DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-20 have been examined. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over US 20160301709 to Hassanzadeh et al (hereinafter Hassanzadeh) and US 20120246200 to Balasubramanian et al (hereinafter Balasubramanian).
As per claims 1, 8 and 15, Hassanzadeh teaches:
A method for generating security alerts comprising: 
obtaining an input message stream from a set of data sources, wherein the input message stream comprises a sequence of input security-related data entries in different respective native formats that varies between different data sources of the set of data sources (Hassanzadeh: [0020] In some implementations, the system 100 may include one or more security sensors (e.g., security sensors 108a, 108b, 108c, and 108d). In general, security sensors included in the system 100 may include network based (NIDS) and host based (HIDS) intrusion detection systems, intrusion prevention systems (IPS), anti-virus systems, firewalls, and other detection/logging services (e.g., web server logs, database logs, etc.) which can monitor communications activity to and from computing devices. Activity data 140a, 140b, 140c, and 140d (e.g., detected by the corresponding security sensors 108a, 108b, 108c, and 108d) may be provided to an event correlation system 150. [0021] In the present example, each of the activity data 140a, 140b, 140c, and 140d may include event and/or alert data. [0029]: Activity data received from multiple sources (e.g., multiple security sensors, intrusion detection systems, and/or other security tools) may be heterogeneous in regard to language, protocols, and standards. Such activity data may be heterogeneous, for example, not only because of different security tools in a single domain, but because of different protocol standards which may be employed in multiple different domains by the same security tool); 
wherein each output message of the output message stream comprises output security-related data entries in a standardized format independent of the data source (Hassanzadeh: [0029]: Activity data received from multiple sources (e.g., multiple security sensors, intrusion detection systems, and/or other security tools) may be heterogeneous in regard to language, protocols, and standards. Such activity data may be heterogeneous, for example, not only because of different security tools in a single domain (which may be resolved through the use of alert/event standardization/normalization tools that convert data to a standard format)); 
applying a set of security rules to the output message stream to detect a data pattern indicative of malicious activity (Hassanzadeh: [0027] After aggregating the event/alert data, for example, aggregated data can be provided by the aggregator 214 to the correlator 216. In general, the event correlation system 202 can use the correlator 216 to generate a chain of events/alerts that may correspond to a threat scenario, and the event correlation system 202 can use the pattern recognizer 218 (e.g., based on data provide by the threat intelligence data source 234) to identify attack patterns associated with the threat scenario); and 
generating a security alert to an administrative interface indicative of the detected data pattern (Hassanzadeh: [0016]: Information about the attack patterns (e.g., visualization data) may be reported to a security analyst, and may be used for implementing appropriate courses of action).
Hassanzadeh does not teach: storing a set of filters each corresponding to the different data sources of the set of data sources; applying a set of filter selection rules to a current input message of the input message stream to identify a filter from the set of filters associated with a corresponding data source from which the current input message was derived; applying, by a processor, the identified filter to the current input message to transform the current input message to a current output message of an output message stream.
storing a set of filters each corresponding to the different data sources of the set of data sources; applying a set of filter selection rules to a current input message of the input message stream to identify a filter from the set of filters associated with a corresponding data source from which the current input message was derived; applying, by a processor, the identified filter to the current input message to transform the current input message to a current output message of an output message stream (Balasubramanian: [0045]: Different networked application event data collection systems 122 can receive data from different application instrumentation modules 114 (optionally using different formats), and different Web service event data collection systems 124 can receive data from different Web service instrumentation modules 118 (optionally using different formats). [0047]: Thus, consolidated event data storage 136 stores event data obtained from various different sources, and includes both networked application event data and Web service event data. [0050] The event data is stored in consolidated event data storage 136 in a common format, regardless of the formats in which event data is received by collection systems 122 and 124. In one or more embodiments, the event data received by collection systems 122 and 124 is converted to this common format by systems 122 and 124 prior to the storage of the event data in event data storage 132 and 134, respectively. [0052] The particular component, module, or system performing the conversion of the event data into the common format is configured with (e.g., programmed with) (storing a set of filters) or otherwise obtains an indication of how to convert the event data in the format in which the event data is received by collection systems 122 and 124 into the common format. The specific manner in which the event data is converted from the format in which the event data is received by collection systems 122 and 124 into the common format can vary based on the particular formats being used. For example, networked application event data received by collection system 122 can have a particular code identifying the type of the event data, and this particular code can be converted into the appropriate name for a name-value pair including that event data. By way of another example, Web service event data received by collection system 124 can include event data sent in a particular ordering in which the type of event data is inherent in the ordering. The component, module, or system performing the conversion knows this ordering, and can readily convert the event data into the appropriate name-value pairs. The event data from the different sources is consolidated and stored in a common format regardless of the sources from which the event data is received. [0059]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Balasubramanian in the invention of Hassanzadeh to include the above limitations. The claim would have been obvious because a particular known technique was recognized as part of the ordinary capabilities of one skilled in the art (see KSR Int’l Co. v. Teleflex Inc. 550 U.S. ___, 82 USPQ2d 1385 (Supreme Court 2007) (KSR)).

