DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1, 7, 9, 10, 16, 18 and 19 are allowed.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 3/17/20 is being considered by the examiner.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Dmitry Paskalov on 9/23/21.
The application has been amended as follows: 
1.   (Currently Amended) A system for detecting network intrusions, comprising: 
a storage device to store audit data generated by a network traffic analyzer in accordance with an audit policy that determines an auditing level; and 
a processor to: 
receive a case defined by a case definition, wherein the case definition comprises a plurality of symptoms and each symptom is defined by a separate symptom definition, wherein each of the plurality of symptoms is associated with a corresponding symptom lookup level, and wherein the case definition specifies a plurality of audit thresholds that determine the symptom lookup level to be applied based on a comparison of the case score with the plurality of audit thresholds; 
perform a query of the audit data in accordance with each of the symptoms to generate captured symptom data, wherein the symptom definition specifies a query condition, a time period over which to search for the query condition, and a grouping object over which to count occurrences of the query condition over the time period; 
score the symptoms based on the captured symptom data to generate symptom scores; 
sum the symptom scores to generate a case score;
compare the case score to an upper audit threshold specified by the case definition and, when the case score is above the upper audit threshold, increase the symptom lookup level and update the audit policy to increase the audit level for an object identified in the captured symptom data, wherein the symptom lookup level determines which of the plurality of symptoms are used to query the audit data;
compare the case score to a lower audit threshold specified by the case definition and, when the case score is below the lower audit threshold, reduce the symptom lookup level and update the audit policy to reduce the audit level, wherein the symptom lookup level determines which of the plurality of symptoms are used to query the audit data; and 
issue an alert when the case score exceeds an alert threshold specified by the case definition.

2-6.  (Cancelled).
7.  (Currently Amended) The system of claim 1, wherein the time period is equal to or greater than 60 days.
8.  (Cancelled).
9. (Original) The system of claim 1, wherein the processor is to log the case as a violation when the case score exceeds the alert threshold specified by the case definition.

10.  (Currently Amended) A method of operation of an intrusion detection system, the method comprising: 
receiving a case defined by a case definition, wherein the case definition comprises a plurality of symptoms and each symptom is defined by a separate symptom definition, wherein each of the plurality of symptoms is associated with a corresponding symptom lookup level, and wherein the case definition specifies a plurality of audit thresholds that determine the symptom lookup level to be applied based on a comparison of the case score with the plurality of audit thresholds; 
performing a query of audit data in accordance with each of the symptoms to generate captured symptom data, wherein the audit data is generated by a network traffic analyzer in accordance with an audit policy that determines an auditing level, wherein the symptom definition specifies a query condition, a time period over which to search for the query condition, and a grouping object over which to count occurrences of the query condition over the time period; 
scoring the symptoms based on the captured symptom data to generate symptom scores;
summing the symptom scores to generate a case score; 
comparing the case score to an upper audit threshold specified by the case definition and, when the case score is above the upper audit threshold, increasing the symptom lookup level and updating the audit policy to increase the audit level for an object identified in the captured symptom data, wherein the symptom lookup level determines which of the plurality of symptoms are used to query the audit data;
comparing the case score to a lower audit threshold specified by the case definition and, when the case score is below the lower audit threshold, reducing the symptom lookup level and updating the audit policy to reduce the audit level, wherein the symptom lookup level determines which of the plurality of symptoms are used to query the audit data; and 
issuing an alert when the case score exceeds an alert threshold specified by the case definition.

11-15. (Cancelled).
16. (Currently Amended) The method of claim 10, wherein the time period is equal to or greater than 60 days.
17.  (Cancelled).
18.  (Original) The method of claim 10, comprising logging the case as a violation when the case score exceeds the alert threshold specified by the case definition.

19.  (Currently Amended) A computer program product for intrusion detection comprising a computer readable storage medium having program instructions embodied therewith, wherein the computer readable storage medium is not a transitory signal per se, and wherein the program instructions are executable by a processor to cause the processor to: 
receive a case defined by a case definition, wherein the case definition comprises a plurality of symptoms and each symptom is defined by a separate symptom definition, wherein each of the plurality of symptoms is associated with a corresponding symptom lookup level, and wherein the case definition specifies a plurality of audit thresholds that determine the symptom lookup level to be applied based on a comparison of the case score with the plurality of audit thresholds; 
perform a query of the audit data in accordance with each of the symptoms to generate captured symptom data, wherein the audit data is generated by a network traffic analyzer in accordance with an audit policy that determines an auditing level, wherein the symptom definition specifies a query condition, a time period over which to search for the query condition, and a grouping object over which to count occurrences of the query condition over the time period; 
score the symptoms based on the captured symptom data to generate symptom scores; 
sum the symptom scores to generate a case score; 
compare the case score to an upper audit threshold specified by the case definition and, when the case score is above the upper audit threshold, increase the symptom lookup level and update the audit policy to increase the audit level for an object identified in the captured symptom data, wherein the symptom lookup level determines which of the plurality of symptoms are used to query the audit data;
compare the case score to a lower audit threshold specified by the case definition and, when the case score is below the lower audit threshold, reduce the symptom lookup level and update the audit policy to reduce the audit level, wherein the symptom lookup level determines which of the plurality of symptoms are used to query the audit data; and 
issue an alert when the case score exceeds an alert threshold specified by the case definition.

20. (Cancelled).
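The case-scoring loop recited in claims 1, 10 and 19, as an added illustration that is not part of the application or of this office action: symptoms at or below the current lookup level are queried over their time period and counted per grouping object, scored and summed, and the case score is compared with the lower and upper audit thresholds (moving the lookup level and the audit policy) and with the alert threshold. The audit record fields, the weight-per-occurrence scoring rule, the threshold values and the clamping of the lookup level to the range of defined symptoms are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Symptom:                 # symptom definition: lookup level, query condition, time period, grouping object
    name: str
    lookup_level: int          # queried only while the case's current lookup level is >= this
    condition: object          # predicate over one audit record (the query condition)
    period_days: int           # time period over which to search for the condition
    group_by: str              # grouping object field over which occurrences are counted
    weight: int                # constructed scoring rule: points per counted occurrence

def query_symptom(sym, audit, now):
    """Count occurrences of the query condition per grouping object inside the time period."""
    return Counter(r[sym.group_by] for r in audit
                   if now - r["day"] <= sym.period_days and sym.condition(r))

def evaluate_case(case, audit, state, now):
    """One pass: query the active symptoms, score, sum, adjust lookup level and audit policy, alert."""
    active = [s for s in case["symptoms"] if s.lookup_level <= state["lookup_level"]]
    captured = {s.name: query_symptom(s, audit, now) for s in active}
    scores = {s.name: s.weight * sum(captured[s.name].values()) for s in active}
    case_score = sum(scores.values())
    if case_score > case["upper_audit"]:            # escalate: more symptoms, deeper auditing of identified objects
        state["lookup_level"] = min(state["lookup_level"] + 1, max(s.lookup_level for s in case["symptoms"]))
        for obj in {o for c in captured.values() for o in c}:
            state["audit_policy"][obj] = state["audit_policy"].get(obj, 0) + 1
    elif case_score < case["lower_audit"]:          # de-escalate: fewer symptoms, lower audit level
        state["lookup_level"] = max(state["lookup_level"] - 1, 1)
        state["audit_policy"] = {o: lvl - 1 for o, lvl in state["audit_policy"].items() if lvl > 1}
    return {"case_score": case_score, "symptom_scores": scores,
            "alert": case_score > case["alert"], "lookup_level": state["lookup_level"]}

# Constructed audit records (now = 100): day index, source address, event, outcome, hour of day.
AUDIT = [
    {"day": 99, "src_ip": "10.0.0.5", "event": "login", "result": "fail", "hour": 14},
    {"day": 97, "src_ip": "10.0.0.5", "event": "login", "result": "fail", "hour": 15},
    {"day": 95, "src_ip": "10.0.0.5", "event": "login", "result": "fail", "hour": 2},
    {"day": 10, "src_ip": "10.0.0.5", "event": "login", "result": "fail", "hour": 14},  # outside the 30-day period
    {"day": 50, "src_ip": "10.0.0.5", "event": "login", "result": "ok", "hour": 3},
]
CASE = {"symptoms": [   # constructed case definition with two symptoms at different lookup levels
    Symptom("failed_logins", 1, lambda r: r["event"] == "login" and r["result"] == "fail", 30, "src_ip", 2),
    Symptom("off_hours_access", 2, lambda r: r["hour"] < 6, 60, "src_ip", 3),
], "lower_audit": 2, "upper_audit": 5, "alert": 10}

def run_demo():
    """Three passes over the same case: escalation, alert at the raised level, then de-escalation on quiet data."""
    state = {"lookup_level": 1, "audit_policy": {}}
    passes = [evaluate_case(CASE, audit, state, now=100) for audit in (AUDIT, AUDIT, [])]
    return passes, state
```

The first pass sees only the level-1 symptom and raises the lookup level; the second pass also queries the off-hours symptom and crosses the alert threshold; the empty third pass falls below the lower audit threshold and winds both the lookup level and the audit policy back down.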


REASONS FOR ALLOWANCE
The following is an examiner’s statement of reasons for allowance:
Deaguero et al. U.S. Pub. No. 20200067952 discloses a method for monitoring network traffic associated with networks to provide metrics, wherein a monitoring engine may determine an anomaly based on the metrics exceeding threshold values, and adjust a performance score associated with an investigation profile based on the occurrence of the investigation activities and a completion status of the investigation.
Demla et al. U.S. Pub. No. 20190171633 discloses a method for recording in an audit log data store, log records that satisfy one or more audit log rules, wherein audit log rules may be associated with one or more context attributes, and the audit log data store may be efficiently queried to provide information regarding multi-system operations because of the targeted nature of the audit log data gathering techniques.
The prior art of record does not explicitly disclose, in light of other features recited in the independent claims, wherein each of the plurality of symptoms is associated with a corresponding symptom lookup level, wherein the case definition specifies a plurality of audit thresholds that determine the symptom lookup level to be applied based on a comparison of the case score with the plurality of audit thresholds, and wherein the symptom definition specifies a query condition, a time period over which to search for the query condition, and a grouping object over which to count occurrences of the query condition over the time period.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Wu et al. U.S. Pub. No. 20190245734 discloses ranking alerts based on network monitoring.
Smyth et al. U.S. Pub. No. 20180034842 discloses automated machine learning scheme for software exploit prediction.
El-Moussa et al. U.S. Pub. No. 20170223032 discloses malicious encrypted traffic inhibitor.
Liu et al. U.S. Pub. No. 20160065620 discloses network maliciousness susceptibility analysis and rating.
Singhal et al. U.S. Pub. No. 20150288709 discloses using trust profiles for network breach detection.
Gassoway U.S. Pub. No. 20050262562 discloses method of computer security.
Mumcuoglu et al. U.S. Pat. No. 9979742 discloses identifying anomalous messages.
Ramsey et al. U.S. Pat. No. 8621618 discloses method for assessing whether a communication contains an attack.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHIN HON (ERIC) CHEN whose telephone number is (571)272-3789.  The examiner can normally be reached on Monday to Thursday 9am-7pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild, can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SHIN-HON (ERIC) CHEN/               Primary Examiner, Art Unit 2431