DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
This Office Action is in response to the amendment filed 3/21/2022.
Claims 1, 12, 14, 16 and 18 are currently amended. Claims 2, 13 and 17 are currently cancelled. Claims 21-23 are newly added. Claims 1, 3-12, 14-16 and 18-23 are pending and have been considered.
The objection of claims 1, 12, 16 due to informalities has been withdrawn in light of applicant’s amendment to the claims.
The rejection of claims 1, 12, 16 under 35 USC 112(b) as being indefinite has been withdrawn in light of applicant’s amendment to the claims.
Response to Argument
Applicant’s arguments, see pages 8-12 of the Remarks filed 3/21/2022, with respect to the rejections of the claims over the prior art have been fully considered and are persuasive, further in view of the examiner’s amendment below. Upon the examiner’s updated search on the features recited in the claims, the examiner believes the case is in condition for allowance. Therefore, the rejection of claims 1-20 under 35 U.S.C. 103 has been withdrawn. Newly added claims 21 and 22 depend on independent claim 12, and newly added claim 23 depends on independent claim 16; each recites additional features.
Allowable Subject Matter
Claims 1, 3-12, 14-16, 18-23 are allowed.
The following is an examiner’s statement of reasons for allowance: 
The present invention is directed to generating an aggregate score from the distribution of a plurality of individual scores, each indicating a likelihood of an anomaly for one of a plurality of security events. The aggregate score is calculated as an aggregation, over a plurality of buckets, of the ratio of the observed distribution of individual scores to the expected distribution of individual scores, so that it represents the deviation of the individual scores from the expected distribution, for the purpose of initiating automated remedial actions based on the aggregate score.
Claim 1 (similarly claims 12 and 16) identifies the uniquely distinct features “generating, using at least one processing device, an aggregate score that represents the plurality of individual scores, wherein the aggregate score is based at least in part on an aggregation of a ratio, for each of a plurality of portions of the range, of: (i) a count or a percentage of the plurality of individual scores within a given portion of the range, relative to (ii) an expected count or an expected percentage of the plurality of individual scores within the corresponding given portion of the range based on the obtained expected distribution for the plurality of individual scores, wherein the aggregate score provides an indication of a deviation of the plurality of individual scores from the expected distribution; and initiating one or more automated remedial actions based at least in part on the aggregate score”.
The prior art Luiggi et al. (US20200076843A1) discloses a system and method for identifying security risks to a computer system based on a distribution of categorical features of events. In particular, Luiggi teaches generating a composite score associated with events in a probability distribution analysis system for anomaly identification and investigation.
The prior art Coffey et al. (US20200145447A1) discloses a system and method for protecting against contagion-based risk events. In particular, Coffey teaches presenting an observed risk score together with a probability distribution function of the likelihood of sample scores, for risk detection, analysis and protection.
The prior art Kincaid et al. (US20070031883A1) discloses systems and methods of analyzing CGH data to identify aberrations. In particular, Kincaid teaches calculating a score that indicates significant negative deviations using the log ratio of the spread of Z-scores for a test sample versus a reference sample.
The prior art Bailey et al. (US20170070521A1) discloses systems and methods for detecting and scoring anomalies. In particular, Bailey teaches presenting observed count data in buckets of a histogram plot and comparing the observed counts against expected counts to identify anomalous behavior.
The prior art Crotinger et al. (US20180324199A1) discloses anomaly detection with a time series analyzer that determines an anomaly score for statistical outliers. In particular, Crotinger teaches an anomaly detection module that monitors a stream of time series data, identifies statistical outliers in the stream, and represents the magnitude of deviation between current and model data as a measure of anomaly.
The prior art, either singly or in combination, fails to anticipate or render obvious the claimed limitations of claim 1 (similarly claims 12 and 16) of “generating, using at least one processing device, an aggregate score that represents the plurality of individual scores, wherein the aggregate score is based at least in part on an aggregation of a ratio, for each of a plurality of portions of the range, of: (i) a count or a percentage of the plurality of individual scores within a given portion of the range, relative to (ii) an expected count or an expected percentage of the plurality of individual scores within the corresponding given portion of the range based on the obtained expected distribution for the plurality of individual scores, wherein the aggregate score provides an indication of a deviation of the plurality of individual scores from the expected distribution; and initiating one or more automated remedial actions based at least in part on the aggregate score”.
Regarding the dependent claims: dependent claims 3-11 (depending from claim 1), 14-15 and 21-22 (depending from claim 12), and 18-20 and 23 (depending from claim 16) are also allowed for incorporating the allowable features recited in their respective independent claims.
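The scoring scheme recited in the independent claims and in the dependent weight, threshold and cross-vector comparison claims discussed above, carried through in runnable form as an added worked example. This is the editor's illustration, not code from the application or from any of the cited references; the bucket boundaries, expected shares, bucket weights, action thresholds and the per-event sample scores are constructed assumptions chosen so the arithmetic is easy to follow.

```python
"""Aggregate anomaly score from per-bucket observed/expected ratios.

Added worked example; not code from the application or the cited prior art.
Bucket boundaries, expected shares, weights, thresholds and sample scores
are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Bucket:
    low: float             # inclusive lower bound of the score values in this bucket
    high: float            # exclusive upper bound (inclusive for the last bucket)
    expected_share: float  # expected fraction of individual scores falling here
    weight: float          # how much this bucket's ratio contributes to the aggregate


# Constructed expected distribution: most events look benign, few look anomalous.
# Weights are positive and sum to 1.0, so an observed distribution that matches
# the expected one yields an aggregate score of exactly 1.0. The claims also allow
# negative weights, which would make a surplus in that bucket lower the score.
BUCKETS: Sequence[Bucket] = (
    Bucket(0.00, 0.25, expected_share=0.70, weight=0.10),
    Bucket(0.25, 0.50, expected_share=0.20, weight=0.20),
    Bucket(0.50, 0.75, expected_share=0.08, weight=0.30),
    Bucket(0.75, 1.00, expected_share=0.02, weight=0.40),
)


def bucket_index(score: float, buckets: Sequence[Bucket]) -> int:
    """Return the index of the non-overlapping bucket containing `score`."""
    last = len(buckets) - 1
    for i, b in enumerate(buckets):
        if b.low <= score < b.high or (i == last and score == b.high):
            return i
    raise ValueError(f"score {score} lies outside the bucketed range")


def observed_distribution(scores: Sequence[float], buckets: Sequence[Bucket]) -> List[float]:
    """Fraction of the individual scores that fall into each bucket."""
    if not scores:
        raise ValueError("at least one individual score is required")
    counts = [0] * len(buckets)
    for s in scores:
        counts[bucket_index(s, buckets)] += 1
    return [c / len(scores) for c in counts]


def aggregate_score(scores: Sequence[float], buckets: Sequence[Bucket] = BUCKETS) -> float:
    """Weighted aggregation over buckets of (observed share / expected share).

    1.0 means the scores follow the expected distribution; values above 1.0 mean
    mass has shifted into the heavily weighted (high-score) buckets.
    """
    observed = observed_distribution(scores, buckets)
    total = 0.0
    for share, b in zip(observed, buckets):
        if b.expected_share <= 0:
            # The ratio is undefined for a zero expected share, so this example
            # requires a positive expected share in every bucket (assumption).
            raise ValueError(f"bucket [{b.low}, {b.high}] has no expected share")
        total += b.weight * (share / b.expected_share)
    return total


# Action thresholds are assumptions for illustration.
ALERT_THRESHOLD = 1.5
POLICY_THRESHOLD = 2.5


def remedial_action(aggregate: float) -> str:
    """Map the aggregate score to an automated action (alert, then policy change)."""
    if aggregate > POLICY_THRESHOLD:
        return "alert_and_tighten_policy"
    if aggregate > ALERT_THRESHOLD:
        return "alert"
    return "none"


def rank_vectors(scores_by_vector: Dict[str, Sequence[float]]) -> List[Tuple[str, float]]:
    """Compare aggregate scores across vectors (e.g. sub-networks), worst first."""
    ranked = [(name, aggregate_score(scores)) for name, scores in scores_by_vector.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed sample input: 100 per-event anomaly likelihoods per vector, placed at
# bucket midpoints so the bucket counts (70/20/8/2 and 40/30/20/10) are easy to read.
SAMPLE_SCORES: Dict[str, Sequence[float]] = {
    "corp-lan": [0.10] * 70 + [0.40] * 20 + [0.60] * 8 + [0.90] * 2,    # matches expectation
    "dmz":      [0.10] * 40 + [0.40] * 30 + [0.60] * 20 + [0.90] * 10,  # shifted toward anomalous
}

if __name__ == "__main__":
    for name, agg in rank_vectors(SAMPLE_SCORES):
        print(f"{name:10s} aggregate={agg:.3f} action={remedial_action(agg)}")
```

With these assumptions the "corp-lan" vector scores 1.0 (every per-bucket ratio is 1), while "dmz" scores roughly 3.1 because the 0.50-0.75 and 0.75-1.00 buckets hold 2.5 and 5 times their expected share and carry the largest weights; the constructed thresholds then select an alert plus policy change for "dmz" and no action for "corp-lan".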
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Examiner’s Amendment
An Examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicants, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Kevin Mason (203-255-6558) on 5/16/2022 and further communication on 5/17/2022 (See PTO-413 interview summary).
The application has been amended as follows:

PLEASE AMEND THE CLAIMS AS FOLLOWS:

1. (Currently Amended) A method, comprising:
obtaining a plurality of individual scores each indicating a likelihood of an anomaly associated with a corresponding one of a plurality of distinct security events, wherein a given individual score comprises one or more of: a confidence score and a risk score; 
obtaining an expected distribution for the plurality of individual scores, over a range of score values, wherein the range of score values is partitioned into a plurality of buckets;
generating, using at least one processing device, an aggregate score that represents the plurality of individual scores, wherein the aggregate score is based at least in part on an aggregation of a ratio, for two or more of the plurality of buckets, of: (i) a count or a percentage of the plurality of individual scores within a given portion of the range, relative to (ii) an expected count or an expected percentage of the plurality of individual scores within the corresponding given portion of the range based on the obtained expected distribution for the plurality of individual scores, wherein the aggregate score provides an indication of a deviation of the plurality of individual scores from the expected distribution; and
initiating one or more automated remedial actions based at least in part on the aggregate score.

2. (Cancelled).

3. (Currently Amended) The method of claim 1, wherein the plurality of buckets comprises non-overlapping buckets of score values.

4. (Original) The method of claim 3, wherein each of the non-overlapping buckets has a corresponding expected percentile distribution indicating a percentage of the plurality of individual scores that should fall into each respective bucket.

5. (Original) The method of claim 3, wherein each of the non-overlapping buckets has a corresponding weight indicating one or more of how much a change in a given bucket contributes to an overall score, relative to other buckets, and whether the given bucket negatively or positively impacts the overall score.

6. (Previously Presented) The method of claim 1, wherein the generating the aggregate score that represents the plurality of individual scores further comprises computing an actual distribution of the plurality of individual scores.

7. (Previously Presented) The method of claim 1, further comprising comparing multiple aggregate risk scores across different vectors of an organization.

8. (Previously Presented) The method of claim 1, wherein the one or more remedial actions comprise one or more of: (i) creating a security policy and (ii) modifying the security policy.

9. (Original) The method of claim 1, wherein an aggregate risk score is dynamically generated when one or more security policies are evaluated.

10. (Previously Presented) The method of claim 1, further comprising triggering an alert based on whether an aggregate risk score satisfies one or more predefined threshold criteria.

11. (Previously Presented) The method of claim 1, further comprising visualizing multiple aggregate risk scores in one or more of geographic regions and sub-networks of an organization.

12. (Currently Amended) A computer program product, comprising a non-transitory machine-readable storage medium having encoded therein executable code of one or more software programs, wherein the one or more software programs when executed by at least one processing device perform the following steps:
obtaining a plurality of individual scores each indicating a likelihood of an anomaly associated with a corresponding one of a plurality of distinct security events, wherein a given individual score comprises one or more of: a confidence score and a risk score; 
obtaining an expected distribution for the plurality of individual scores, over a range of score values, wherein the range of score values is partitioned into a plurality of buckets;
generating, using at least one processing device, an aggregate score that represents the plurality of individual scores, wherein the aggregate score is based at least in part on an aggregation of a ratio, for two or more of the plurality of buckets, of: (i) a count or a percentage of the plurality of individual scores within a given portion of the range, relative to (ii) an expected count or an expected percentage of the plurality of individual scores within the corresponding given portion of the range based on the obtained expected distribution for the plurality of individual scores, wherein the aggregate score provides an indication of a deviation of the plurality of individual scores from the expected distribution; and
initiating one or more automated remedial actions based at least in part on the aggregate score.

13. (Cancelled).

14. (Currently Amended) The computer program product of claim 12, wherein the plurality of buckets comprises non-overlapping buckets of score values, and wherein each of the non-overlapping buckets has a corresponding expected percentile distribution indicating a percentage of the plurality of individual scores that should fall into each respective bucket.

15. (Previously Presented) The computer program product of claim 12, wherein the aggregate score comprises an aggregate risk score for a plurality of security events, and further comprising one or more steps of: (i) comparing multiple aggregate risk scores across different vectors of an organization; (ii) one or more of creating a security policy and modifying the security policy using at least one aggregate risk score; (iii) dynamically generating the aggregate risk score when one or more security policies are evaluated; (iv) triggering an alert based on whether at least one aggregate risk score satisfies one or more predefined threshold criteria; and (v) visualizing multiple aggregate risk scores in one or more of geographic regions and sub-networks of the organization.

16. (Currently Amended) An apparatus, comprising:
a memory; and
at least one processing device, coupled to the memory, operative to implement the following steps:
obtaining a plurality of individual scores each indicating a likelihood of an anomaly associated with a corresponding one of a plurality of distinct security events, wherein a given individual score comprises one or more of: a confidence score and a risk score; 
obtaining an expected distribution for the plurality of individual scores, over a range of score values, wherein the range of score values is partitioned into a plurality of buckets;
generating, using at least one processing device, an aggregate score that represents the plurality of individual scores, wherein the aggregate score is based at least in part on an aggregation of a ratio, for two or more of the plurality of buckets, of: (i) a count or a percentage of the plurality of individual scores within a given portion of the range, relative to (ii) an expected count or an expected percentage of the plurality of individual scores within the corresponding given portion of the range based on the obtained expected distribution for the plurality of individual scores, wherein the aggregate score provides an indication of a deviation of the plurality of individual scores from the expected distribution; and
initiating one or more automated remedial actions based at least in part on the aggregate score.

17. (Cancelled).

18. (Currently Amended) The apparatus of claim 16, wherein the plurality of buckets comprises non-overlapping buckets of score values, and wherein each of the non-overlapping buckets has a corresponding expected percentile distribution indicating a percentage of the plurality of individual scores that should fall into each respective bucket.

19. (Previously Presented) The apparatus of claim 16, wherein the generating the aggregate score for the plurality of individual scores further comprises computing an actual distribution of the plurality of individual scores.

20. (Previously Presented) The apparatus of claim 16, wherein the aggregate score comprises an aggregate risk score for a plurality of security events, and further comprising one or more steps of: (i) comparing multiple aggregate risk scores across different vectors of an organization; (ii) one or more of creating a security policy and modifying the security policy using at least one aggregate risk score; (iii) dynamically generating the aggregate risk score when one or more security policies are evaluated; (iv) triggering an alert based on whether at least one aggregate risk score satisfies one or more predefined threshold criteria; and (v) visualizing multiple aggregate risk scores in one or more of geographic regions and sub-networks of the organization.

21. (Currently Amended) The computer program product of claim 12, wherein the

22. (Currently Amended) The computer program product of claim 12, wherein the plurality of buckets comprises non-overlapping buckets of score values, and wherein each of the non-overlapping buckets has a corresponding weight indicating one or more of how much a change in a given bucket contributes to an overall score, relative to other buckets, and whether the given bucket negatively or positively impacts the overall score.

23. (Currently Amended) The apparatus of claim 16, wherein the plurality of buckets comprises non-overlapping buckets of score values, and wherein each of the non-overlapping buckets has a corresponding weight indicating one or more of how much a change in a given bucket contributes to an overall score, relative to other buckets, and whether the given bucket negatively or positively impacts the overall score.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL M LEE/Examiner, Art Unit 2436   

/AMIE C. LIN/Primary Examiner, Art Unit 2436