DETAILED ACTION
The following Non-Final office action is in response to application 16/871,259 filed on 5/11/2020. IDS filed 5/11/2020 has been considered.
Status of Claims
Claims 1-20 are currently pending and have been rejected as follows. 
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are clearly drawn to at least one of the four categories of patent eligible subject matter recited in 35 U.S.C. 101 (system, method and non-transitory computer readable medium). Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without integrating the abstract idea into a practical application or amounting to significantly more than the abstract idea. 
	Regarding Step 1 of the 2019 Revised Patent Subject Matter Eligibility Guidance (“2019 PEG”), Claims 1-7 are directed toward the statutory category of a process (reciting a “method”). Claims 8-14 are directed toward the statutory category of a machine (reciting a “system”). Claims 15-20 are directed toward the statutory category of an article of manufacture (reciting a “computer-program product”).
	Regarding Step 2A, prong 1 of the 2019 PEG, Claims 1, 8 and 15 are directed to an abstract idea by reciting receiving a global trending threat corresponding to an incident occurring in an industry; identifying a set of local Indicators of Concern (IoCs) within an entity that corresponds to the global trending threat; computing an alert priority based on the set of local IoCs and the global trending threat; adjusting the alert priority based on comparing one or more entity properties of the entity with one or more threat properties of the global trending threat; and dispatching an alert based on the adjusted alert priority. The claims are considered abstract because these steps recite organizing human activity like fundamental economic principles or practices (including hedging, insurance, mitigating risk). The claims receive a global trending threat, identify indicators within an entity corresponding to the threat, determine a priority, adjust the priority based on comparison data and dispatch an alert based on the adjusted priority, which is mitigating risk.
	Regarding Step 2A, prong 2 of the 2019 PEG, the judicial exception is not integrated into a practical application because the claims (the judicial exception and the additional elements such as one or more processors, and a memory) are not an improvement to a computer or a technology, the claims do not apply the judicial exception with a particular machine, the claims do not effect a transformation or reduction of a particular article to a different state or thing nor do the claims apply the judicial exception in some other meaningful way beyond generally linking the use of the judicial exception to a particular technological environment such that the claims as a whole are more than a drafting effort designed to monopolize the exception (see MPEP §§ 2106.05(a-c, e)).
	Dependent claims 2-7, 9-14 and 16-20 do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the limitations recite mere instructions to implement an abstract idea on a computer, or merely use a computer as a tool to perform an abstract idea ‐ see MPEP 2106.05(f).
	Regarding Step 2B of the 2019 PEG, the additional elements have been considered above in Step 2A Prong 2. The claim limitations do not amount to significantly more than the judicial exception because they are directed to limitations referenced in MPEP 2106.05I.A. that are not enough to qualify as significantly more when recited in a claim with an abstract idea because the limitations recite mere instructions to implement an abstract idea on a computer, or merely use a computer as a tool to perform an abstract idea ‐ see MPEP
2106.05(f). Applicant's claims mimic conventional, routine, and generic computing by their similarity to other concepts already deemed routine, generic, and conventional [Berkheimer Memorandum, Page 4, item 2] by the following [MPEP § 2106.05(d) Part (II)]. The claims recite steps like:
“storing and retrieving information in memory” (Id., citing Versata Dev. Group, Inc. v. SAP Am., Inc. (citations omitted)), by handling a “global trending threat” and “indicators of concern” that are “compared” using a “memory and a processor” (example Claim 1). By the above, the claimed computing “call[s] for performance of the claimed information collection, analysis, and display functions ‘on a set of generic computer components’ and display devices” [Elec. Power Group, 830 F.3d at 1355] operating in a “normal, expected manner” [DDR Holdings, LLC v. Hotels.com, L.P., 773 F.3d at 1245, 1258 (Fed. Cir. 2014)]. Conclusively, Applicant's invention is patent-ineligible. When viewed both individually and as a whole, Claims 1-20 are directed toward an abstract idea without integration into a practical application and lacking an inventive concept.

