indicating “true” if transaction is known or suspected to be fraudulent, or “false” otherwise; paragraph 98, database of events or transactions that have individual labels indicating whether they are fraudulent or non-fraudulent; paragraph 260-264, set of new or initial rules is constructed and applied to training examples in order to estimate the accuracy by which they classify the training examples as anomalous or not); 
determining fitness metrics of the plurality of rules (paragraph 264, by applying the rules to the training examples, this establishes their fitness, i.e. identifies which of the rules are best at classifying the training examples as anomalous or not; paragraph 265-266, check is made against termination criteria, i.e. a prearranged number of iterative search steps has been carried out, or a rule that adequately classifies all of the training examples has been found to within a prearranged accuracy); 
selecting at least one rule of the plurality of rules based on the determined fitness metrics (paragraph 267, rule is selected using tournament selection; a subset of the previous population rules is randomly selected, and the rule in the subset with the highest fitness is the winner and is selected); 
modifying the selected rule to form an updated rule (paragraph 268, a genetic operator is selected by the computer, e.g. combining two rules to form a new rule, modifying a single rule by deleting one of its conditions or adding a new condition, or changing one of a rule’s constant values for another of an appropriate type); and 
repeating running the updated rule on the labeled data (paragraph 269, process repeats until a new population of rules is reached, at which point the new population is evaluated and the two termination criteria are checked once more), determining fitness metrics of the updated rule (paragraph 264, 270, rules evaluated to establish fitness; procedure continues if neither termination criteria is met), and mutating the updated rule (paragraph 268, 270, genetic operator modifies rule; procedure continues if neither termination criteria is met).
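As an added illustration of the loop mapped above (this is example code written for this page, not code from Lock or from the application), a small genetic search over conjunctive detection rules scored on constructed labeled events: accuracy-style fitness, tournament selection, constant-swap/add/delete mutations, crossover, and the two termination criteria. The event fields, the "at least" threshold form of the rules, and the elitism step are assumptions of this example.

```python
import random

# Constructed labeled events (not from Lock): feature values plus label, True = malicious.
EVENTS = [
    ({"failed_logins": 12, "bytes_out": 900,   "off_hours": 1}, True),
    ({"failed_logins": 9,  "bytes_out": 50000, "off_hours": 1}, True),
    ({"failed_logins": 0,  "bytes_out": 70000, "off_hours": 1}, True),
    ({"failed_logins": 8,  "bytes_out": 400,   "off_hours": 0}, True),
    ({"failed_logins": 1,  "bytes_out": 800,   "off_hours": 0}, False),
    ({"failed_logins": 3,  "bytes_out": 1200,  "off_hours": 0}, False),
    ({"failed_logins": 0,  "bytes_out": 300,   "off_hours": 1}, False),
    ({"failed_logins": 2,  "bytes_out": 20000, "off_hours": 0}, False),
]
FIELDS = ["failed_logins", "bytes_out", "off_hours"]
VALUES = {f: sorted({e[f] for e, _ in EVENTS}) for f in FIELDS}  # constants of an appropriate type

def fires(rule, event):  # rule = tuple of (field, threshold); fires when every condition holds
    return all(event[f] >= t for f, t in rule)
def fitness(rule, events=EVENTS):  # accuracy: fraction of labeled events classified correctly
    return sum(fires(rule, e) == label for e, label in events) / len(events)
def tournament(pop, rng=random, k=3):  # fittest rule in a random subset of k rules wins
    return max(rng.sample(pop, k), key=fitness)
def mutate(rule, rng=random):
    """Genetic operators on one rule: swap a constant, add a condition, or delete one."""
    conds, op = dict(rule), rng.choice(["constant", "add", "delete"])
    if op == "delete" and len(conds) > 1:
        del conds[rng.choice(list(conds))]
    else:  # "add" picks any field; "constant" (or a refused delete) re-samples an existing one
        f = rng.choice(FIELDS if op == "add" else list(conds))
        conds[f] = rng.choice(VALUES[f])
    return tuple(conds.items())
def crossover(a, b, rng=random):  # combine two rules: keep each parent condition with p=1/2
    conds = {f: t for f, t in a + b if rng.random() < 0.5}
    return tuple(conds.items()) or a

def evolve(seed=0, pop_size=8, max_iters=30, target=1.0):
    """Evaluate, check termination, select, modify, repeat; returns (best rule, generations)."""
    rng = random.Random(seed)
    pop = [((f, rng.choice(VALUES[f])),) for f in rng.choices(FIELDS, k=pop_size)]
    for gen in range(max_iters):
        best = max(pop, key=fitness)
        if fitness(best) >= target:  # termination criterion 2: an adequately accurate rule
            return best, gen
        new_pop = [best]  # elitism: an assumption of this example, not something Lock describes
        while len(new_pop) < pop_size:
            parent = tournament(pop, rng)
            new_pop.append(crossover(parent, tournament(pop, rng), rng)
                           if rng.random() < 0.5 else mutate(parent, rng))
        pop = new_pop
    return max(pop, key=fitness), max_iters  # termination criterion 1: iteration budget
```

On this constructed data no conjunctive threshold rule separates all eight events, so the search stops on the iteration budget with a best accuracy of at most 7/8.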

Regarding Claim 9:
Lock teaches the system of claim 8.  In addition, Lock teaches wherein the plurality of rules of the system comprise one of: default rules, given rules, or current rules (paragraph 261, new or initial population of rules, which can be considered default rules, given rules, or current rules).

Regarding Claim 10:
Lock teaches the system of claim 9.  In addition, Lock teaches wherein the labeled data comprises at least some data labeled as benign and at least some data labeled as malicious (paragraph 98, database of events or transactions that have individual labels indicating whether they are fraudulent or non-fraudulent (i.e. malicious or benign)).

Regarding Claim 11:
Lock teaches the system of claim 10.  In addition, Lock teaches wherein the labeled data comprises at least one of: data relating to security devices, data relating to servers and host systems, network and virtual activity data, database activity data, application activity, configuration data, vulnerability data, user activity data, and threat data (paragraph 90-92, example includes commercial system that can measure and record data from cashiers’ tills which may indicate fraudulent or suspicious data; transaction data, i.e. cashier ID, date and time, transaction type, and expected and actual cash in till before and after transaction is recorded and labeled; such data can be seen as relating to security devices (cashiers’ tills), user activity data (cashier transactions), and threat data (fraudulent transactions)).

Regarding Claim 14:
Lock teaches the system of claim 8.  In addition, Lock teaches the system, further comprising at least one of: performing rule minimization comprising deleting rules that cover malicious events that are already covered by other rules, rule prioritization comprising prioritizing rules that cover more malicious events and/or fewer benign events (paragraph 264-267, fitness of rules established based on accuracy of classifying training samples; tournament selection is performed in which rule in subset with highest fitness is the winner and thus selected), and defining rules to control the response to detected conditions comprising providing configuration of rules to block activity without reducing availability.

Regarding Claims 1-4, 7:
These are the method claims corresponding to the system of claims 8-11, 14, and are therefore rejected for corresponding reasons.

Regarding Claims 15-16, 20:
These are the computer program product claims corresponding to the system of claims 8-9, 14, and are therefore rejected for corresponding reasons.

Regarding Claim 17:
Lock teaches the computer program product of claim 16.  In addition, Lock teaches wherein the labeled data includes at least some data labeled as benign and at least some data labeled as malicious (paragraph 98, database of events or transactions that have individual labels indicating whether they are fraudulent or non-fraudulent (i.e. malicious or benign)) and wherein the labeled data comprises at least one of: data relating to security devices, data relating to servers and host systems, network and virtual activity data, database activity data, application activity, configuration data, vulnerability data, user activity data, and threat data (paragraph 90-92, example includes commercial system that can measure and record data from cashiers’ tills which may indicate fraudulent or suspicious data; transaction data, i.e. cashier ID, date and time, transaction type, and expected and actual cash in till before and after transaction is recorded and labeled; such data can be seen as relating to security devices (cashiers’ tills), user activity data (cashier transactions), and threat data (fraudulent transactions)).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 5-6, 12-13, 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Lock, and further in view of Lysecky et al (PGPUB 2022/0035927).

Regarding Claim 12:
Lock teaches the system of claim 11.  
Lock does not explicitly teach wherein the fitness metrics comprise at least one of: a deviation, a coverage, and a simplicity of the rules.
However, Lysecky teaches the concept wherein fitness metrics comprise at least one of: a deviation, a coverage, and a simplicity of the rules (abstract, security framework using runtime, adaptive methods for automatic mitigation; paragraph 360, genetic algorithm for optimization; paragraph 373, optimization scenario for fitness function utilized by genetic algorithm; paragraph 380, 384, fitness function metric relies on maximum/average path coverage).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the coverage metric teachings of Lysecky with the automated anomaly detection system of Lock, in order to incorporate additional fitness metrics into the rule scoring algorithm, thereby making the system more accurate and robust when applied to a large variety of different anomaly detection scenarios, where reliance on a single metric for fitness would otherwise generate a low accuracy model or a model prone to generating false positives.

Regarding Claim 13:
Lock in view of Lysecky teaches the system of claim 12.  In addition, Lock teaches wherein modifying the selected rule comprises at least one of: mutating the rule using numeric mutations (paragraph 268, changing one of a rule’s constant values for another of an appropriate type), predefined mutations, or both, semantic mutations, harvesting of IP addresses, and crossover (paragraph 268, combining two rules to form a new rule).

Regarding Claims 5-6:
These are the method claims corresponding to the system of claims 12-13, and are therefore rejected for corresponding reasons.

Regarding Claims 18-19:
These are the computer program product claims corresponding to the system of claims 12-13, and are therefore rejected for corresponding reasons.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FORREST L CAREY whose telephone number is (571)270-7814. The examiner can normally be reached 9:00AM-5:30PM M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel, can be reached on 571-272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/FORREST L CAREY/Examiner, Art Unit 2491
/Kevin Bechtel/Primary Examiner, Art Unit 2491