DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is in response to a filing dated 02/20/2020. Claims 1-21 are pending.

Priority
No priority has been claimed.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 02/20/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Patent Eligibility (Abstract Idea Analysis)
Per 2019 Revised PEG (Electrical Arts):
Step 1: claims 1, 8 and 15 are directed to one of the four categories of inventions, i.e., claims are categorically subject matter “eligible”.

Step 2A, prong one: none of claims 1, 8 and 15 recites limitations that fall under any of the defined abstract idea groupings because, as claimed, receiving, identifying, analyzing, retrieving, comparing and finally generating a binary output are all explicitly performed by “a computer platform” that necessarily and inherently requires specialized computer instructions/codes to cause/perform the claimed steps and/or operations. As such, NONE of the limitations are abstract and claims 1-21 are determined patent “eligible”.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1, 8 and 15 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Bhatia, US2020/0112590.

Per claim 1, Bhatia discloses a computing platform (Fig. 1, computer 102), comprising: 
at least one processor (Fig. 1, processor 104); 
a communication interface communicatively coupled to the at least one processor (Fig. 1, network interface 130); and 
memory storing computer-readable instructions (Fig. 1, system memory 136) that, when executed by the at least one processor, cause the computing platform to: 
receive a plurality of threat intelligence data feeds from a plurality of sources, each threat intelligence data feed of the plurality of threat intelligence data feeds including intelligence data (As shown in FIG. 7, a rule AI system 712 (analogous to rule AI machine learning system 212 shown in FIG. 2) receives inputs from threat intelligence feeds 701, SIEM 722 (analogous to SIEM rules 222 shown in FIG. 2), and security solutions 703. [0104] The threat intelligence feeds 701 include feeds from telemetry sources 252, log source 226, and domain intelligence mapping 228 shown in Fig. 2 – par. 0103-0104) including a plurality of indicators of compromise and each intelligence feed being received from a respective source (As shown in FIG. 7, flow conditions 705, event conditions 707, offense conditions 709, behavior conditions 711, and miscellaneous rule conditions 713 are parsed out to build features needed for a rule (block 715) – par. 0106); 
identify, within a first threat intelligence data feed, a first indicator of compromise (rule thresholds are predicted and sent to the AI master 714 (analogous to AI master system 214 shown in FIG. 2)…once the rule AI system 712 parses test conditions and engineer features, rule thresholds (i.e., what thresholds must be exceeded in the conditions of the rule) are set and then labeled, in order to train deep learning systems – par. 0115 – Note: for example, rule threshold for incoming emails is a first indicator of compromise); 
analyze the identified first indicator of compromise to determine an intelligence type associated with the first indicator of compromise (The parsing/transformation of the rule by the parse rule logic 602 also leads to a description of which log sources (e.g., source of telemetry data, social media comments, etc.) should be used to test the rules, as shown in block 606… for example, a rule may state that if 90% of incoming emails are from unknown IP addresses, then a ticket should be issued. In this example, “90%” is the threshold of the rule that needs to be reached in order to issue a ticket – par. 0095-0096 – Note: intelligence type is equivalent to an email address or an IP address detected by telemetry sources, log sources and/or domain intelligence mappings. As an example, a telemetry source is as a sensor monitoring an email server or a social media platform monitoring posts and a log source is a collection of logged events or posted messages captured by sensors. Domain intelligence mapping searches for certain keywords, such as signatures/hashes and patterns – par. 0067-0070); 
based on the identified intelligence type associated with the first indicator of compromise, retrieve one or more system logs associated with the identified intelligence type (the decision model 307 closes or auto escalates the offense based on a set threshold and decision logic, such that escalated alerts are forwarded to profile correlator 308…As depicted in FIG. 5, profile correlator 508 (analogous to profile correlator 208 shown in FIG. 2) takes offense vector input from ATDS 506 (analogous to ATDS machine learning system 206) and profile inputs from customer asset profile database 520 (analogous to customer asset profile database 220 shown in FIG. 2). The client profiles are then cleaned, transformed and converted to strings – par. 0086 and 0088 – Note: the profile information 802 includes information such as the log source type that is used to report anomalies in the computer system, a rule design template used to design a rule for the particular client, predicted thresholds required to trigger a rule for the client, external threat intelligence describing security threats, and escalated offense attributes that describe what attributes of conditions must occur in order for an offense to be escalated to a work ticket, an alert, etc. – par. 0119); 
compare the first indicator of compromise to the retrieved one or more system logs to determine whether an occurrence of the first indicator of compromise in the one or more system logs exists (A similarity score is calculated for each set of customers' string data using cosine similarity algorithm (see block 507). Clients with a similarity score above a specified threshold (x %) are filtered and outputted to a master AI engine, such as the depicted AI master 514 (analogous to AI master system 214 shown in FIG. 2) … Using these inputs, the master AI 814 (analogous to AI master system 214 shown in FIG. 2) generates custom rules for each matched client using its profile information 802, which includes each client's asset profiles (i.e., what computer resources are used by the client), customer profile (e.g., what type of industry the client is working in), etc.– par. 0091 and 0119 – Note: the master AI system described herein will compare the client information 802 (i.e., a client profile) for client C1 shown in FIG. 2 to a different client information 802 for client C2 shown in FIG. 2 – par. 0124 and 0141); 
based on the comparing, generate a binary output, generating the binary output including:
responsive to determining that an occurrence of the first indicator of compromise exists in the one or more system logs, generate the binary output as actionable for the first indicator of compromise (determining whether an offence should be addressed, e.g., escalated to the generation of a ticket/report/action for the offense); and 
responsive to determining that an occurrence of the first indicator of compromise does not exist in the one or more system logs, generate the binary output as inactionable for the first indicator of compromise (determining whether an offence should be ignored (closed)… The decision as to whether the offense should be addressed or ignored is based on a machine learning process determining the likelihood that the offense is significant enough to warrant further actions. That is, the ATDS system 305 predicts what the disposition of the offense should be…this prediction/decision is based on how confident the AI process is that the offense warrants further action… the decision model 307 is thus able to decide (based on the output of one or more of the ML Models 1-3 depicted in blocks 303, 305, and/or 324) whether the recognized offense should be closed (block 309), and thus marked as being closed in a database 320; or whether the recognized offense should be escalated (block 317) – par. 0073 and 0085 – Fig. 3, Advanced Threat Disposition System (ATDS)).
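The limitations of claim 1 recited above describe a concrete pipeline: ingest feeds from several sources, classify each indicator into an intelligence type, retrieve only the log set that can contain that type, compare, and emit a binary actionable/inactionable result. The following Python is an added illustration of that pipeline written for this page; it is not code from Bhatia, the applicant, or the Office action. The feed names, log lines, indicator values and the three-way ip/domain/hash classification are all constructed assumptions.

```python
"""Added example: IoC triage pipeline as recited in claim 1 (constructed, not Bhatia's code)."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Feed:
    """One threat-intelligence feed and the respective source it was received from."""
    source: str
    indicators: list


# Constructed sample feeds (assumed values, not real indicators).
FEEDS = [
    Feed("feed-a", ["203.0.113.45", "bad-domain.example",
                    "0123456789abcdef0123456789abcdef"]),
    Feed("feed-b", ["198.51.100.7"]),
]

# Constructed system logs, grouped by the intelligence type they can answer
# for (firewall logs for IPs, DNS logs for domains, EDR logs for file hashes).
LOGS = {
    "ip": [
        "2024-03-01T08:12:09Z fw ALLOW src=203.0.113.45 dst=10.0.0.5 dport=443",
        "2024-03-01T08:13:44Z fw DENY src=203.0.113.4 dst=10.0.0.5 dport=22",
    ],
    "domain": [
        "2024-03-01T08:14:02Z dns query=notbad-domain.example client=10.0.0.9",
    ],
    "hash": [
        "2024-03-01T08:15:30Z edr file=a.exe md5=0123456789abcdef0123456789abcdef host=WS01",
    ],
}

HASH_RE = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", re.I)
DOMAIN_RE = re.compile(r"(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}", re.I)


def intelligence_type(ioc: str) -> str:
    """Classify an indicator as ip, hash, domain, or unknown (assumed type set)."""
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        pass
    if HASH_RE.fullmatch(ioc):
        return "hash"
    if DOMAIN_RE.fullmatch(ioc):
        return "domain"
    return "unknown"


def retrieve_logs(itype: str, logs=LOGS) -> list:
    """Pull only the log set associated with this intelligence type."""
    return logs.get(itype, [])


def compare(ioc: str, lines: list) -> list:
    """Return log lines that contain the indicator as a whole token.

    The lookarounds stop 203.0.113.4 from matching inside 203.0.113.45 and
    bad-domain.example from matching inside notbad-domain.example, which a
    plain substring test would get wrong.
    """
    pattern = re.compile(r"(?<![\w.-])" + re.escape(ioc) + r"(?![\w.-])", re.I)
    return [line for line in lines if pattern.search(line)]


def triage(ioc: str, logs=LOGS) -> dict:
    """Run the claim-1 steps for one indicator and emit the binary output."""
    itype = intelligence_type(ioc)
    hits = compare(ioc, retrieve_logs(itype, logs))
    return {
        "ioc": ioc,
        "type": itype,
        "hits": hits,
        "output": "actionable" if hits else "inactionable",
    }


def triage_feeds(feeds, logs=LOGS) -> list:
    """Triage every indicator in every feed, keeping the respective source."""
    return [dict(triage(ioc, logs), source=feed.source)
            for feed in feeds for ioc in feed.indicators]


if __name__ == "__main__":
    for result in triage_feeds(FEEDS):
        print(result["source"], result["type"], result["ioc"], "->", result["output"])
```

One point worth noticing in the output: an indicator whose type cannot be determined retrieves no logs and therefore always comes out "inactionable". In a real deployment that case should be surfaced separately (the `type` field is "unknown") rather than silently treated as a clean result, since it reflects a coverage gap in the log retrieval step, not an absence of the indicator.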

Per claim 8, it recites a method comprising, by a computing platform comprising at least one processor, memory, and a communication interface, performing the operations recited in the computing platform of claim 1.
Therefore, claim 8 is rejected based on the same analysis as set forth in the rejection of claim 1 above. 

Per claim 15, it recites one or more non-transitory computer-readable media storing instructions that, when executed by a computing platform comprising at least one processor, memory, and a communication interface, cause the computing platform to perform the operations as recited in claim 1.
Therefore, claim 15 is rejected based on the same analysis as set forth in the rejection of claim 1 above. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2-7, 9-14 and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Bhatia, US2020/0112590 in view of Woodford, US2019/0260794.

Per claims 2, 9 and 16, Bhatia discloses the features of claims 1, 8 and 15. Bhatia is not relied upon to explicitly disclose, but Woodford discloses, further including instructions that, when executed, cause the computing platform to: 
responsive to generating the binary output as actionable for the first indicator of compromise, retrieve additional information associated with the first indicator of compromise (The plotting and comparison are a way to filter out what is normal for that system and then be able to focus the analysis on what is abnormal or unusual for that system. Then for each hypothesis of what could be happening with the chain of unusual events or alerts, the gather module may gather additional metrics from the data store including the pool of metrics originally considered ‘normal behavior’ to support or refute each possible hypothesis of what could be happening with this chain of unusual behavior under analysis – Woodford: par. 0058 – Note: data relevant to each type of possible hypothesis will be automatically pulled from additional external and internal sources. Some data is pulled or retrieved by the gather module for each possible hypothesis from the data store – par. 0022); and 
prioritize further processing of the first indicator of compromise based on the binary output and the additional information (Instead of generating the simple binary outputs ‘malicious’ or ‘benign,’ the cyber threat defense system's mathematical algorithms produce outputs that indicate differing degrees of potential compromise. This output enables users of the system to rank different alerts in a rigorous manner and prioritize those that most urgently require action, simultaneously removing the problem of numerous false positives associated with a rule-based approach – Woodford: par. 0126).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Bhatia in view of Woodford to include responsive to generating the binary output as actionable for the first indicator of compromise, retrieve additional information associated with the first indicator of compromise; and prioritize further processing of the first indicator of compromise based on the binary output and the additional information.
One of ordinary skill in the art would have been motivated because it would allow “to contextualize cloud and SaaS events to link those events and better understand an entity's behavior by considering the SaaS metrics and events as well as the cloud metrics and events as an interconnected whole rather than separate realms” – Woodford: par. 0010 to allow “a behavioral pattern analysis of what are the unusual behaviors of the entity, such as a network, a system, a device, a user, or an email, virtual machine, SaaS application, traffic flow” – Woodford: par. 0046.

Per claims 3, 10 and 17, Bhatia and Woodford disclose features of claims 2, 9 and 16, wherein the additional information includes at least the respective source from which the first threat intelligence data feed was received (a number of domain specific time series data are derived, each chosen to reflect a distinct and identifiable facet of the underlying source of the data, which in some way reflects the usage or behavior of that system over time – Woodford: par. 0182 – Note: wherein derived metrics such as domain specific time series data are equivalent to the additional information per domain/source of the derived metrics).
The same motivation to modify Bhatia in view of Woodford applied to claim 2 above applies here.

Per claims 4, 11 and 18, Bhatia and Woodford disclose features of claims 2, 9 and 16, wherein the additional information includes at least historical data associated with a previous occurrence of the first indicator of compromise (client profiles are based on an analysis of respective client environments comprising client assets and an intrusion detection alert history of a plurality of clients – Bhatia: par. 0123).

Per claims 5, 12 and 19, Bhatia and Woodford disclose features of claims 2, 9 and 16, wherein prioritizing further processing of the first indicator of compromise is performed using machine learning (The cyber threat defense system uses unique implementations of unsupervised machine learning algorithms to analyze network data at scale, intelligently handle the unexpected, and embrace uncertainty…Threats from within, which would otherwise go undetected, can be spotted, highlighted, contextually prioritized and isolated using these algorithms – Woodford: par. 0119-0120).
The same motivation to modify Bhatia in view of Woodford applied to claim 2 above applies here.

Per claims 6, 13 and 20, Bhatia and Woodford disclose features of claims 2, 9 and 16, further including instructions that, when executed, cause the computing platform to: transmit the first indicator of compromise (a potential cyber threat) and priority for further processing (the cyber threat module may generate a threat risk parameter listing a set of values describing aspects of a potential cyber threat. The autonomous response module is configured to identify at least one autonomous response to take in response to the cyber threat based on the threat risk parameter… The autonomous response module is further configured to know when to cause the one or more autonomous actions to be taken such as i) when the cyber-threat risk parameter indicative of the likelihood of the cyber-threat is equal to or above the actionable threshold and the actionable threshold is a threat level score – Woodford: par. 0040 and 0081 and 0126 – Note: wherein instead of generating the simple binary outputs ‘malicious’ or ‘benign,’ the cyber threat defense system's mathematical algorithms produce outputs that indicate differing degrees of potential compromise. This output enables users of the system to rank different alerts in a rigorous manner and prioritize those that most urgently require action based on their threat level score – par. 0126).
The same motivation to modify Bhatia in view of Woodford applied to claim 2 above applies here.

Per claims 7, 14 and 21, Bhatia and Woodford disclose features of claims 6, 13 and 20, wherein the further processing includes at least identifying one or more mitigating actions to execute (The autonomous response module is configured to identify at least one autonomous response to take in response to the cyber threat based on the threat risk parameter. The autonomous response can be, for example, alerting an internal system administrator, alerting the third-party operator, reducing permissions, shutting down a device or port, disabling a user account, and other actions that regulate machine and/or network connectivity, as well as altering user permissions – Woodford: par. 0040).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Bhatia in view of Woodford to include wherein the further processing includes at least identifying one or more mitigating actions to execute.
One of ordinary skill in the art would have been motivated because it would allow “rapid autonomous actions to be taken to contain the cyber threat when the threat risk parameter from the cyber threat module is equal to or above an actionable threshold or meets predefined threat conditions” – Woodford: par. 0039.
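Claims 2 through 7 as analyzed above add a second stage to the binary output: for actionable indicators, retrieve additional information (the feed source per claim 3, historical occurrences per claim 4), derive a priority, transmit the indicator with its priority, and identify mitigating actions of the kinds Woodford lists. The Python below is an added illustration of that stage written for this page; it is not code from Bhatia, Woodford, or the applicant. The source-confidence weights, the scoring formula (a deterministic stand-in for the machine-learning ranking claim 5 recites), the tier thresholds and the tier-to-mitigation mapping are all assumptions, and the sample records are constructed.

```python
"""Added example: prioritising actionable indicators (constructed, not Woodford's code)."""
import json
from dataclasses import dataclass, asdict


@dataclass
class TriagedIoc:
    """A binary-output record enriched with the additional information of claims 3 and 4."""
    ioc: str
    itype: str
    output: str        # "actionable" or "inactionable" from the claim-1 comparison
    source: str        # respective feed source the indicator came from (claim 3)
    hits_now: int      # occurrences found in the current system logs
    prior_hits: int    # historical occurrences of the same indicator (claim 4)


# Assumed per-source confidence weights; a deployment would derive these from
# measured feed quality rather than fixing them by hand.
SOURCE_WEIGHT = {"vendor-feed": 1.0, "internal": 0.9, "community-feed": 0.6}

# Assumed tier-to-mitigation mapping, drawing on the response types the text
# lists (alerting an administrator, reducing permissions, disabling an account,
# shutting down a device or port).
MITIGATIONS = {
    "high": ["shut down device or port", "disable affected user account",
             "alert internal system administrator"],
    "medium": ["reduce permissions for affected account",
               "alert internal system administrator"],
    "low": ["alert internal system administrator"],
}

# Constructed sample records.
RECORDS = [
    TriagedIoc("203.0.113.45", "ip", "actionable", "vendor-feed", 2, 4),
    TriagedIoc("0123456789abcdef0123456789abcdef", "hash", "actionable", "community-feed", 1, 0),
    TriagedIoc("bad-domain.example", "domain", "actionable", "internal", 1, 1),
    TriagedIoc("198.51.100.7", "ip", "inactionable", "feed-b", 0, 0),
]


def priority_score(rec: TriagedIoc) -> float:
    """Deterministic stand-in for a learned ranking model, on a 0..100 scale.

    Source confidence dominates; current and historical hits are capped so a
    noisy indicator cannot outrank a high-confidence one on volume alone.
    """
    weight = SOURCE_WEIGHT.get(rec.source, 0.5)  # unknown source: low confidence
    score = 40 * weight + 10 * min(rec.hits_now, 3) + 5 * min(rec.prior_hits, 6)
    return round(min(score, 100.0), 1)


def tier(score: float) -> str:
    """Map a score to a coarse tier (assumed thresholds)."""
    if score >= 70:
        return "high"
    if score >= 40:
        return "medium"
    return "low"


def prioritize(records) -> list:
    """Score only actionable records and rank them highest first."""
    ranked = []
    for rec in records:
        if rec.output != "actionable":
            continue  # inactionable output receives no further processing
        score = priority_score(rec)
        level = tier(score)
        ranked.append({**asdict(rec), "priority": score, "tier": level,
                       "mitigations": MITIGATIONS[level]})
    return sorted(ranked, key=lambda r: r["priority"], reverse=True)


def transmit(records) -> str:
    """Serialise indicator plus priority for the downstream processor (claim 6)."""
    payload = [{"ioc": r["ioc"], "type": r["itype"], "priority": r["priority"],
                "tier": r["tier"], "mitigations": r["mitigations"]}
               for r in prioritize(records)]
    return json.dumps(payload, indent=2)


if __name__ == "__main__":
    print(transmit(RECORDS))
```

The record whose binary output was inactionable is dropped before scoring, which is the point of gating prioritization on the claim-1 result: the ranking stage only spends effort on indicators that actually appeared in the retrieved logs.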

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 

Jenkinson (US2019/0260785) discloses ranking different alerts in a rigorous manner and prioritizing those that most urgently require action, which simultaneously removes the problem of numerous false positives associated with a rule-based approach.

Saraiya (US2021/0406041) discloses analytics dashboards and cognitive functionalities assisting user organizations with improving their handling of critical events, including, but not limited to reducing the organizations' TTRs of critical events, improving response efficiency, improving response effectiveness, assigning optimal priorities to critical events, automating response actions, and predicting attributes of newly arriving critical events.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to AREZOO SHERKAT whose telephone number is (571)272-8533. The examiner can normally be reached Monday - Friday 8:30-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim, can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/AREZOO SHERKAT/            Examiner, Art Unit 2494