	
	

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1, 5-8, 12-15, and 19-20 are rejected under 35 USC 102(a)(1) as being unpatentable over the teachings of
Crowley et al, US Publication No. 20120143650 A1, hereinafter Crowley. As per,

Claims 1, 8, 15
Crowley teaches
A method implemented by an information handling system that includes a memory and a processor, the method comprising: /
An information handling system comprising: one or more processors; a memory coupled to at least one of the processors; a set of computer program instructions stored in the memory and executed by at least one of the processors in order to perform actions of: /
A computer program product stored in a computer readable storage medium, comprising computer program code that, when executed by an information handling system, causes the information handling system to perform actions comprising:
receiving a global trending threat corresponding to an incident occurring in an industry; (Crowley [0023] “FIG. 3 illustrates an example derivation of risk 300, according to one embodiment. In this example, the network event between compromised internal asset 305 and server 312 can contain attributes 320. These attributes 320 can include, but are not limited to: local attributes 321 and/or global threat attributes 322. Local attributes 321 can be derived information descriptive of malicious activity occurring within a network. Global threat attributes 322 can be information derived externally to a network that is descriptive of a threat to that network”)
identifying a set of local Indicators of Concern (IoCs) within an entity that corresponds to the global trending threat; (Crowley fig. 3; [0042] “FIG. 3 also lists global threat attributes 322;” [0045] “The example in FIG. 3 also illustrates how local attributes 321 and global threat attributes 322 can be collected and tallied”)
computing an alert priority based on the set of local IoCs and the global trending threat; (Crowley [0072] “Alerts can be prioritized according to the composite risk score category”)
adjusting the alert priority based on comparing one or more entity properties of the entity with one or more threat properties of the global trending threat; (Crowley fig. 8; [0045] “Due to the ever-changing nature of risk, risk can be continually assessed and prioritized;” [0047] “The asset priority risk can be a number in the 1-5 range assigned by the user to an asset or group of assets, with 1 representing a high-priority asset, and 5, a low priority asset. The number assigned can be compared against a set of preselected ranges, and the risk associated with the ranges can then be assigned to the asset(s)”)
and dispatching an alert based on the adjusted alert priority. (Crowley [0016] “The method and system 100 admonishes risk through the use of alerts sent to a user”)
Claims 5, 12, 19
Crowley teaches

wherein the adjusting of the alert priority further comprises: increasing the alert priority in response to determining that the entity is in a geographic location that corresponds to the global trending threat; (Crowley [0053] “The geo-location can be a number in the 1-5 range assigned by the user to specific geographic locations for connection attempts, with 1 representing a high-priority geo-location, and 5, a low-priority geo-location. The number assigned can be compared against a set of preselected ranges, and the risk associated with the ranges can be assigned to the asset(s)”)
determining whether an industry type assigned to the entity corresponds to the global trending threat; (Crowley [0032] “A configurable priority set to specific network types, such as residential, commercial, government or other networks, as being higher risk for connection attempts, related to malicious network events, expressed as a range 0-100 according to one embodiment”)
and further increasing the alert priority in response to determining that the industry type assigned to the entity corresponds to the global trending threat. (Crowley [0032] “a network type of priority 100 may represent a network (e.g., residential) which customer data should not be connecting to”)
Claims 6, 13, 20
Crowley teaches
determining whether the entity comprises one or more on premise components that correspond to the global trending threat; (Crowley [0031] “A configurable priority set to the specific geo-location based on the location of the IP address of connection attempts related to malicious network events, expressed as a number in the 0-100 range”)
and further increasing the alert priority in response to determining that the entity comprises one or more on premise components that correspond to the global trending threat. (Crowley [0031] “As an example, a geo-location priority 100 may represent a connection attempt to an IP address located in a country designated to be high risk by the customer”)
Claims 7, 14
Crowley teaches
wherein the dispatched alert comprises one or more courses of actions to respond to the global trending threat. (Crowley claim 12 “at least one user can be alerted regarding the at least two prioritized compromised network assets by their associated individual attribute risk or by the overall risk via at least one alert used to trigger incident response efforts”)

