DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The amendment filed 4/25/2022 has been placed of record in the file.
Claim 1 has been amended.
Claims 1-9 are pending.
The applicant’s arguments with respect to claims 1-9 have been considered but are moot in view of the following new grounds of rejection.

Response to Amendment
Claims have been amended to further define the plurality of rules.  The amendment provides a change in scope to the independent claim as the independent claim now explicitly states deriving the plurality of rules by correlating the plurality of indicators.  However, none of the amended claims show a patentable distinction over the prior art as evidenced by the following new grounds of rejection.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Joshi et al. (U.S. Patent Application Publication Number 2014/0337974), hereinafter referred to as Joshi, in view of Laidlaw et al. (U.S. Patent Application Publication Number 2015/0163242), hereinafter referred to as Laidlaw.
Joshi disclosed techniques for context aware intrusion detection utilizing reasoning logic rules.  In an analogous art, Laidlaw disclosed techniques for generating rule bases in order to profile cyber threats.  Both systems are directed toward predicting cyber attacks in networked computer systems.
Regarding claim 1, Joshi discloses a method of predicting cyber threats, comprising: providing a processor in communication with a tangible storage medium storing instructions that are executed by the processor to perform operations comprising: accessing a first dataset defining communications from forums and marketplaces associated with a hacker community (paragraph 52, nontraditional data sources); learning a plurality of rules by correlating a plurality of indicators generated from the first dataset and ground truth information associated with known cyberattacks (paragraph 63, reasoning logic rules based on traditional and nontraditional data sources), the plurality of indicators including mappings between a vulnerability and a platform known to be susceptible to the vulnerability (paragraph 62, extracts product with particular vulnerability); and predicting a cyber threat, including: identifying an indicator of the plurality of indicators from a second dataset, the second dataset defining additional communications from the hacker community and the indicator being a precondition to a corresponding rule of the plurality of rules (paragraph 65, data gathered from nontraditional data sources), and applying information associated with the indicator to the corresponding rule of the plurality of rules to output at least one prediction of an attack associated with the cyber threat (paragraph 65, compares rules with data gathered and flags potential attack).
Joshi does not explicitly state that the learning the plurality of rules comprises deriving the plurality of rules.  However, generating rule bases in such a fashion was well known in the art as evidenced by Laidlaw.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Joshi by adding the ability for deriving the plurality of rules as provided by Laidlaw (see paragraph 119, rule base derived from model using machine learning).  One of ordinary skill in the art would have recognized the benefit that managing cyber threats in this way would assist administrators in effectively policing access to computer resources (see Laidlaw, paragraph 12).
Regarding claim 2, the combination of Joshi and Laidlaw discloses generating the plurality of rules by deriving a set of probability boundaries of future actions using an annotated probabilistic temporal logic rules framework and narrowing the set of probability boundaries (Joshi, paragraph 76, determines possibility of attack, and paragraph 87, initial data corpus annotated).
Regarding claim 8, the combination of Joshi and Laidlaw discloses wherein a plurality of rule-learning approaches are applied to learn a set of temporal correlations between the first dataset and the known cyberattacks (Joshi, paragraph 41, uses traditional and nontraditional sensors collaboratively).

