Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Detailed Action
This communication is in response to the application filed on 09/26/2019 in which Claims 1-20 are presented for examination.
Drawings
The applicant’s drawings submitted on 09/26/2019 are acceptable for examination purposes. 
Double Patenting
The non-statutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.   A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
Claims 1-20 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-20 of US patent No. 10503899. This is a provisional double patenting rejection since the conflicting claims have not yet been patented.
Claims 1-20 recite similar limitations as claims 1-20 of US patent No. 10503899 as follows:

Instant application:
Claim 1.  A method comprising: receiving a plurality of event logs; determining, by a computing device, a reportability likelihood for each event log based on at least one algorithm; sorting an event queue of the plurality of event logs based on the reportability likelihood of each of the plurality of event logs; and transmitting, by the computing device and to an analysis system, the plurality of event logs sorted in the event queue based on the reportability likelihood of each of the plurality of event logs.

US patent No. 10503899:
Claim 1. A method comprising: receiving a plurality of event logs; determining, by a computing device, a reportability likelihood for each event log based on at least one algorithm, wherein the reportability likelihood for each event log is based on at least one of: a fidelity of an event threat indicator, a type of the event threat indicator, an age of the event threat indicator, threat intelligence provider data associated with the event threat indicator, reputation data of at least one threat intelligence provider, or a risk score of the event threat indicator; sorting an event queue of the plurality of event logs based on the reportability likelihood of each of the plurality of event logs; and transmitting, by the computing device and to an analysis system, the plurality of event logs sorted in the event queue based on the reportability likelihood of each of the plurality of event logs.

Instant application: Claims 14, 18.
US patent No. 10503899: Claims 11, 15.

Instant application: Claims 2-3.
US patent No. 10503899: Claims 2-3.

The table above shows that, although corresponding claims may be directed to different statutory categories, the claims of US patent No. 10503899 implemented on a computer would render the claims of the instant application obvious.
Claim 1 of U.S. patent No. 10503899 substantially discloses the subject matter of claim 1 of the instant application.
The Applicant merely broadens the scope of the instant claims by deleting a few elements (the recited bases for the reportability likelihood) from the claims of U.S. patent No. 10503899.
This is an obviousness-type double patenting rejection.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 3, 5-7, 9-15, and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over PANDE U.S. Publication No. 20180270261 A1, in view of Schneider U.S. 20080034429 A1.
As to claim 1, PANDE teaches a method comprising: receiving a plurality of event logs (PANDE Pa. [0003]) [collection of event logs; for each event log of the plurality of event logs]; determining, by a computing device, a reportability likelihood for each event log based on at least one algorithm (PANDE Pa. [0005]) [training the model using the vector representation of each feature to identify a contextual likelihood of each possible feature-context pair; applying the trained model to a second collection of event logs to generate a classification score for each feature within each event log of the second collection, the classification score representing a contextual likelihood of the feature appearing within the context included in that event log]; 
‘sorting an event queue’ (read as classifying, categorizing or grouping) of the plurality of event logs based on the reportability likelihood of each of the plurality of event logs (PANDE Pa. [0004]) [apply the trained model to a second collection of event logs to generate a classification score for each feature within each event log of the second collection, the classification score representing a contextual likelihood of the feature appearing within the context included in that event log; based on the classification score of a feature within a particular event log being outside a predetermined threshold: identify the particular event log having the feature as containing an anomaly].
It is noted that PANDE does not appear to explicitly disclose transmitting, by the computing device and to an analysis system, the plurality of event logs sorted in the event queue based on the reportability likelihood of each of the plurality of event logs.
However, Schneider discloses transmitting, by the computing device and to an analysis system, the plurality of event logs sorted in the event queue based on the reportability likelihood of each of the plurality of event logs (Schneider Pa. [0037]) [retrieve the event logs for examination and analysis (Block 216). In several embodiments, the event logs are compared against factors known to be associated with pestware so as to identify a likelihood that the events in the event log are pestware related events. In addition, the event log may be sent to a centralized host, which collects information about activities at protected computers and generates weighted factors which are pushed out to the protected computers and utilized to help identify pestware at the protected computer. The above-identified application entitled Client Side Exploit Tracking includes details of techniques that may be used to identify pestware-related events from the event logs]
Thus, before the effective filing date of the claimed invention, it would have been recognized by one of ordinary skill in the art that applying the known technique taught by Schneider to the intrusion detection system of PANDE would have yielded predictable results and resulted in an improved system, namely one that periodically scans for anomalies and is able to identify and remove malware in a convenient manner (Schneider Pa. [0005]).

As to claim 3, the combination of PANDE and Schneider teaches further comprising: receiving, from the analysis system, report data generated based on analyzed event logs (PANDE Pa. [0097]) [features which can be analyzed to determine whether each attribute contextually fits within the event log, or should be flagged as anomalous. Examples of other contexts in which event logs may be analyzed include computing system event logs]; and updating training data for a machine learning system based on the report data generated based on the analyzed event logs  (PANDE Pa. [0075]) [the model may be updated in response to a change in an applied rule that results in the detection of more or fewer threats]

As to claim 5, the combination of PANDE and Schneider teaches wherein the machine-learned algorithm determines, for each event log, the second reportability likelihood for the event log based on at least one of a type of event threat indicator associated with the event log, threat intelligence provider data associated with the event log, and a number of threat intelligence providers associated with the event log (PANDE Pa. [0005]) [containing an anomaly; and classifying the feature as being anomalous; applying one or more rules to each identified event log as containing an anomaly; and based on identifying a threat from applying the one or more rules, generating an alert.]

As to claim 6, the combination of PANDE and Schneider teaches wherein the machine-learned algorithm determines, for each event log, the second reportability likelihood for the event log based on at least one of a domain name associated with the event log, an entropy value of the domain name associated with the event log, a number of labels of the domain name associated with the event log, a string length of the domain name associated with the event log, a size of data associated with the event log, and an event occurrence time associated with the event log (PANDE Pa. [0077])  [wherein the vocabulary is of size V and includes all unique features in one or more event logs under investigation.]
As to claim 7, the combination of PANDE and Schneider teaches wherein the machine-learned algorithm is continually updated based on correlation data derived from analyzed event logs (PANDE Pa. [0075]) [the model may be updated in response to a change in an applied rule that results in the detection of more or fewer threats]
  
As to claim 9, the combination of PANDE and Schneider teaches further comprising: receiving, from the analysis system, report data generated based on analyzed event logs (PANDE Pa. [0097]) [features which can be analyzed to determine whether each attribute contextually fits within the event log, or should be flagged as anomalous. Examples of other contexts in which event logs may be analyzed include computing system event logs]; and updating training data for the at least one algorithm based on the report data generated based on the analyzed event logs (PANDE Pa. [0075]) [the model may be updated in response to a change in an applied rule that results in the detection of more or fewer threats]

As to claim 10, the combination of PANDE and Schneider teaches further comprising: receiving a plurality of packets; determining, based on threat intelligence data, a plurality of potential threat communications events; generating, based on the plurality of potential threat communications events, the plurality of event logs (PANDE Pa. [0028]) [Determining whether such anomalies actually relate to an enterprise threat depends on the one or more rules that may be applied to such event logs]; and storing the plurality of event logs to the event queue (PANDE Pa. [0032]) [the event collection server 104 may capture and store events associated with one or more computing devices 108 accessing the web server 106, outbound network traffic using of one or more enterprise servers accessing the web server 106, one or more enterprise point of sale devices accessing the web server 106 to complete transactions, etc]

As to claim 11, the combination of PANDE and Schneider teaches further comprising: receiving, from the analysis system, report data generated based on analyzed event logs (PANDE Pa. [0097]) [features which can be analyzed to determine whether each attribute contextually fits within the event log, or should be flagged as anomalous. Examples of other contexts in which event logs may be analyzed include computing system event logs]; and updating, based on the report data generated based on the analyzed event logs, packet rule dispositions for determining packets to be one of the plurality of potential threat communications events (PANDE Pa. [0075]) [the model may be updated in response to a change in an applied rule that results in the detection of more or fewer threats]

As to claim 12, the combination of PANDE and Schneider teaches wherein the sorting is based on at least one of a fidelity of an event threat indicator, a type of the event threat indicator, an age of the event threat indicator, threat intelligence provider data associated with the event threat indicator, reputation data of at least one threat intelligence provider, and a risk score of the event threat indicator (PANDE Pa. [0004]) [a classification score for each feature within each event log of the second collection, the classification score representing a contextual likelihood of the feature appearing within the context included in that event log]

As to claim 13, the combination of PANDE and Schneider teaches wherein the reportability likelihood is a probability that a potential threat communication is associated with an actual threat (PANDE Pa. [0028]) [The higher the probability threshold, more anomalous features may be flagged. Each event log having one or more flagged anomalous features based on the probability threshold is thereafter processed against rules to determine whether the event is in fact a threat.]

As to claim 14, claim 14 recites limitations similar to those of claim 1; therefore, it is rejected under the same rationale.

As to claim 15, claim 15 recites limitations similar to those of claim 3; therefore, it is rejected under the same rationale.

As to claim 17, the combination of PANDE and Schneider teaches wherein the machine-learned algorithm determines the second reportability likelihood based on a correlation between an event and historical reportable events (PANDE Pa. [0021]) [Word embeddings have historically only been used in the context of natural language processing, and in particular to identify similarities and the proper context among words]
As to claim 18, claim 18 recites limitations similar to those of claim 1; therefore, it is rejected under the same rationale.

As to claim 19, claim 19 recites limitations similar to those of claim 2; therefore, it is rejected under the same rationale.

As to claim 20, claim 20 recites limitations similar to those of claim 3; therefore, it is rejected under the same rationale.

Claims 2, 4, 8 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over PANDE U.S. Publication No. 20180270261 A1, in view of Schneider U.S. 20080034429 A1, and in further view of Miller US 10187482 B2 and DĂNILĂ US 20180248902 A1.
As to claim 2, the combination of PANDE and Schneider teaches wherein the reportability likelihood is a combined reportability likelihood, and wherein the determining, by the computing device, the reportability likelihood for each event log based on the at least one algorithm comprises (PANDE Pa. [0004]) [apply the trained model to a second collection of event logs to generate a classification score for each feature within each event log of the second collection, the classification score representing a contextual likelihood of the feature appearing within the context included in that event log; based on the classification score of a feature within a particular event log being outside a predetermined threshold: identify the particular event log having the feature as containing an anomaly]
It is noted that the combination of PANDE and Schneider does not appear to explicitly disclose determining, by the computing device, a first reportability likelihood for each event log based on a static algorithm; determining, by the computing device, a second reportability likelihood for each event log based on a machine-learned algorithm; and determining, by the computing device, the combined reportability likelihood for each event log based on the first reportability likelihood and the second reportability likelihood.
However, Miller discloses determining, by the computing device, a first reportability likelihood for each event log based on a static algorithm; determining, by the computing device, a second reportability likelihood for each event log based on a machine-learned algorithm; and determining, by the computing device, the combined reportability likelihood for each event log based on the first reportability likelihood and the second reportability likelihood (Miller Col. 30, claim 3) [normalizing the first likelihood and the second likelihood; combining the first likelihood and the second likelihood to create a combined likelihood; and determining an overall likelihood that the pair of devices are owned or operated by a common user based at least in part on the combined likelihood]
Thus, before the effective filing date of the claimed invention, it would have been recognized by one of ordinary skill in the art that applying the known technique taught by Miller to the intrusion detection system of PANDE and Schneider would have yielded predictable results and resulted in an improved system, namely one that provides user identity management and delivers Internet content (Miller Col. 1).
Furthermore, see DĂNILĂ US 20180248902 A1, which discloses the aspect of a “static algorithm” (DĂNILĂ Pa. [0236]) [supervised algorithms, and may use one or more of a plurality of algorithms. The algorithms may incorporate one or more static rules, which may be defined by operator feedback. The algorithms may be based on any combination of simple statistical rules (such as medians, averages, and moving averages),].
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify the system of PANDE and Schneider for detecting attacks on an enterprise by testing each of a plurality of user interactions with monitored computer networks against a probabilistic model, as taught by DĂNILĂ, in order to identify abnormal user interactions.

As to claim 4, the combination of PANDE and Schneider teaches wherein the static algorithm determines, for each event log, the first reportability likelihood for the event log based on at least one of a fidelity of an event threat indicator, a type of the event threat indicator, an age of the event threat indicator, threat intelligence provider data associated with the event threat indicator, reputation data of at least one threat intelligence provider, and a risk score of the event threat indicator (PANDE Pa. [0004]) [a classification score for each feature within each event log of the second collection, the classification score representing a contextual likelihood of the feature appearing within the context included in that event log]

As to claim 8, the combination of PANDE and Schneider teaches wherein the static algorithm is a human designed algorithm, wherein the static algorithm is set based on an operator input (DĂNILĂ Pa. [0236]) [supervised algorithms, and may use one or more of a plurality of algorithms. The algorithms may incorporate one or more static rules, which may be defined by operator feedback. The algorithms may be based on any combination of simple statistical rules (such as medians, averages, and moving averages),]

As to claim 16, claim 16 recites limitations similar to those of claim 4; therefore, it is rejected under the same rationale.
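For readers who want to see what the rejected claims describe as working code, the following Python is an added example written for this page; it is not code from the application, from US patent No. 10503899, or from PANDE, Schneider, Miller or DĂNILĂ. It implements the method of claim 1 (receive event logs, score each one, sort the event queue, hand the sorted queue to an analysis system) with the combined scoring of claim 2: a static, operator-set score over the claim 4/12 factors (indicator fidelity, type, age, provider reputation, risk score), a logistic-regression stand-in for the machine-learned algorithm over the claim 6 domain features (name entropy, label count, string length), and a feedback step that updates the learned weights from an analyst's verdict (claims 3 and 7). The weights, the indicator-type table, the initial model coefficients and the three sample event logs are assumptions constructed for the example.

```python
import math
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class EventLog:
    """One event log built from a potential threat communication (constructed fields)."""
    event_id: str
    domain: str                 # domain name associated with the event
    indicator_type: str         # type of the event threat indicator
    fidelity: float             # 0..1 confidence in the indicator
    age_days: float             # age of the indicator
    provider_reputation: float  # 0..1 reputation of the threat intelligence provider
    risk_score: float           # 0..100 risk score of the indicator


# Static, human-designed scoring. The weights and the type table are
# operator-set assumptions for this example, not values from any cited document.
TYPE_WEIGHT = {"c2-domain": 1.0, "phishing-domain": 0.8, "scanner": 0.3}


def static_likelihood(ev: EventLog) -> float:
    """First reportability likelihood from fidelity, type, age, provider reputation and risk."""
    type_w = TYPE_WEIGHT.get(ev.indicator_type, 0.5)
    freshness = math.exp(-ev.age_days / 30.0)   # indicator value decays over roughly a month
    score = (0.35 * ev.fidelity + 0.20 * type_w + 0.15 * freshness
             + 0.15 * ev.provider_reputation + 0.15 * ev.risk_score / 100.0)
    return min(max(score, 0.0), 1.0)


def shannon_entropy(s: str) -> float:
    """Bits per character; DGA-style names score high, dictionary words low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def domain_features(domain: str) -> List[float]:
    """Claim-6 style features (entropy, number of labels, string length), scaled to about 0..1."""
    labels = domain.split(".")
    return [shannon_entropy(domain) / 5.0, len(labels) / 5.0, len(domain) / 64.0]


class LearnedModel:
    """Logistic-regression stand-in for the machine-learned algorithm.
    The initial weights are assumed; update() is the feedback step driven by report data."""

    def __init__(self, weights: List[float], bias: float):
        self.w = list(weights)
        self.b = bias

    def likelihood(self, ev: EventLog) -> float:
        """Second reportability likelihood for one event log."""
        z = self.b + sum(w * x for w, x in zip(self.w, domain_features(ev.domain)))
        return 1.0 / (1.0 + math.exp(-z))

    def update(self, ev: EventLog, reportable: bool, lr: float = 0.5) -> None:
        """One gradient step on the analyst's verdict for an analyzed event log."""
        err = (1.0 if reportable else 0.0) - self.likelihood(ev)
        for i, x in enumerate(domain_features(ev.domain)):
            self.w[i] += lr * err * x
        self.b += lr * err


def combined_likelihood(ev: EventLog, model: LearnedModel, alpha: float = 0.5) -> float:
    """Both likelihoods already lie in 0..1, so normalising and combining is a convex blend."""
    return alpha * static_likelihood(ev) + (1.0 - alpha) * model.likelihood(ev)


def sort_event_queue(queue: List[EventLog], model: LearnedModel) -> List[EventLog]:
    """Highest reportability likelihood first; ties keep arrival order (sorted() is stable)."""
    return sorted(queue, key=lambda ev: combined_likelihood(ev, model), reverse=True)


def transmit_to_analysis(queue: List[EventLog], model: LearnedModel) -> List[Tuple[str, float]]:
    """What would be sent to the analysis system: event ids in queue order with their scores."""
    return [(ev.event_id, round(combined_likelihood(ev, model), 3))
            for ev in sort_event_queue(queue, model)]


# Constructed sample event logs (not taken from any cited document).
SAMPLE_QUEUE = [
    EventLog("ev-1", "login.example.com", "phishing-domain", 0.6, 40, 0.7, 50),
    EventLog("ev-2", "q7x9zk2p4mv1.top", "c2-domain", 0.9, 2, 0.9, 90),
    EventLog("ev-3", "scan.example.net", "scanner", 0.4, 200, 0.5, 20),
]

DEFAULT_MODEL = LearnedModel(weights=[4.0, 1.0, 2.0], bias=-3.5)

if __name__ == "__main__":
    model = LearnedModel(DEFAULT_MODEL.w, DEFAULT_MODEL.b)
    for event_id, score in transmit_to_analysis(SAMPLE_QUEUE, model):
        print(event_id, score)
    # An analyst reports ev-3 as a real incident; the learned weights move toward it.
    model.update(SAMPLE_QUEUE[2], reportable=True)
    print("ev-3 after feedback:", round(model.likelihood(SAMPLE_QUEUE[2]), 3))
```

With the sample queue the fresh, high-fidelity C2 indicator on a high-entropy name (ev-2) sorts first and the stale scanner hit (ev-3) last. The static and learned scores are kept separate on purpose: the operator-set weights are auditable and change only by operator input, while the learned weights drift with feedback, so a regression in one can be traced without touching the other.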

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EVANS DESROSIERS whose telephone number is (571)270-5438. The examiner can normally be reached Monday -Thursday 7:00 am - 5:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B. Patel, can be reached on (571) 272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/EVANS DESROSIERS/Primary Examiner, Art Unit 2491