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2-4, 9-11, 16-18 are rejected under 35 USC 103 as being unpatentable over the teachings of 
Crowley in view of
Patel et al, US Publication No. 20210211452 A1, hereinafter Patel. As per,

Claims 2, 9, 16
Crowley teaches
[…]
[…]
[…]
[…]
and matching the global trending threat to a customer profile corresponding to the entity. (Crowley fig. 4; [0069] “Composite risk scores ascertained via Algorithm 330 in FIG. 3 may be correlated against specific Attributes 410 to prioritize remediation efforts, according to a company's internal policies and/or highest level of concern;” claim 11 “at least one overall risk is correlated with any individual attribute risk and the result is displayed in at least one threat matrix, allowing at least one user to quickly identify at least one most important compromised network asset to at least one organization”)
Crowley does not explicitly teach
wherein prior to the receiving of the global trending threat, the method further comprises: crowdsourcing a plurality of IoCs from a plurality of entities, wherein the plurality of IoCs comprise the set of local IoCs and the plurality of entities comprise the entity;
generating a set of features from the crowdsourced plurality of IoCs;
performing a topological data analysis on the set of features;
identifying the global trending threat based on the topological data analysis;
Patel however in the analogous art of threat management teaches
wherein prior to the receiving of the global trending threat, the method further comprises: crowdsourcing a plurality of IoCs from a plurality of entities, wherein the plurality of IoCs comprise the set of local IoCs and the plurality of entities comprise the entity; (Patel [0069] “Crowdsourcing methods 522 for capturing risk parameter values can include the use of dedicated data collection resources 524, periodic surveys 526 to select individuals”)
generating a set of features from the crowdsourced plurality of IoCs; (Patel [0071] “the process 500 includes using at least one method to obtain risk profile parameter values to build and maintain some level of device cybersecurity risk posture 502”)
performing a topological data analysis on the set of features; (Patel [0006] “the threat indicators can be generated by analyzing previously, more importantly very recently, exploited conditions during cyber-attack … The process includes actively and/or periodically accessing the data source, analyzing the data, and updating threat indicator values in the device risk profiles;” [0034] “the device risk profiles can also include threat indicators. The threat indicators can be generated by analyzing previously exploited conditions via cyber-attacks”)
identifying the global trending threat based on the topological data analysis; (Patel [0087] “the reference 432 in FIG. 4 indicates both vulnerability and threat with respect to password management knowledge”)
Before the effective filing date of the claimed invention, it would have been obvious for one of ordinary skill in the art to modify Crowley’s threat detection to include crowdsourcing indicators from entities to identify the global threat in view of Patel in an effort to deliver human-factor-related conditions (see Patel ¶ [0068] & MPEP 2143G).
Claims 3, 10, 17
Crowley teaches
wherein at least one of the set of features is selected from a group consisting of a time variant feature, a time invariant feature, a time independent feature, and a label feature.  (Crowley [0079] “First Seen. Time (e.g., in days) when the asset was first seen to communicate with an external entity”)
Claims 4, 11, 18
Crowley teaches

wherein the matching indicates one or more vulnerabilities within the entity that is targeted by the global trending threat. (Crowley [0038] “A configurable priority set to specific assets based on identified vulnerabilities on those assets, expressed as a range 0-100, according to one embodiment. As an example, a Vulnerability of 100 would indicate the asset being investigated has known vulnerabilities that could be used by the remote criminal operator to control the asset and exfiltrated data.”)
Docket No. P201911884US01, Atty. Ref. No. 0011

	


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. US 20210168166 A1.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMED EL-BATHY whose telephone number is (571)270-5847.  The examiner can normally be reached on M-F 8AM-4:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, PATRICIA MUNSON can be reached on (571) 270-5396.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/MOHAMED N EL-BATHY/Primary Examiner, Art Unit 3624