10.	Claims 3-7 are rejected under 35 U.S.C. 103 as being unpatentable over Joshi in view of Laidlaw, further in view of Schultz et al. (U.S. Patent Application Publication Number 2015/0381649), hereinafter referred to as Schultz.
The combination of Joshi and Laidlaw disclosed techniques for context aware intrusion detection utilizing reasoning logic rules.  In an analogous art, Schultz disclosed techniques for forecasting the risk of cyber attacks on targeted networks.  Both systems are directed toward predicting cyber attacks in networked computer systems.
Regarding claim 3, the combination of Joshi and Laidlaw does not explicitly state wherein one of the plurality of rules defines a probability value for the attack associated with the cyber threat occurring within a predetermined time interval of a condition being true.  However, tying attack probabilities to time conditions was well known in the art as evidenced by Schultz.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Joshi and Laidlaw by adding the ability that one of the plurality of rules defines a probability value for the attack associated with the cyber threat occurring within a predetermined time interval of a condition being true as provided by Schultz (see paragraph 191, event time obeys probability distribution).  One of ordinary skill in the art would have recognized the benefit that integrating security alert data and traffic from different products with uncertainties would allow intrusion detection systems to further reduce false alarm rates (see Schultz, paragraph 6).
Regarding claim 4, the combination of Joshi, Laidlaw, and Schultz discloses wherein a point frequency function of the annotated probabilistic temporal logic rules framework is applied to output a frequency value for the attack following identification of the indicator from the second dataset in an exact time interval and defines a predetermined precise temporal relationship between the attack and the indicator (Schultz, paragraph 197, event times as discrete, and paragraph 216, non-stationary probabilities of event times).
Regarding claim 5, the combination of Joshi and Laidlaw does not explicitly state wherein an existential frequency function of the annotated probabilistic temporal logic rules framework is applied to output a frequency value for the attack following identification of the indicator within a predetermined number of time points and defines a specified temporal relationship between the attack and the indicator.  However, tying attack probabilities to time conditions was well known in the art as evidenced by Schultz.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Joshi and Laidlaw by adding the ability that an existential frequency function of the annotated probabilistic temporal logic rules framework is applied to output a frequency value for the attack following identification of the indicator within a predetermined number of time points and defines a specified temporal relationship between the attack and the indicator as provided by Schultz (see paragraph 197, event times as variable, and paragraph 216, non-stationary probabilities of event times).  One of ordinary skill in the art would have recognized the benefit that integrating security alert data and traffic from different products with uncertainties would allow intrusion detection systems to further reduce false alarm rates (see Schultz, paragraph 6).
Regarding claim 6, the combination of Joshi, Laidlaw, and Schultz discloses wherein the frequency value for the attack following the indicator in an exact time interval is calculated using a probability interval (Schultz, paragraph 216, probabilities depend on changes in probability distributions that occur at discrete time intervals).
Regarding claim 7, the combination of Joshi, Laidlaw, and Schultz discloses wherein the frequency value for the attack following the indicator within a predetermined number of time points is calculated using a probability interval (Schultz, paragraph 216, probabilities depend on changes in probability distributions that occur at discrete time intervals).

11.	Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Joshi in view of Laidlaw, further in view of Yampolskiy et al. (U.S. Patent Number 9,294,498), hereinafter referred to as Yampolskiy.
The combination of Joshi and Laidlaw disclosed techniques for context aware intrusion detection utilizing reasoning logic rules.  In an analogous art, Yampolskiy disclosed techniques for determining cybersecurity risk scores by collecting data associated with entities.  Both systems are directed toward predicting cyber attacks in networked computer systems.
Regarding claim 9, the combination of Joshi and Laidlaw does not explicitly state wherein a plurality of indicator extractors are applied to extract indicators from the first dataset and assigns a confidence score to extraction of the indicator.  However, utilizing confidence scores in cybersecurity systems was well known in the art as evidenced by Yampolskiy.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Joshi and Laidlaw by adding the ability that a plurality of indicator extractors are applied to extract indicators from the first dataset and assigns a confidence score to extraction of the indicator as provided by Yampolskiy (see column 18, lines 58-66, determines confidence level for data collected).  One of ordinary skill in the art would have recognized the benefit that assessing cybersecurity risk in such a fashion would assist entities in making meaningful decisions about improving cybersecurity performance (see Yampolskiy, column 1, lines 43-55).

Conclusion
12.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
13.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Victor Lesniewski whose telephone number is (571)272-2812. The examiner can normally be reached Monday thru Friday, 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin, can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/Victor Lesniewski/ Primary Examiner, Art Unit 2493