Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

EXAMINER'S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner’s amendment was given in an interview with Albert Du on 6/13/22.

The application has been amended as follows: 

1. (Currently Amended) A computer-implemented method, comprising: receiving a sequence of security events comprising n security events from different log sources; parsing only the n security events from the different log sources; determining, in the received sequence of security events, a first cyber-attack pattern using a correlation engine by applying a set of predefined rules for a detection of an indicator of compromise of a first partial cyber-attack of a cyber-attack chain, thereby identifying a specific cyber-attack chain having a plurality of phases with at least two phases having distinct types and attributes; determining a type and an attribute in a pattern of the first partial cyber-attack of the identified specific cyber-attack chain; configuring at least one correlation rule of [[a]] the set of predefined rules for a downstream partial cyber-attack in the specific cyber-attack chain based on the type and the attribute in an attack pattern of the first partial cyber-attack which prepares a security information and event monitoring (SIEM) solution anticipating future partial cyber-attacks, wherein the correlation rule addresses the specific cyber-attack chain at at least one of the phases downstream of the first partial cyber-attack of the specific cyber-attack chain; and removing the at least one configured correlation rule for a downstream partial cyber-attack in the specific cyber-attack chain in the set of predefined rules, in response to determining that a risk value for the specific cyber-attack chain is reduced to below a predetermined risk threshold value.

2. (Currently Amended) The method according to claim 1, further comprising: determining, in the received sequence of security events, a second cyber-attack pattern using the correlation engine by applying the configured at least one correlation rule for a detection of a second indicator of compromise in the second cyber-attack of the cyber-attack chain.  
3. (Currently Amended) The method according to claim 1, wherein the set of predefined rules uses information about malware attribute enumeration and characterization and structured threat information expressions.  
4. (Currently Amended) The method according to claim 3, further comprising: updating the set of predefined 
5. (Currently Amended) The method according to claim 1, wherein the adding the at least one configured correlation rule to the set of predefined rules is performed by performing an action selected from the group consisting of: selectively configuring and/or activating correlation rules in the set of predefined rules; grouping of the predefined rules; and prioritizing the configured and added at least one correlation rule against generic rules in the set of predefined rules.  
6. (Currently Amended) The method according to claim 1, wherein the configuring the at least one correlation rule for a downstream partial cyber-attack comprises: using data about tactic-technique-procedure identifying rules, malware attribute enumeration and characterization and structured threat information expressions from a repository.  
7. (Currently Amended) The method according to claim 1, wherein the configuring the at least one correlation rule for a downstream partial cyber-attack further comprises: configuring additional correlation rules relating to typical downstream partial cyber- attacks of a cyber-attack chain relating to the determined type and attribute in the pattern of the first partial cyber-attack of the identified specific cyber-attack chain.  
8. (Previously Presented) The method according to claim 1, further comprising: constantly checking a repository to dynamically develop rules that are applicable to new malware campaigns based on tactic-technique-procedure (TTP), malware attribute enumeration and characterization (MEAC); monitoring additional partial cyber-security attacks along an entire cyber-attack chain; processing received events of the cyber-security attacks through campaign specific rules and generic rules, and triggering an alarm signal after a predefined number of subsequent partial security attacks corresponding to one cyber-attack chain has been determined.
9. (Currently Amended) The method according to claim 1, further comprising: removing the at least one configured correlation rule for a downstream partial cyber-attack in the specific cyber-attack chain in the set of predefined rules if it is determined that a risk value for the specific cyber-attack chain is reduced to below a predetermined risk threshold value.
10. (Currently Amended) The method according to claim 9, further comprising: removing the at least one configured correlation rule for a downstream partial cyber-attack in the specific cyber-attack chain if the correlation engine using the at least one configured correlation rule did not determine a downstream cyber-attack pattern for a predefined time.
11. (Currently Amended) The method according to claim 9, further comprising: removing a rule relating to at least one configured correlation rule for a downstream partial cyber-attack in the specific cyber-attack chain in the set of predefined rules from the repository of malware attribute enumeration and characterization and structured threat information expressions.
12. (Currently Amended) A computer system, comprising: a processor; and a computer readable storage device storing programming instructions for execution by the processor, the program instructions comprising instructions for: receiving a sequence of security events comprising n security events from different log sources; parsing only the n security events from the different log sources; determining, in the received sequence of security events, a first cyber-attack pattern using a correlation engine by applying a set of predefined rules for a detection of an indicator of compromise of a first partial cyber-attack of a cyber-attack chain, thereby identifying a specific cyber-attack chain having a plurality of phases with at least two phases having distinct types and attributes; determining a type and an attribute in a pattern of the first partial cyber-attack of the identified specific cyber-attack chain; configuring at least one correlation rule of the set of predefined rules for a downstream partial cyber-attack in the specific cyber-attack chain based on the type and the attribute in an attack pattern of the first partial cyber-attack which prepares a security information and event monitoring (SIEM) solution anticipating future partial cyber-attacks, wherein the correlation rule addresses the specific cyber-attack chain at at least one of the phases downstream of the first partial cyber-attack of the specific cyber-attack chain anticipating future partial cyber-attacks in the specific cyber-attack chain; and removing the at least one configured correlation rule for a downstream partial cyber-attack in the specific cyber-attack chain in the set of predefined rules, in response to determining that a risk value for the specific cyber-attack chain is reduced to below a predetermined risk threshold value.

13. (Currently Amended) The system according to claim 12, wherein instructions for determining comprise instructions for: determining, in the received sequence of security events, a second cyber-attack pattern using the correlation engine by applying the configured at least one correlation rule for a detection of a second indicator of compromise in the second cyber-attack of the cyber-attack.  
14. (Currently Amended) The system according to claim 12, wherein the set of predefined rules comprises: using information about malware attribute enumeration and characterization and structured threat information expressions.  
15. (Currently Amended) The system according to claim 14, further comprising instructions for: updating the set of predefined 
16. (Currently Amended) The system according to claim 12, wherein instructions for adding further comprise instructions for performing an action selected from the group consisting of: selectively configuring and/or activating correlation rules in the set of predefined rules; grouping of the predefined rules; and prioritizing the configured and added at least one correlation rule against generic rules in the set of predefined rules.
17. (Original) The system according to claim 12, further comprising: a repository for storing data about tactic-technique-procedure identifying rules, malware attribute enumeration and characterization and structured threat information expressions to be used by the instructions for configuring.  
18. (Currently Amended) The system according to claim 12, wherein the instructions for configuring the at least one correlation rule for a downstream partial cyber-attack comprise instructions for: configuring additional correlation rules relating to typical downstream cyber-attacks of a cyber-attack chain relating to the determined type and attribute in the pattern of the first partial cyber-attack of the identified specific cyber-attack chain.  
19. (Original) The system according to claim 12, further comprising instructions for: triggering an alarm signal after a predefined number of subsequent partial security attacks corresponding to one cyber-attack chain has been determined.  
20. (Cancelled) 
21. (Currently Amended) The system according to claim 12, wherein the instructions for removing comprise: removing the at least one configured correlation rule for a downstream partial cyber-attack in the specific cyber-attack chain, in response to determining that the correlation engine using the at least one configured correlation rule did not determine a downstream cyber-attack pattern for a predefined time.  
22. (Currently Amended) The system according to claim 12, wherein the instructions for removing comprise instructions for: removing a rule relating to at least one configured correlation rule from the set of predefined rules.  
23. (Currently Amended) A computer program product for dynamically identifying security threats comprising a cyber-attack chain composed of a sequence of partial cyber-attacks represented by attack patterns, said computer program product comprising a computer readable storage medium having program instructions embodied therewith, said program instructions being executable by one or more processors of one or more computing systems or controllers to execute a method, the program instructions comprising instructions for: receiving a sequence of security events comprising n security events from different log sources; parsing only the n security events from the different log sources; determining, in the received sequence of security events, a first cyber-attack pattern using a correlation engine by applying a set of predefined correlation rules for a detection of an indicator of compromise of a first partial cyber-attack of the cyber-attack chain, thereby identifying a specific cyber-attack chain having a plurality of phases with at least two phases having distinct types and attributes; determining a type and an attribute in a pattern of the first partial cyber-attack of the identified specific cyber-attack chain; configuring at least one correlation rule of [[a]] the set of predefined correlation rules for a downstream partial cyber-attack in the specific cyber-attack chain based on the type and the attribute in an attack pattern of the first partial cyber-attack which prepares a security information and event monitoring (SIEM) solution anticipating future partial cyber-attacks, wherein the correlation rule addresses the specific cyber-attack chain at at least one of the phases of the specific cyber-attack chain and the downstream partial cyber-attack follows the first partial cyber-attack in the cyber-attack chain; and removing the at least one configured correlation rule for a downstream partial cyber-attack in the specific cyber-attack chain in the set of predefined rules, in response to determining that a risk value for the specific cyber-attack chain is reduced to below a predetermined risk threshold value.
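The mechanism recited in claims 1, 8, 9 and 10 (a generic rule detects the first partial attack, a chain-specific correlation rule for the next phase is configured from that attack's type and attribute and prioritized ahead of the generic rules, an alarm fires after a predefined number of partial attacks in one chain, and the configured rule is removed once the chain's risk value drops below a threshold or the rule stays silent), as an added illustration in Python. This is not code from the application, the examiner, or any cited reference. The event fields, the small phase table standing in for TTP/MAEC/STIX campaign data, the rule names, and the risk arithmetic (one unit per matched partial attack, halved per idle window) are all constructed assumptions for the example.

```python
"""Toy SIEM correlation engine illustrating the claimed method.
Added illustration only; not the application's code.  Event fields, phases,
rule names and the risk arithmetic are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Event:
    ts: int                 # seconds since start of the constructed sample
    source: str             # log source: "mail", "edr", "proxy" (constructed)
    kind: str               # normalised event type; doubles as the chain phase
    host: str               # the attribute carried into the downstream rule
    attrs: dict = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    phase: str                          # phase of the chain this rule addresses
    match: Callable[[Event], bool]
    chain_specific: bool = False        # configured at run time vs. generic
    chain_id: Optional[str] = None


# Constructed stand-in for TTP/MAEC/STIX campaign knowledge: which phase is
# expected to follow a detected partial attack of the given type.
NEXT_PHASE = {"delivery": "execution", "execution": "c2"}


def generic_rules() -> List[Rule]:
    """Predefined rules detecting the indicator of compromise of a first partial attack."""
    return [Rule("phish_macro_attachment", "delivery",
                 lambda e: e.source == "mail" and e.kind == "delivery"
                 and e.attrs.get("macro") is True)]


class CorrelationEngine:
    def __init__(self, rules: List[Rule], risk_threshold: float = 1.0,
                 alarm_after: int = 2, idle_window: int = 600):
        self.rules = list(rules)           # chain-specific rules are kept in front
        self.risk_threshold = risk_threshold
        self.alarm_after = alarm_after     # partial attacks in one chain before an alarm
        self.idle_window = idle_window     # seconds of silence per halving of the risk
        self.chains: Dict[str, dict] = {}
        self.alarms: List[tuple] = []

    def risk_of(self, chain_id: str, now: int) -> float:
        """Risk value of a chain at `now`: halves for every idle window since its last hit
        (constructed decay; a silent downstream rule therefore ages out, as in claim 10)."""
        st = self.chains[chain_id]
        idle_periods = (now - st["last_hit"]) // self.idle_window
        return st["risk"] * (0.5 ** idle_periods)

    def _expire(self, now: int) -> None:
        """Remove configured downstream rules of chains whose risk fell below the threshold."""
        for cid in list(self.chains):
            if self.risk_of(cid, now) < self.risk_threshold:
                self.rules = [r for r in self.rules if r.chain_id != cid]
                del self.chains[cid]

    def _configure_downstream_rule(self, chain_id: str, first_type: str, attribute: str) -> None:
        """Arm a rule for the phase expected after `first_type`, bound to the attribute (host)."""
        phase = NEXT_PHASE.get(first_type)
        if phase is None:
            return
        rule = Rule(name=f"{chain_id}:{phase}", phase=phase,
                    match=lambda e, h=attribute, p=phase: e.host == h and e.kind == p,
                    chain_specific=True, chain_id=chain_id)
        self.rules.insert(0, rule)         # prioritised ahead of the generic rules

    def process(self, event: Event) -> Optional[str]:
        """Correlate one event; returns the chain id it was attributed to, else None."""
        self._expire(event.ts)
        for rule in self.rules:
            if rule.match(event):
                return self._hit(rule, event)
        return None

    def _hit(self, rule: Rule, event: Event) -> str:
        if rule.chain_specific:
            chain_id = rule.chain_id
            self.rules.remove(rule)        # consumed here; the next phase's rule replaces it
        else:
            chain_id = f"chain-{event.host}"
        st = self.chains.setdefault(chain_id, {"risk": 0.0, "last_hit": event.ts, "phases": []})
        st["risk"] += 1.0
        st["last_hit"] = event.ts
        st["phases"].append(rule.phase)
        self._configure_downstream_rule(chain_id, rule.phase, event.host)
        if len(st["phases"]) >= self.alarm_after:
            self.alarms.append((chain_id, tuple(st["phases"])))
        return chain_id


def demo():
    """Constructed sample: phishing delivery, follow-on execution on the same host,
    unrelated execution elsewhere, then a quiet period that retires the chain."""
    eng = CorrelationEngine(generic_rules(), risk_threshold=1.0, alarm_after=2, idle_window=600)
    events = [
        Event(0, "mail", "delivery", "ws-17", {"macro": True}),
        Event(120, "edr", "execution", "ws-17", {"proc": "powershell.exe"}),
        Event(130, "edr", "execution", "ws-42", {"proc": "powershell.exe"}),
        Event(5000, "proxy", "dns", "ws-17", {"qname": "cdn.example.test"}),
    ]
    hits = [eng.process(e) for e in events]
    return eng, hits
```

In the sample, the second event is caught only because the first one armed a host-bound rule for the execution phase; the same event on another host matches nothing. After the chain goes quiet for several idle windows its risk falls below the threshold and the armed rule is dropped again, so the rule set returns to the generic rules alone.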


Allowable Subject Matter

Claims 1-19, 21-23 are allowed over the prior art of record.  
Claims are allowed at least over the prior art combination of Puri US 2018/0322283; Ettema US 10,530,810; and Lem US 2019/0132344.
Claims are allowable due to agreed amendments including a threshold risk value and removal of correlation rules. Claims should be viewed as allowable in their entirety, as a combination of claim elements that makes the invention non-obvious over the prior art of record. No single claim element should be viewed as allowable on its own merits. It is the claims as a whole that are allowable over the prior art.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833. The examiner can normally be reached M-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439