DETAILED ACTION
A.	This action is in response to the following communications: Transmittal of New Application filed 06/09/2020.
B.	Claims 1-20 remain pending.
 
Claim Rejections - 35 USC § 102
1.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
2.	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


3.	Claim(s) 1-20 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Phillip A. Porras (US Pub. 2016/0218933), herein referred to as “Porras”.


As for claims 1, 13 and 20, Porras teaches a computer program product (claim 1), a corresponding method (claim 13) and a system (claim 20) comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the following steps (specific to claim 1; par. 21: the system 110 further includes actuation components that are designed to implement network reconfigurations that are specified by the network-executable instructions; an exemplary system is described in the context of a secure software-defined network environment, however, in other embodiments, the disclosed technology is implemented in other (e.g., non-SDN) network environments):

a plurality of compute instances; an enterprise network coupling the plurality of compute instances in a communicating relationship; and a threat management facility for the enterprise network, the threat management facility including a processor and a memory storing code that, when executing on the processor, performs the following steps (specific to claim 20; par. 21: the system 110 includes components that receive digital alerts over time regarding current network activity and flows, as well as information regarding detected or suspected cyber-threats; components of the system 110 conduct an interactive natural language dialog for a human user based on those alerts and information, thereby enabling a real-time natural language-based series of interactions (e.g., a "conversation") between human(s) and computer(s) regarding the network, and its current activity, flows, and cyber-threats):

identifying a file within an enterprise network with a hash of the file (par. 51: the environment 202 includes a network activity correlation module 210 and a network context evaluation module 212, which interface with contextual information from the enterprise/network that is being monitored);

monitoring activity within the enterprise network to obtain a record of activities for one or more instances of the file, the record including a history of execution for the file and a number of locations of the file within the enterprise network (par. 51: monitoring different aspects of the enterprise/network, namely data stores containing the network activity data 140, network topology data 220, infection profile data 222, IP reputation data 224, network role data 226, network policies 228, and conflicts data 136; portions of the network activity data 140, network topology data 220, infection profile data 222, IP reputation data 224, network role data 226, network policies 228, and conflicts data 136 may be received, accessed or obtained from other systems and stored in computer memory, e.g., in a searchable data structure such as a database, table, data file, or XML (eXtensible Markup Language) data structures);

storing the record in a database (par. 51, utilization of a database);

detecting a suspicious activity associated with the file, the suspicious activity indicating a reputation of the file between safe and malicious (par. 61, detection of suspicious network traffic and the like);

presenting an identifier of the file to an analyst in a user interface, the user interface configured to present a list of suspicious files to the analyst and support investigation of the file by the analyst using the database (par. 62, displaying on the user interface indicators of network events that are safe and malicious);

receiving a disposition of the file as malicious or non-malicious (par. 87, receiving different dispositions on network events related to an application/file, etc.); and

in response to the disposition, removing the file from the list of suspicious files (par. 87-88, acting on the disposition and performing a function such as removing it from its current network location).

As for claim 2, Porras teaches the computer program product of claim 1 further comprising code that performs the step of, when the analyst disposes of the file by indicating that the file is malicious, remediating a first location of execution of the file in the history of execution (par. 47, examples of different actions taken by subsystems when an event deemed a threat has been detected).

As for claim 3, Porras teaches the computer program product of claim 1 further comprising code that performs the step of, when the analyst disposes of the file by indicating that the file is malicious, remediating each of the number of locations of the file stored in the record (par. 48-49, analysis of events detected as threats, wherein the subsystems remediate the affected files/applications, etc.).

As for claims 4 and 14, Porras teaches the computer program product of claim 1 wherein the number of locations include a machine and a path for each of the one or more instances of the file (par. 54-55, different addresses of network-reachable applications/files being monitored by subsystems).

As for claims 5 and 15, Porras teaches the computer program product of claim 1 wherein the history of execution includes a time and place of a first execution of the file in the enterprise network (par. 37, attribute metadata related to network activity is traced).

As for claims 6 and 16, Porras teaches the computer program product of claim 1 wherein the record includes one or more network connections associated with the file (par. 37, recording event data pertaining to network traffic).

As for claim 7, Porras teaches the computer program product of claim 6 wherein the one or more network connections include at least one connection created by a process executing from the file (par. 31 and 39, examples of process execution with regard to monitored activity).

As for claim 8, Porras teaches the computer program product of claim 6 wherein the one or more network connections include at least one connection used to transfer the file to a location within the enterprise network (par. 38, transfer of data packets).

As for claims 9 and 17, Porras teaches the computer program product of claim 1 further comprising code that performs the step of aging the record out of the database after a predetermined interval (par. 37 and 52, predetermined time intervals).

As for claims 10 and 18, Porras teaches the computer program product of claim 1 further comprising code that performs the step of returning the file to the list of suspicious files upon a detection of a second suspicious activity by the file occurring after the disposition (par. 84, redirect and allow actions taken on a file upon the event detections mentioned above).

As for claim 11, Porras teaches the computer program product of claim 10 further comprising code that performs the step of presenting a history of dispositions and one or more associated analysts in the user interface (par. 82, a user interface that displays a plurality of network information to the user, and par. 83, which discusses that this information includes the disposition of events detected on the monitored network).

As for claims 12 and 19, Porras teaches the computer program product of claim 11 further comprising code that performs the step of receiving an override of the disposition by a second analyst (par. 84, allow action taken upon the event detections mentioned above).
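The workflow recited in claims 1-20 above (identify a file by its hash, keep a record of its executions, locations and connections, list it for an analyst once a suspicious activity is detected, take a disposition, remediate on a malicious verdict, re-list on a second suspicious activity, allow a second analyst to override, and age the record out) is shown below as an added Python example. It is not code from the application, from Porras, or from this Office action; the class and method names, the SHA-256 choice, the 0-to-1 suspicion score, the in-memory dictionary standing in for the database, and the hostnames, paths and file content in the walk-through are all constructed for illustration.

```python
"""Illustrative suspicious-file triage store (added example; names are assumptions)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


@dataclass
class Disposition:
    verdict: str   # "malicious" or "non-malicious"
    analyst: str
    ts: float


@dataclass
class FileRecord:
    """One record per file identity (SHA-256): the claim's 'record of activities'."""
    sha256: str
    locations: set[tuple[str, str]] = field(default_factory=set)           # (host, path)
    executions: list[tuple[str, str, float]] = field(default_factory=list)  # (host, path, ts)
    connections: list[tuple[str, str, int]] = field(default_factory=list)   # (host, dst, port)
    suspicion: float = 0.0   # 0.0 = safe, 1.0 = malicious; strictly between = suspicious
    dispositions: list[Disposition] = field(default_factory=list)
    last_seen: float = 0.0


class ThreatManagementFacility:
    """In-memory stand-in for the claimed database plus the analyst-facing list."""

    def __init__(self, retention_seconds: float) -> None:
        self.db: dict[str, FileRecord] = {}
        self.suspicious: list[str] = []   # identifiers presented to the analyst
        self.retention = retention_seconds

    @staticmethod
    def identify(content: bytes) -> str:
        """Identify a file by the hash of its content (SHA-256 is an assumed choice)."""
        return hashlib.sha256(content).hexdigest()

    def _record(self, sha256: str, now: float) -> FileRecord:
        rec = self.db.setdefault(sha256, FileRecord(sha256))
        rec.last_seen = now
        return rec

    def observe_location(self, sha256: str, host: str, path: str, now: float) -> None:
        self._record(sha256, now).locations.add((host, path))

    def observe_execution(self, sha256: str, host: str, path: str, now: float) -> None:
        rec = self._record(sha256, now)
        rec.locations.add((host, path))
        rec.executions.append((host, path, now))   # execution history, in order

    def observe_connection(self, sha256: str, host: str, dst: str, port: int, now: float) -> None:
        self._record(sha256, now).connections.append((host, dst, port))

    def flag_suspicious(self, sha256: str, score: float, now: float) -> None:
        """Record a suspicious activity; a previously disposed file re-enters the list."""
        if not 0.0 < score < 1.0:
            raise ValueError("suspicion score must lie strictly between safe (0) and malicious (1)")
        rec = self._record(sha256, now)
        rec.suspicion = max(rec.suspicion, score)
        if sha256 not in self.suspicious:
            self.suspicious.append(sha256)

    def suspicious_files(self) -> list[tuple[str, float, int]]:
        """What the UI would present: identifier, score and number of known locations."""
        return [(h, self.db[h].suspicion, len(self.db[h].locations)) for h in self.suspicious]

    def dispose(self, sha256: str, verdict: str, analyst: str, now: float,
                remediate_all: bool = True) -> list[tuple[str, str]]:
        """Analyst disposition; a later call by another analyst is the override.
        Returns the (host, path) locations remediated; empty for a non-malicious verdict."""
        if verdict not in ("malicious", "non-malicious"):
            raise ValueError(f"unknown verdict {verdict!r}")
        rec = self.db[sha256]
        rec.dispositions.append(Disposition(verdict, analyst, now))
        if sha256 in self.suspicious:
            self.suspicious.remove(sha256)   # removed from the list in response to the disposition
        if verdict != "malicious":
            return []
        if remediate_all:                    # every known location (claim 3)
            return sorted(rec.locations)
        ex = rec.executions                  # only the first execution location (claim 2)
        return [(ex[0][0], ex[0][1])] if ex else []

    def disposition_history(self, sha256: str) -> list[tuple[str, str]]:
        return [(d.verdict, d.analyst) for d in self.db[sha256].dispositions]

    def age_out(self, now: float) -> list[str]:
        """Drop records idle for longer than the retention interval (claim 9)."""
        expired = [h for h, r in self.db.items() if now - r.last_seen > self.retention]
        for h in expired:
            del self.db[h]
            if h in self.suspicious:
                self.suspicious.remove(h)
        return expired


def demo() -> dict:
    """Constructed walk-through with fake hosts and an inert byte string as the file."""
    tmf = ThreatManagementFacility(retention_seconds=7 * 24 * 3600)
    h = tmf.identify(b"constructed sample content, not a real binary")
    tmf.observe_location(h, "ws-01", r"C:\Users\a\Downloads\inv.exe", 1000.0)
    tmf.observe_execution(h, "ws-01", r"C:\Users\a\Downloads\inv.exe", 1010.0)
    tmf.observe_connection(h, "ws-01", "203.0.113.7", 443, 1011.0)
    tmf.observe_location(h, "ws-02", r"C:\Temp\inv.exe", 1020.0)
    tmf.flag_suspicious(h, 0.6, 1030.0)                      # reputation between safe and malicious
    listed_before = [x[0] for x in tmf.suspicious_files()]
    tmf.dispose(h, "non-malicious", "alice", 1100.0)         # first analyst: benign, list cleared
    listed_after = [x[0] for x in tmf.suspicious_files()]
    tmf.flag_suspicious(h, 0.8, 1200.0)                      # second suspicious activity: re-listed
    relisted = h in tmf.suspicious
    remediated = tmf.dispose(h, "malicious", "bob", 1300.0)  # second analyst overrides: remediate
    history = tmf.disposition_history(h)
    expired = tmf.age_out(1300.0 + 8 * 24 * 3600)            # past retention: record aged out
    return {"hash": h, "listed_before": listed_before, "listed_after": listed_after,
            "relisted": relisted, "remediated": remediated, "history": history,
            "expired": expired, "db_size": len(tmf.db)}
```

The record is keyed by content hash rather than by path so that the same file copied to several machines collapses into one entry with several locations, which is what makes the "remediate each location" step in claim 3 possible; keying by path would split it into unrelated records.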

Note:	It is noted that any citation to specific pages, columns, lines, or figures in the prior art references and any interpretation of the references should not be considered to be limiting in any way. A reference is relevant for all it contains and may be relied upon for all that it would have reasonably suggested to one having ordinary skill in the art. In re Heck, 699 F.2d 1331, 1332-33, 216 USPQ 1038, 1039 (Fed. Cir. 1983) (quoting In re Lemelson, 397 F.2d 1006, 1009, 158 USPQ 275, 277 (CCPA 1968)).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Inquiries
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NICHOLAS AUGUSTINE whose telephone number is (571)270-1056 and fax is 571-270-2056.  The examiner can normally be reached on M-F 8am-5pm Eastern.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Stephen Hong can be reached on 571-272-4124.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/NICHOLAS AUGUSTINE/Primary Examiner, Art Unit 2178                                                                                                                                                                                                        June 7, 2022