DETAILED ACTION
This office action is in response to the original application filed on February 23, 2021.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claims 1-15 are pending.

Claim Objections
Claims 1, 8 and 15 are objected to because of the following informalities: claims 1, 8, and 15 include the term SIEM in abbreviation form. SIEM should be presented as “Security Information and Event Management” at least once in the independent claims. Appropriate correction is required.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-2, 6-9 and 13-15 are rejected under 35 U.S.C. 103 as being unpatentable over Milazzo (US Pub. No. 2020/0186569) in view of Hatsutori (US Pub. No. 2019/0065755).

As per claim 1, Milazzo discloses:
A system for identifying missing organizational security detection system rules, the system comprising at least one processing circuitry configured to: provide a known cyber-attack techniques repository including information of known cyber-attack techniques and required SIEM rules required for protecting against each of the known cyber-attack techniques, (paragraph 30 of Milazzo, if the security event history trend database has a matching entry with that of the extracted attack characteristics, within a fuzzy tolerance, e.g., a degree of matching is equal to or above a predetermined threshold, and the corresponding entry indicates a particular SIEM rule was used previously in response to that identified attack or threat, then SIEM rules management system may identify that SIEM rule as an existing SIEM rule that handles the identified attack or threat. If there is not an explicit identification of a SIEM rule in this manner, then a search query is generated by the SIEM rules management system that includes the attack characteristics, categories, or the like, as identified from the ingested data) and (paragraph 31 of Milazzo, the search query is then applied to the SIEM rule database to identify one or more SIEM rules that have a sufficiently high match with the attack characteristics, categories, and/or the like, specified in the SIEM rule search query. Again, fuzzy matching criteria may be utilized that indicates a minimum degree of matching required to indicate that a corresponding SIEM rule matches the SIEM rule search query criteria. The matching SIEM rules may be ranked relative to one another based on their degrees of matching. The highest ranking SIEM rule may then be analyzed to determine if it has a sufficiently high match to the attack characteristics to indicate that the existing SIEM rule is sufficient to handle the attack or threat.
If the SIEM rule is a 100% match, then a determination may be made that there is a pre-existing SIEM rule that handles the attack or threat and that no updates to the SIEM rule are necessary. However, if the match is not 100%, but is equal to or higher than a predetermined threshold, e.g., a match of 80% or greater but less than 100%, then a determination may be made that there is a pre-existing SIEM rule that can handle the attack or threat, but that the pre-existing SIEM rule may need some updates to make it a 100% match for handling the attack or threat).
Obtain existing SIEM rules of a SIEM of an organization, (paragraph 8 of Milazzo, the method comprises evaluating, by a security rule query engine of the security rules management system, existing security rules present in a security rules database to determine if any existing security rule addresses the attack characteristics) and (paragraph 30 of Milazzo, the SIEM rules management system generates a query to search a SIEM rule database to determine if there is a SIEM rule that already exists that is designed to handle the identified attack or threat).
Compare the SIEM rules to the required SIEM rules to identify missing rules, being the required SIEM rules not included in the SIEM rules. (paragraph 31 of Milazzo, the search query is then applied to the SIEM rule database to identify one or more SIEM rules that have a sufficiently high match with the attack characteristics, categories, and/or the like, specified in the SIEM rule search query. Again, fuzzy matching criteria may be utilized that indicates a minimum degree of matching required to indicate that a corresponding SIEM rule matches the SIEM rule search query criteria. The matching SIEM rules may be ranked relative to one another based on their degrees of matching. The highest ranking SIEM rule may then be analyzed to determine if it has a sufficiently high match to the attack characteristics to indicate that the existing SIEM rule is sufficient to handle the attack or threat. If the SIEM rule is a 100% match, then a determination may be made that there is a pre-existing SIEM rule that handles the attack or threat and that no updates to the SIEM rule are necessary. However, if the match is not 100%, but is equal to or higher than a predetermined threshold, e.g., a match of 80% or greater but less than 100%, then a determination may be made that there is a pre-existing SIEM rule that can handle the attack or threat, but that the pre-existing SIEM rule may need some updates to make it a 100% match for handling the attack or threat).
Milazzo teaches the method of comparing the attack characteristics against the pre-existing SIEM rules to check whether an update to a pre-existing SIEM rule is necessary (see paragraph 31 of Milazzo), but fails to disclose:
The known rules being in a generic SIEM rules format; the existing SIEM rules being in a vendor-specific language, other than the generic SIEM rules format; translate the existing SIEM rules to the generic SIEM rules format, using a translation system, giving rise to translated SIEM rules;
However, in the same field of endeavor, Hatsutori teaches this limitation as, (paragraph 4 of Hatsutori, the computer-implemented method comprises converting the SIEM rules to formal representations; generating rule abstraction of the formal representations, by using an abstraction function; constructing a finite automaton based on the rule abstraction; eliminating irrelevant transitions in the finite automaton to generate an optimized finite automaton; generating optimized formal rules, based on the optimized finite automaton; converting the optimized formal rules to optimized SIEM rules; and deploying the optimized SIEM rules in a network of event processors) and (paragraph 27 of Hatsutori, the computer system or server converts the SIEM (Security Information and Event Management) rules to formal representations. At this step, the input is the SIEM rules and the output is the formal rules).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Milazzo and include the above limitation using the teaching of Hatsutori in order to transform the detection rules and deploy the transformed rule to the system and compare the stored rule with the transformed rule (see paragraph 1 of Hatsutori).
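The workflow recited in claim 1 and the matching bands described in paragraph 31 of Milazzo (100% match means no update, a match at or above a threshold such as 80% means an existing rule that may need updating, anything below means no suitable rule) can be illustrated in code. The following is an added example written for this discussion; it is not code from the application, from Milazzo, or from Hatsutori. The generic rule format, the vendor-specific dialect, the translator, the technique names, and every rule in the repository are constructed for illustration only, and the similarity measure (a Dice coefficient over rule tokens) is one assumed choice of fuzzy matching criterion.

```python
"""Added example: identify missing detection rules by translating an
organization's vendor-specific SIEM rules into a generic format and fuzzily
comparing them against the rules a known-techniques repository requires.
All formats, rules and names below are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed repository: known technique -> required rules, already in the
# generic format "key=value key!=value key>=value ...". The technique names
# are illustrative labels, not identifiers from any real catalogue.
KNOWN_TECHNIQUES: Dict[str, List[str]] = {
    "credential-brute-force": ["event=auth.failure source=* count>=20 window=5m"],
    "suspicious-scheduled-task": ["event=task.create user!=SYSTEM path=*\\Temp\\*"],
    "office-spawns-shell": [
        "event=process.create parent=winword.exe child=powershell.exe count>=1 window=1m"
    ],
    "outbound-beaconing": ["event=net.connect dest_port=4444 count>=1 window=1m"],
}

# Constructed existing rules of the organization in a made-up vendor dialect:
# "key:value" clauses joined by " AND ", with the operator prefixed to the value.
EXISTING_VENDOR_RULES: List[str] = [
    "event:auth.failure AND source:* AND count:>=20 AND window:5m",
    "event:task.create AND user:!=SYSTEM AND path:*\\Temp\\*",
    "event:process.create AND parent:winword.exe AND child:cmd.exe AND count:>=1 AND window:1m",
    "event:net.connect AND dest_port:443 AND count:>=100 AND window:1m",
]


def translate_to_generic(vendor_rule: str) -> str:
    """Assumed translation system for the made-up dialect: each 'key:[op]value'
    clause becomes a 'key<op>value' token, with '=' as the default operator."""
    tokens = []
    for clause in vendor_rule.split(" AND "):
        key, value = clause.split(":", 1)
        m = re.match(r"(!=|>=|<=)?(.*)", value)
        op = m.group(1) or "="
        tokens.append(f"{key}{op}{m.group(2)}")
    return " ".join(tokens)


def similarity(required: str, candidate: str) -> float:
    """Dice coefficient over rule tokens: 1.0 for identical rule content,
    0.8 when e.g. four of five tokens agree, 0.0 for no overlap."""
    a, b = set(required.split()), set(candidate.split())
    return 2 * len(a & b) / (len(a) + len(b))


@dataclass
class Finding:
    technique: str
    required_rule: str
    best_match: Optional[str]  # best translated existing rule, if any
    score: float
    status: str  # "exact", "needs-update" or "missing"


def find_missing_rules(known: Dict[str, List[str]], vendor_rules: List[str],
                       threshold: float = 0.8) -> List[Finding]:
    """For every required rule, rank the translated existing rules by degree of
    matching and classify the best one using the 100% / threshold bands."""
    translated = [translate_to_generic(r) for r in vendor_rules]
    findings: List[Finding] = []
    for technique, required_rules in known.items():
        for req in required_rules:
            ranked = sorted(((similarity(req, t), t) for t in translated), reverse=True)
            score, best = ranked[0] if ranked else (0.0, None)
            if score == 1.0:
                status = "exact"          # existing rule already covers the technique
            elif score >= threshold:
                status = "needs-update"   # covered, but the existing rule should be revised
            else:
                status = "missing"        # no sufficiently similar rule exists
            findings.append(Finding(technique, req, best, round(score, 3), status))
    return findings


def missing_rules(findings: List[Finding]) -> List[str]:
    """The required rules not present in the organization's SIEM."""
    return [f.required_rule for f in findings if f.status == "missing"]


if __name__ == "__main__":
    for f in find_missing_rules(KNOWN_TECHNIQUES, EXISTING_VENDOR_RULES):
        print(f"{f.technique:28s} {f.status:12s} score={f.score:.2f}")
```

With the constructed inputs, the brute-force and scheduled-task rules translate to exact matches, the office-spawns-shell rule matches at 0.8 (the vendor rule watches for cmd.exe rather than powershell.exe, so it is reported as needing an update), and the beaconing rule falls to 0.5 and is reported as missing. Swapping in a different translator or similarity measure changes only `translate_to_generic` and `similarity`; the banding logic stays the same.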

Claims 8 and 15 are rejected for the same reasons set forth in the rejection of claim 1.

As per claim 2, Milazzo in view of Hatsutori discloses:
Milazzo teaches the method of comparing the attack characteristics against the pre-existing SIEM rules to check whether an update to a pre-existing SIEM rule is necessary (see paragraph 31 of Milazzo), but fails to disclose:
The system of claim 1, wherein the processing circuitry is further configured, upon identification of the missing rules, to: translate the missing rules to the vendor-specific language, giving rise to translated required rules; and add the translated required rules to the SIEM of the organization.
However, in the same field of endeavor, Hatsutori teaches this limitation as, (paragraph 4 of Hatsutori, the computer-implemented method comprises converting the SIEM rules to formal representations; generating rule abstraction of the formal representations, by using an abstraction function; constructing a finite automaton based on the rule abstraction; eliminating irrelevant transitions in the finite automaton to generate an optimized finite automaton; generating optimized formal rules, based on the optimized finite automaton; converting the optimized formal rules to optimized SIEM rules; and deploying the optimized SIEM rules in a network of event processors).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Milazzo and include the above limitation using the teaching of Hatsutori in order to transform the detection rules and deploy the transformed rule to the system (see paragraph 1 of Hatsutori).

Claim 9 is rejected for the same reasons set forth in the rejection of claim 2.

As per claim 6, Milazzo in view of Hatsutori discloses:
The system of claim 1, wherein the comparison between the translated SIEM rules and the required SIEM rules is based on a similarity criterion. (Paragraph 79 of Milazzo, the attack characteristics 120 extracted from the ingested data may be used to match to entries in the security event history trend database 140 to determine if a similar set of attack characteristics 120 were encountered previously and the corresponding action taken, e.g., existing SIEM rule used, new SIEM rule generated by the SIEM rules management system, or the like).

Claim 13 is rejected for the same reasons set forth in the rejection of claim 6.

As per claim 7, Milazzo in view of Hatsutori discloses:
The system of claim 1, wherein the organizational security detection system is a Security Information and Event Management (SIEM) system, an Endpoint Detection and Response (EDR) system or a firewall. (Paragraph 1 of Milazzo, the present application relates generally to an improved data processing apparatus and method and more specifically to mechanisms for generating security rules, e.g., security information and event management (SIEM) rules, based on a cognitive and industry analysis).

Claim 14 is rejected for the same reasons set forth in the rejection of claim 7.

Claims 3-4 and 10-11 are rejected under 35 U.S.C. 103 as being unpatentable over Milazzo (US Pub. No. 2020/0186569) in view of Hatsutori (US Pub. No. 2019/0065755) and further in view of Berlin (US Pub. No. 2018/0041536).

As per claim 3:
The combination of Milazzo and Hatsutori teaches the method of comparing the attack characteristics against the pre-existing SIEM rules to check whether an update to a pre-existing SIEM rule is necessary (see paragraph 31 of Milazzo), but fails to disclose:
The system of claim 1, wherein the translation system is an encoder-decoder neural network.
However, in the same field of endeavor, Berlin teaches this limitation as, (paragraph 5 of Berlin, the processor is configured to identify a feature vector for a potentially malicious file and provide the feature vector as an input to a trained neural network autoencoder to produce a modified feature vector. The processor is configured to generate an output vector by introducing Gaussian noise into the modified feature vector to ensure a Gaussian distribution for the output vector within a set of modified feature vectors. The processor is configured to provide the output vector as an input to a trained neural network decoder associated with the trained neural network autoencoder to produce an identifier of a class associated with the set of modified feature vectors. The processor is configured to perform a remedial action on the potentially malicious file based on the potentially malicious file being associated with the class).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Milazzo and Hatsutori to include the above limitation using the teaching of Berlin in order to compare and perform a remedial action on the potentially malicious file based on the result of the comparison process (see abstract of Berlin).

Claim 10 is rejected for the same reasons set forth in the rejection of claim 3.

As per claim 4:
The combination of Milazzo and Hatsutori teaches the method of comparing the attack characteristics against the pre-existing SIEM rules to check whether an update to a pre-existing SIEM rule is necessary (see paragraph 31 of Milazzo), but fails to disclose:
The system of claim 3, wherein the encoder-decoder neural network is trained using a training set including the known rules and known translation of the known-rules to the vendor-specific language.
However, in the same field of endeavor, Berlin teaches this limitation as, (paragraph 5 of Berlin, the processor is configured to identify a feature vector for a potentially malicious file and provide the feature vector as an input to a trained neural network autoencoder to produce a modified feature vector. The processor is configured to generate an output vector by introducing Gaussian noise into the modified feature vector to ensure a Gaussian distribution for the output vector within a set of modified feature vectors. The processor is configured to provide the output vector as an input to a trained neural network decoder associated with the trained neural network autoencoder to produce an identifier of a class associated with the set of modified feature vectors. The processor is configured to perform a remedial action on the potentially malicious file based on the potentially malicious file being associated with the class) and (paragraph 16 of Berlin, processor can extract features from a potential malware file. In one embodiment, the processor can train a deep neural network to modify the features to more closely identify a match between the potential malware file and known samples of malware files. The deep neural network can be trained based on triple loss function neural networks and/or based on variational autoencoder neural networks. The processor can then identify an identity of the potential malware file based on matching the modified features to known malware samples).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Milazzo and Hatsutori to include the above limitation using the teaching of Berlin in order to compare and perform a remedial action on the potentially malicious file based on the result of the comparison process (see abstract of Berlin).

Claim 11 is rejected for the same reasons set forth in the rejection of claim 4.

Claims 5 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Milazzo (US Pub. No. 2020/0186569) in view of Hatsutori (US Pub. No. 2019/0065755) and further in view of Bhatia (US Pub. No. 2020/0272741).

As per claim 5:
The combination of Milazzo and Hatsutori teaches the method of comparing the attack characteristics against the pre-existing SIEM rules to check whether an update to a pre-existing SIEM rule is necessary (see paragraph 31 of Milazzo), but fails to disclose:
The system of claim 1, wherein the database is MITRE ATT&CK database.
However, in the same field of endeavor, Bhatia teaches this limitation as, (paragraph 63 of Bhatia, the SIEM rules are reformatted into various characteristics of the corresponding SIEM rules, including a rule name, tests performed by the rule, and other features identified in the content of the rule definition in the SIEM rule data structure 134 identified via the parsing) and (paragraph 96 of Bhatia, the rule generation engine 122 comprises a Recurrent Neural Network (RNN) 124 that is trained using a supervised machine learning operation, to learn, from threat intelligence feeds, such as from threat intelligence feed computing systems 160, e.g., Mitre ATT&CK databases, NVD CVEs, and the like, how to predict the rule components from the rule component database 126 to utilize to define a new SIEM rule to address new threats).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Milazzo and Hatsutori to include the above limitation using the teaching of Bhatia in order to enhance the security of the computing system by enhancing the SIEM rule set to include a rule that addresses a threat which may not be adequately addressed by the existing SIEM rules (see paragraph 40 of Bhatia).

Claim 12 is rejected for the same reasons set forth in the rejection of claim 5.

Conclusion
The prior art made of record and not relied upon that is considered pertinent to applicant’s disclosure is Kouznetsov (US Pub. No. 2016/0156642). Kouznetsov discloses methods and systems for implementing a process for universal interception of events in a computing system using a novel Universal Interception Manager.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to TESHOME HAILU whose telephone number is (571)270-3159. The examiner can normally be reached M-F 8 a.m. - 5 p.m.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571) 272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/TESHOME HAILU/Primary Examiner, Art Unit 2434