DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
2.    The text of those sections of Title 35 U.S. Code not included in this section can be found in the prior office action.
3.    The prior office actions are incorporated herein by reference. In particular, the observations with respect to claim language, and response to previously presented arguments.
4.    This Office action is in response to communications received on June 1, 2022. Claims 1-18, 20 and 21 are pending and addressed below.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on June 1, 2022 has been entered.

Response to Arguments
Applicant’s amendments (and Examiner’s amendments herein below) are sufficient to overcome the claim objections set forth in the previous Office Action. 
Applicant’s amendments are sufficient to overcome the 35 U.S.C. 102(a)(2) rejections set forth in the previous Office Action.

EXAMINER’S AMENDMENT
8.	An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with D. Scott Sudderth (Reg. No. 34,026) on 14 June 2022.
The application has been amended as follows:

Listing of Claims:

Claim 10 (Currently Amended)	A method for detection of one or more security threats or malicious actions, comprising: 
receiving data from one or more data producers; 
providing the data to a behavior processor; 
identifying, by the behavior processor, a plurality of behaviors from the data based on datum, features, or characteristics included therein; 
providing the plurality of identified behaviors to a tactic processor; 
identifying, by the tactic processor, one or more tactics, based on a determination that the plurality of identified behaviors relate to one or more tactics stored in a tactic data store wherein each of the one or more tactics comprise a plurality of known behaviors ordered according to a selected relationship therebetween; 
determining, by the tactic processor, a composite tactic based on a combination of at least one of the one or more identified tactics and one or more of the identified behaviors; 
submitting one or more of the one or more identified tactics or the composite tactic to a tactic classifier; and 
determining, by the tactic classifier, whether the one or more of the one or more identified tactics or the composite tactic are indicative of the one or more security threats or malicious actions based on a sequence of data comprising each of the one or more identified tactics and one or more of the identified behaviors determined to be related thereto.

Claim 14 (Currently Amended)	The method of claim 10, further comprising: 
identifying, by the behavior processor, one or more additional behaviors based on the one or more datum, features, or characteristics; the plurality of identified behaviors; or combinations thereof.

Claim 16 (Currently Amended)	The method of claim 10, further comprising: 
identifying, by the tactic processor, one or more additional tactics based on the plurality of identified behaviors, the one or more identified tactics, or combinations thereof.

Claim 18 (Currently Amended)	The method of claim 10, wherein the received data includes a system log, user metadata, infrastructure data, or combinations thereof.

Allowable Subject Matter
Independent claims 1 and 10 are allowed. Dependent claims 2-9, 11-18, 20 and 21 are allowed based on their dependency. 

Claim 1 recites, inter alia, “identify one or more tactics based on a determination that the one or more identified behaviors relate to one or more tactics stored in a tactic data store and influence applied based upon any identified attributes of the behaviors using the at least one tactic processor, wherein the influence applied based on the identified attributes may vary for each identified attribute applicable to the one or more identified tactics, wherein the influence is used to determine a confidence value of an identification of a particular tactic, and wherein the tactics comprise a plurality of known behaviors ordered according to a selected relationship therebetween”.

Claim 10 recites, inter alia, “determining, by the tactic processor, a composite tactic based on a combination of at least one of the one or more identified tactics and one or more of the identified behaviors”.

12.    The closest prior arts made of record are:
i)	Neumann (U.S. Patent No. 10,728,263 cited in the previous Office Action) which discloses that an attack identification module uses behavioral fragments to determine an attack (see col. 15 lines 5-32, col. 21 lines 1-22, col. 22 lines 9-64, col. 25 lines 20-43 and Fig. 3A of Neumann).
ii)	Ahmed et al. (U.S. Pub. No. 2019/0297096 and hereinafter referred to as Ahmed) which discloses sending behavior data and an initial determination to an inference engine and the inference engine determining if an attack is verified (see paragraph [0077] and Fig. 9 of Ahmed).

13.    None of the prior art anticipates or makes obvious the invention of the present application before the effective filing date of the claimed invention, the invention including: “identify one or more tactics based on a determination that the one or more identified behaviors relate to one or more tactics stored in a tactic data store and influence applied based upon any identified attributes of the behaviors using the at least one tactic processor, wherein the influence applied based on the identified attributes may vary for each identified attribute applicable to the one or more identified tactics, wherein the influence is used to determine a confidence value of an identification of a particular tactic, and wherein the tactics comprise a plurality of known behaviors ordered according to a selected relationship therebetween” (as recited in claim 1) and “determining, by the tactic processor, a composite tactic based on a combination of at least one of the one or more identified tactics and one or more of the identified behaviors” (as recited in claim 10). Therefore, claims 1 and 10 are considered to be allowable.

14.    None of the prior art of record, either taken by itself or in any combination, would have anticipated or made obvious the invention of the present application before the effective filing date of the claimed invention.

15.    Any comments considered necessary by applicant must be submitted no later than payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Kuppa et al. (U.S. Pub. No. 2020/0195683) – cited for teaching detecting anomalous behavior – Abstract
Ross et al. (U.S. Pub. No. 2021/0226970) – cited for teaching a behavior catalog – Abstract 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to THADDEUS J PLECHA whose telephone number is (571)270-7506. The examiner can normally be reached M-F 8-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on 571-272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/THADDEUS J PLECHA/Examiner, Art Unit 2438