DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. Claims 1-20 are pending and examined below. This action is in response to the claims filed 5/9/22.

Continued Examination Under 37 CFR 1.114
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 5/9/22 has been entered.

Response to Amendment
Applicant's arguments, see Remarks pages 8-13, filed 5/9/22, with respect to the rejections of claims 1 and 17 under 35 USC § 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground of rejection is made in view of Mont et al. (US 2017/0223039).

New claim 20 is likewise addressed below.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 2-7, 11-14, and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Musuvathi (US20180367550) in view of Hunt (US20180013768) and Mont et al. (US 2017/0223039).

Regarding claim 1, Musuvathi discloses a method of probing and responding to a security breach in a computer network, the method comprising (Musuvathi: [0002] describes a system that monitors data traffic patterns and determines illegitimate data traffic that is associated with a cyber-attack.): 
defining, by a device, a model to output a probability that a security breach has occurred based on an input and to generate commands (Musuvathi: [0047] discusses remedial action (command) that can be taken in response to detection of cyber-attack based on probability output computed by a model based on data instance (first portion) provided as input to the model.);
inputting the selected first portion into the model to obtain an output probability that a security breach has occurred (Musuvathi: [0047] discusses detection of cyber-attack based on probability output computed by a model based on data instance (first portion) provided as input to the model.); 
and if the output probability meets predetermined criteria: (a) determining that signs of a security breach have been detected (Musuvathi: [0047] discusses comparing outputted probability to a threshold (predetermined criteria)), 
(c) generating a second command with the model to cause a change in settings at one or more of the first nodes (Musuvathi: [0115] states remedial action (second command) comprises blocking (change in settings) an Internet Protocol (IP) address of a host or a source of the illegitimate data traffic.).
Musuvathi does not disclose:
defining first rules and second rules;
collecting data at a plurality of first nodes according to the first rules, said first nodes forming a first computer network;
storing the collected data at one or more of the plurality of first nodes or at a dedicated storage location on the first computer network;
selecting a first portion of the collected data according to the first rules;
sending the selected first portion from the first nodes to a second node, said second node forming part of a second computer network;
(b) generating a first command with the model to cause a second portion of the collected data to be selected and sent from the first nodes to the second node according to the second rules, wherein the second portion of the collected data comprises a portion of the collected data different than the first portion of collected data; and
Hunt discloses defining first rules and second rules (Hunt: [0208] discusses defining one or more (first and second) filtering criteria (rules).);
collecting data at a plurality of first nodes according to the first rules, said first nodes forming a first computer network (Hunt: [0208] discusses a first subset of nodes and collecting a subset of information based on the criteria of events caused by unauthorized users (first rules). [0006] states a network comprises a collection of nodes.);
storing the collected data at one or more of the plurality of first nodes or at a dedicated storage location on the first computer network (Hunt: [0208] discloses that the event information is provided to the local database; therefore, the collected information is stored in the local database.);
selecting a first portion of the collected data according to the first rules (Hunt: [0206] a node identifies (selecting) a subset (first portion) of event information, and [0208] discusses filtering criteria (first rules).);
sending the selected first portion from the first nodes to a second node, said second node forming part of a second computer network (Hunt: [0206] mentions returning (sending) the identified (selected) subset (portion) of the event information to the remote server.);
(b) generating a first command with the model to cause a second portion of the collected data to be selected and sent from the first nodes to the second node according to the second rules, wherein (Hunt: [0215] discusses the remote server initiating (first command) a deep dive investigation and a node uploading local context data (second portion) related to the event of interest (second rules).)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Musuvathi with the teachings of Hunt, in order to provide methods for threat detection and management for trusted connections between a node in a network and a remote server.
Musuvathi in view of Hunt does not explicitly disclose utilizing a verbosity level in combating a security threat; however, Mont discloses a system to remediate a security threat to a network including:
wherein the first portion is less than the collected data (Mont: [0060] discusses dropping data packets in a quarantine flow rule, corresponding to the recited sending less than the collected data);
wherein the sending the selected first portion is based on a verbosity level of at least one program of the device minimizing and prioritizing data volume of the first portion (Mont: [0060]-[0061] discusses minimizing bandwidth, therefore reducing flow and therefore data volume, based on user specification, corresponding to the recited basing the selected first portion on a verbosity level, where 304-2 corresponds to the recited first portion/first rule);
wherein the second rules are dynamically created in response to the detected security breach to at least select and send a volume of the collected data based on a set of at least one default selecting or sending policies associated with the verbosity level started by the device that is changed during execution of the sending (Mont: [0060]-[0061] discusses changing the minimum and maximum bandwidths as well as changing logging verbosity in two different response rules 304-1 and 304-2 respectively, where 304-1 corresponds to the recited second rule); and
wherein the verbosity level is changed dynamically to at least one of increase, decrease, or balance the second portion of the collected data for the selecting or sending policies at a next available predetermined time interval based on predetermined criteria comprising threshold probability values indicative of a security breach and a trust level of an application from which the collected data is received (Mont: [0060]-[0061] discusses increasing logging verbosity, corresponding to the recited dynamically increasing the second portion of the collected data, based on the identification of a network not being safe, corresponding to the recited predetermined criteria indicative of a security breach and a trust level of an application. The combination of the defined period of time (Musuvathi: [0035]), the threshold of likelihood of a security breach (Musuvathi: [0047]), and the verbosity inputs (Mont: [0060]-[0061]) fully discloses the elements as claimed).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Musuvathi in view of Hunt with the teachings of Mont, in order to remediate the security threat by altering a control path of the network (Mont: [0060]). 
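As an added illustration of the claim 1 procedure as recited above (constructed here; not code from the application or from Musuvathi, Hunt or Mont), the following Python ties first rules to a verbosity level, scores the first portion with a stand-in model, and, when the output probability meets the threshold, issues a first command that sends a different second portion under dynamically created second rules and a second command that changes a node setting. All event data, thresholds, rule tables and function names are assumptions.

```python
"""Constructed illustration of the claim 1 procedure (not code from the
application or from Musuvathi, Hunt or Mont): first rules keyed to a
verbosity level pick the first portion, a stand-in model scores it, and
commands switch to second rules and change node settings on a hit."""
from dataclasses import dataclass

# First rules: event kinds forwarded at each verbosity level (constructed).
VERBOSITY_RULES = {
    0: {"auth_failure"},
    1: {"auth_failure", "new_connection"},
    2: {"auth_failure", "new_connection", "process_start", "file_hash"},
}
THRESHOLD = 0.8  # predetermined criterion applied to the output probability


@dataclass
class Node:
    name: str
    collected: list          # all events collected and stored at the node
    firewall: bool = False   # setting changed by the second command


def select_portion(events, rules):
    """Select the portion of the collected events whose kind is in rules."""
    return [e for e in events if e["kind"] in rules]


def breach_probability(portion):
    """Stand-in model (assumption): share of the forwarded portion made up of
    auth failures from the single most active source."""
    if not portion:
        return 0.0
    counts = {}
    for e in portion:
        if e["kind"] == "auth_failure":
            counts[e["src"]] = counts.get(e["src"], 0) + 1
    return max(counts.values(), default=0) / len(portion)


def probe(node, verbosity):
    """One interval: select, score, and issue commands if criteria are met.
    Returns (probability, next verbosity, list of commands)."""
    first_rules = VERBOSITY_RULES[verbosity]
    first_portion = select_portion(node.collected, first_rules)
    p = breach_probability(first_portion)
    commands = []
    if p >= THRESHOLD:
        # (a) signs of a breach detected. (b) Second rules are created
        # dynamically to cover what the first rules left out, so the second
        # portion differs from the first; the first command sends it.
        second_rules = {e["kind"] for e in node.collected} - first_rules
        commands.append(("send", node.name,
                         select_portion(node.collected, second_rules)))
        # (c) Second command changes a setting at the node.
        node.firewall = True
        commands.append(("firewall_on", node.name))
        # Verbosity is raised for the next interval (claimed dynamic change).
        verbosity = min(verbosity + 1, max(VERBOSITY_RULES))
    return p, verbosity, commands


def run_demo():
    """Constructed sample: four failed logins from one source plus local events."""
    events = [{"kind": "auth_failure", "src": "10.0.0.5"} for _ in range(4)]
    events += [{"kind": "new_connection", "src": "10.0.0.5"},
               {"kind": "process_start", "src": "local"},
               {"kind": "file_hash", "src": "local"}]
    node = Node("node-a", events)
    return probe(node, verbosity=0), node
```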


Regarding claim 17, the claim is rejected under the same rationale as applied to claim 1 above.

Regarding claim 2, Hunt discloses that sending of the volume of the collected data comprising sending selected first and second portions is performed at first predetermined time intervals (Hunt: [0205]-[0206] states that subsets of data are sent to the remote server at regular predetermined intervals. Therefore, the second subset (second portion) of data is sent an interval after the first subset (first portion) is sent.).

Regarding claim 3, Hunt discloses, if the output probability meets predetermined criteria (Hunt: [0073] states detection of an IOC (criteria) indicates a high probability of compromise), generating a third command with the model to cause the length of time between each of the first predetermined time intervals to be changed (Hunt: [0205] states the remote server periodically deploys the integrity reporting request (third command) at a predetermined schedule. Therefore, the time intervals can be changed.).

Regarding claim 4, Hunt discloses changing that comprises decreasing the length of time between each of the first predetermined time intervals (Hunt: [0205] states that the intervals are predetermined. So, the time intervals can be increased or decreased.).

Regarding claim 5, Hunt discloses a method wherein said inputting is performed at the first nodes (Hunt: [0206] states requested information is received (inputting) by the remote server (first nodes)); and said first, second, and third commands are generated by the model at the first node (Hunt: [0205] states the remote server (model and first node) periodically deploys the integrity reporting request. Since the request (command) is deployed periodically, first, second, and third requests (commands) occur over time.).

Regarding claim 6, Hunt discloses a method wherein said inputting is performed at the second node (Hunt: [0206] states requested information is received (inputting) by the remote server (first nodes)); and said first and third commands are generated by the model at the second node (Hunt: [0205] states the remote server (model and first node) periodically deploys the integrity reporting request. Since the request (command) is deployed periodically, first, second, and third requests (commands) occur over time.).

Regarding claim 7, Musuvathi discloses defining a model that comprises training a neural network using a training data set (Musuvathi: [0029] states a number of processing nodes (neural network) provide training data subsets locally, and further generate a global model as mentioned in [0033].);
and said defining first and second rules is performed by the trained neural network (Musuvathi: [0105] states that a set of global model parameters (first and second rules) are generated).

Regarding claim 11, Hunt discloses a method comprising defining third rules; and if the output probability meets predetermined criteria (Hunt: [0073] states detection of IOC (criteria) indicates high probability of compromise): generating a fourth command with the model to cause a third portion of the collected data to be selected according to the third rules and sent from the first nodes to the second node (Hunt: [0209] discusses integrity reporting request (fourth command) and the integrity reporting criterion can include two or more filtering criteria (third rules).); and
performing sending of a selected third portion at second predetermined time intervals (Hunt: [0205] - [0206] states that subsets of data are sent to the remote server at regular predetermined intervals. Therefore, the third portion is sent after the second after a time interval.).

Regarding claim 12, Musuvathi discloses a method wherein the first, second and third portions comprise one or more selected from the list of: program or file hashes, files stored at the first nodes, logs of network traffic, logs of network connections (Musuvathi: [0046] states features of a data instance (portions) comprise a number of sources or hosts identifiable via IP addresses that attempt to establish a connection in a defined period of time.), process logs, binaries or files carved from memory, and logs from monitoring actions executed by programs running at the first nodes.

Regarding claim 13, Musuvathi discloses a method wherein said training data set is compiled from said logs from monitoring actions executed by programs running at the first node and said training is determined to be complete when a predetermined error rate threshold has been met or when the model has been trained on a predetermined amount of training data (Musuvathi: [0058] states training data subset includes data instances of a feature set (logs) and a label indicating whether received data traffic comprises a known cyber-attack. [0045] mentions training data subset that includes quantities (amount) of training data instances (Fig. 3) to complete a training for a model.).

Regarding claim 14, Hunt discloses a method comprising storing the collected data at one or more of the first nodes, or at a dedicated storage location on the first computer network (Hunt: [0202] states event information is stored locally in the local database of the respective node.).

Regarding claim 16, Musuvathi discloses a method wherein said change in settings comprises one or more of the list of: preventing one or more of the first nodes from being switched off; switching on a firewall at one or more of the first nodes (Musuvathi: [0115] states remedial action (second command) comprises blocking (change in settings) an Internet Protocol (IP) address of a host or a source of the illegitimate data traffic.); warning a user of one or more of the first nodes that signs of a security breach have been detected; and/or sending a software update to one or more of the first nodes.

Regarding claim 18, Musuvathi discloses a computer program product comprising a non-transitory computer storage medium having computer code stored thereon which, when executed on a computer system, causes the network security system to perform operations according to claim 17 (Musuvathi: [0138] states that all of the methods and processes described may be embodied in, and fully automated via, software code modules executed by one or more general purpose computers or processors).

Regarding claim 19, Hunt discloses the second portion of the collected data comprises a portion of the collected data different than the first portion of collected data (Hunt: [0206] discloses "event information" as the first portion, and [0215] discloses "context data" as the second portion. Therefore, the first portion of the collected data is different from the second portion of the collected data.).

Regarding claim 20, Mont discloses the verbosity level for a specific program or group of programs of the at least one program changes the selected first portion sent to the second node forming part of the second computer network to a defined minimal value based on at least one predefined data collection condition being met in order to enable the second node to reduce a required time for reception, processing, and analyzing the selected portion of data (Mont: [0060]-[0061] discloses allowing a user to specify a minimum and maximum (minimal value based on at least one predefined data collection condition) in order to allow forensics to take place without interruption to the network or utilization of a contested switch port analyzer (SPAN) (corresponding to the recited enabling the second node to reduce a required time for reception, processing, and analyzing the selected portion of data).).

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Musuvathi (US20180367550) in view of Hunt (US20180013768) and Strub et al. (US20070153689) as applied to the parent claim above, and further in view of Wright (US20180063190).

Regarding claim 8, Musuvathi in view of Hunt and Strub discloses the invention as in the parent claim above.
Musuvathi in view of Hunt and Strub does not disclose a method wherein said defining a model comprises defining exact or heuristic rules.
Wright discloses a method wherein said defining a model comprises defining exact or heuristic rules (Wright: [0056] states models possessing heuristic properties.).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Musuvathi and Hunt with the teachings of Wright, in order to provide methods for identifying phishing websites and hindering associated activity.

Claims 9 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Musuvathi (US20180367550) in view of Hunt (US20180013768) and Strub as applied to the parent claim above, and further in view of Lam (US20200028874).

Regarding claim 9, Musuvathi in view of Hunt and Strub discloses the invention as in the parent claim above.
Musuvathi in view of Hunt and Strub does not disclose a method wherein said defining a model comprises defining a fuzzy logic based model.
Lam discloses a method wherein said defining a model comprises defining a fuzzy logic based model (Lam: [0055] discusses fuzzy logic models.).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Musuvathi in view of Hunt and Strub with the teachings of Lam, in order to provide methods for responding to cyberattacks using counter intelligence bot technology as taught by Lam.

Claims 9 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Musuvathi (US20180367550) in view of Hunt (US20180013768) and Strub as applied to the parent claim above, and further in view of Howard (US20180288126).

Regarding claim 10, Musuvathi in view of Hunt and Strub discloses the invention as in the parent claim above.
Musuvathi in view of Hunt and Strub does not disclose a method wherein said defining a model comprises defining a statistical inference based model.
Howard discloses a method wherein said defining a model comprises defining a statistical inference based model (Howard: [0248] discusses statistical inference being utilized for the anomaly detectors.).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Musuvathi in view of Hunt and Strub with the teachings of Howard, in order to provide methods for detection of intentional and non-intentional anomalies on dedicated IP surveillance networks as taught by Howard.

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Musuvathi (US20180367550) in view of Hunt (US20180013768) and Strub et al. (US20070153689) as applied to the parent claim above, and further in view of Tanzer (US20070255818).

Regarding claim 15, Musuvathi in view of Hunt and Strub discloses the invention as in the parent claim above.
Musuvathi in view of Hunt and Strub does not disclose a method comprising generating a command with the model to cause the remainder of the collected data which does not form part of the first, the second or the third portion to be sent from the first nodes to the second node.
Tanzer discloses a method comprising generating a command with the model to cause the remainder of the collected data which does not form part of the first, the second or the third portion to be sent from the first nodes to the second node (Tanzer: [0069] states remaining capture data is transmitted to the collecting server.).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Musuvathi in view of Hunt and Strub with the teachings of Tanzer, in order to provide methods for detecting possible security breach as taught by Tanzer.

Additional References Cited
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 

Conikee et al. (US 2019/0108342) discloses a system for securing applications from threats, including increasing/reducing the verbosity based on the severity of the threat (Conikee: [0067]).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Matthew J Reda whose telephone number is (408)918-7573.  The examiner can normally be reached on Monday - Friday 7-4 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hunter Lonsberry can be reached on (571) 272-7298.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/M.J.R./Examiner, Art Unit 3665
/HUNTER B LONSBERRY/Supervisory Patent Examiner, Art Unit 3665