DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to communication filed on 05/13/2022.
Status of claims in the instant application:
Claims 1-4, 6-14 and 16-20 are pending.
Claims 5 and 15 have been canceled.
Claims 1, 3, 6, 11 and 16 have been amended.
No new claim has been added.
Response to Arguments
Applicant’s arguments, see page [9-10] of the remarks filed on 05/13/2022, with respect to objections to claims have been fully considered in view of the claim amendments, and they are persuasive. Therefore, the claim objections are withdrawn.
Applicant’s arguments, see page [10-18] of the remarks filed on 05/13/2022, with respect to rejections of claims under 35 USC 112 and interpretation of claims under 35 USC 112(f) have been fully considered in view of the claim amendments, and they are persuasive. Therefore, the claim rejections and interpretations are withdrawn.
Applicant’s arguments, see page [18-21] of the remarks filed on 05/13/2022, with respect to rejections of claims under 35 USC 103 have been fully considered in view of the claim amendments, and they are persuasive. Therefore, the claim rejections are withdrawn.
Allowable Subject Matter
Claims 1-4, 6-14 and 16-20 are allowed, but they are renumbered as claims 1-18.
The following is an examiner's statement of reasons for allowance: The following prior art references were identified during the examination of applicant’s amended claim set filed on 05/13/2022 in response to the office action mailed on 12/13/2021. They do not explicitly teach the applicant’s claimed invention, in view of the amended claims, but are in the general realm of applicant’s field of endeavor:
USPGPUB US 20150341379 A1, Lefebvre et al.: Lefebvre discloses methods, systems, and apparatus, including computer programs encoded on computer storage media, for determining network related anomaly scores. One of the methods includes generating a network map including at least a plurality of network nodes and a plurality of edges that indicate communications paths between the plurality of network nodes, obtaining first data indicating network activity over the edges and between the plurality of network nodes for a first time period, generating a model of expected network activity over the edges and between the plurality of network nodes for a future time period using the network map and the first data, obtaining second data indicating network activity over the edges and between the plurality of network nodes for a second time period, and determining an anomaly score using a comparison between the second data and the model of expected network activity.
USPGPUB US 20170063899 A1, Muddu et al.: Muddu discloses a security platform that employs a variety of techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly. The present disclosure pertains to distributed data processing systems, and more particularly, to intelligence generation and activity discovery from events in a distributed data processing system.
US-PGPUB 20140201836 A1 (Amsler): Amsler discloses a risk assessment and managed security system for network users that provides security services for dealing with formidable cyber threats, malware creations and phishing techniques. Automated solutions in combination with human-driven solutions establish an always-alert positioning for incident anticipation, mitigation, discovery and response. A proactive, intelligence-driven and customized approach is taken to protect network users. Assessments of threats are made before and after a breach. Cyber threats are identified in advance of a resulting network problem, and automated analysis locates the threats and stops them from having an adverse effect. Humans can focus on the high-level view, instead of looking at every single potential problem area. Troubling patterns may be reviewed within the network environment to identify issues. Cyber analysis is conducted to provide a baseline over time via statistically proven, predictive models that anticipate vulnerabilities brought on by social-media usage, Web surfing and other behaviors that invite risk.
The present invention generally relates to network security and in particular to an automated system and method for detecting, evaluating and reporting network threats.
US-PGPUB 20180219894 A1 (Crabtree et al.): Crabtree discloses a system for user and entity behavioral analysis using an advanced cyber decision platform, comprising a grouping engine configured to create an interaction dataset based at least in part on interactions within a particular network, process the interaction to generate an interaction map, and create a plurality of groups based at least in part by the interaction map; a behavioral analysis engine configured to create a network-usage dataset, and process the network-usage dataset to generate a behavioral baseline for each group; and a monitoring service configured to continuously monitor each group for anomalous network behavior.
The disclosure relates to the field of network security, particularly to the detection and mitigation of threats by monitoring for anomalous user behavior.
US-PGPUB 20070226796 A1 (Gilbert et al.): Gilbert discloses a utility that enables detection of both tactical and strategic threats against an individual entity and interrelated/affiliated networks of entities. A distributed network of sensors and evaluators are utilized to detect tactical attacks against one or more entities. Events on the general network are represented as an input graph, which is searched for matches of example pattern graphs that represent tactical attacks. The search is performed using a scalable graph matching engine and an ontology that is periodically updated by a subject matter expert or analyst. NETWAR provides the functionality to determine/understand the strategic significance of the detected tactical attacks by correlating detected tactical attacks on the individual entities to identify the true motive of these attacks as a strategic attack. NETWAR also provides predictive capability to predict future entities and sub-entities that may be targeted based on evaluation of the attack data.
The present invention relates generally to computer processing of data, and in particular to computer evaluation of network activity data. Still more particularly, the present invention relates to a method and system for performing computer evaluation of network activity data to detect attacks.
US-PAT 9641544 B1 (Treat et al.): Treat discloses techniques for automated insider threat prevention. In some embodiments, a system, process, and/or computer program product for automated insider threat prevention includes monitoring network communications at a network device; detecting an anomalous activity based on the monitored network communications associated with a user based on a behavior profile for the user; and performing an action in response to the detected anomalous activity based on a policy.
However, none of the prior art of record, alone or in combination, discloses all the limitations of the amended independent claims 1, 11 and 20. Specifically, the references do not disclose the combination of claim limitations as recited in the amended independent claims: “analyzing the host research data using the at least one host metric; generating an automatic threat score describing an autonomously-determined threat level presented by the external host based at least on the host research data using the at least one host metric; presenting the input data in a threat-tracking graphical user interface that displays the automatic threat score for the external host to a user analyst; and analyzing i) data being displayed and called up on the threat-tracking graphical user interface, and ii) queries being made by the user analyst on the threat-tracking graphical user interface, in order to analyze what is happening in the network being protected by the cyber threat defense system and what the user analyst is looking at in order to then anticipatorily go out to internal and external sources to anticipate and assist in finding potentially relevant data to assist in a current investigation”.
Docket No.: 034306-001 P62; Application No.: 16/278,957
Therefore, the independent claims are allowable over the prior art. The dependent claims being definite, further limiting, and fully enabled by the specification are also allowed because of their dependence on the independent claims.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHABUB S AHMED whose telephone number is (571)272-0364.  The examiner can normally be reached on 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand, can be reached on (571)272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/MAHABUB S AHMED/ Examiner, Art Unit 2434
/KAMBIZ ZAND/ Supervisory Patent Examiner, Art Unit 2434