As per claims 2, 9 and 16, Hassanzadeh in view of Balasubramanian teaches:
The method of claim 1, wherein the current input message comprises a key-value pair formatted based on the corresponding data source from which it was derived (Hassanzadeh: [0029]: Activity data received from multiple sources (e.g., multiple security sensors, intrusion detection systems, and/or other security tools) may be heterogeneous in regard to language, protocols, and standards. [0036] In some implementations, each of the sets of alerts 430 and 432 may have similar data formats (e.g., an intrusion detection message exchange format (IDMEF)), and may include data fields for source address, destination address, port number, timestamp, priority, and attack description).

As per claims 3, 10 and 17, Hassanzadeh in view of Balasubramanian teaches:
The method of claim 1, wherein the current input message comprises a key-value pair in a standardized format independent of the corresponding data source from which it was derived (Hassanzadeh: [0006]: A single vantage point and a standardized data exchange format may be provided for analyzing event/alert log data. [0029]: As another example, a standard format may be used for communicating activity data. Balasubramanian: [0051] In one or more embodiments, the common format in which event data is stored in consolidated event data storage 136 is a set of name-value pairs. The name refers to an identifier or description of the event or event data, and the value refers to the event data itself).

As per claims 4, 11 and 18, Hassanzadeh in view of Balasubramanian teaches:
The method of claim 1, wherein obtaining the input message stream comprises: detecting a message format of each of the input security-related data entries; and parsing the input security-related data entries according to the message format (Hassanzadeh: [0029]: For example, activity data received from multiple sources (e.g., multiple security sensors, intrusion detection systems, and/or other security tools) may be heterogeneous in regard to language, protocols, and standards. Balasubramanian: [0052]: For example, networked application event data received by collection system 122 can have a particular code identifying the type of the event data, and this particular code can be converted into the appropriate name for a name-value pair including that event data. By way of another example, Web service event data received by collection system 124 can include event data sent in a particular ordering in which the type of event data is inherent in the ordering. The component, module, or system performing the conversion knows this ordering, and can readily convert the event data into the appropriate name-value pairs).

As per claims 5, 12 and 19, Hassanzadeh in view of Balasubramanian teaches:
The method of claim 1, wherein applying the set of filter selection rules comprises: applying a data source-specific detection rule to identify characteristics of the current input message uniquely associated with the corresponding data source from which the current input message was derived (Hassanzadeh: [0036] In some implementations, each of the sets of alerts 430 and 432 may have similar data formats (e.g., an intrusion detection message exchange format (IDMEF)), and may include data fields for source address, destination address, port number, timestamp, priority, and attack description. Balasubramanian: [0052]: The particular component, module, or system performing the conversion of the event data into the common format is configured with (e.g., programmed with) or otherwise obtains an indication of how to convert the event data in the format in which the event data is received by collection systems 122 and 124 into the common format. For example, networked application event data received by collection system 122 can have a particular code identifying the type of the event data, and this particular code can be converted into the appropriate name for a name-value pair including that event data. By way of another example, Web service event data received by collection system 124 can include event data sent in a particular ordering in which the type of event data is inherent in the ordering. The component, module, or system performing the conversion knows this ordering, and can readily convert the event data into the appropriate name-value pairs).

As per claims 6, 13 and 20, Hassanzadeh in view of Balasubramanian teaches:
The method of claim 1, wherein the set of filters comprise a single filter for each of the set of data sources (Balasubramanian: [0052]: The particular component, module, or system performing the conversion of the event data into the common format is configured with (e.g., programmed with) (storing a set of filters) or otherwise obtains an indication of how to convert the event data in the format in which the event data is received by collection systems 122 and 124 into the common format. The specific manner in which the event data is converted from the format in which the event data is received by collection systems 122 and 124 into the common format can vary based on the particular formats being used. For example, networked application event data received by collection system 122 can have a particular code identifying the type of the event data, and this particular code can be converted into the appropriate name for a name-value pair including that event data. By way of another example, Web service event data received by collection system 124 can include event data sent in a particular ordering in which the type of event data is inherent in the ordering. The component, module, or system performing the conversion knows this ordering, and can readily convert the event data into the appropriate name-value pairs).

As per claims 7 and 14, Hassanzadeh in view of Balasubramanian teaches:
The method of claim 1, wherein generating the security alert comprises: generating a recommended remedial action to remediate a security threat associated with the detected data pattern (Hassanzadeh: [0027]. [0061] The alert correlation and pattern extraction system 502 can use the threat analyzer 516, for example, to analyze the threat scenarios 560, and to generate data associated with one or more courses of action 574. In some implementations, appropriate courses of action 574 may be provided for each domain (e.g., information technology and operational technology) and/or each device in an industrial control system network. Courses of action 574, for example, may include actions such as closing ports on computing devices, blocking communications that originate from particular internet protocol addresses, shutting down computing devices, and so forth).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
US 20020019945 to Houston et al: A computer-implemented system for managing security event data collected from a computing network. The system employs an event managing software module that can reside on a computing network that is being monitored with security devices. The event managing software collects security event data from security devices located in the monitored computing network and can process the security event data. In processing the security event data, the event manager module can format the data and create manageable summaries of the data. The event manager also supports storage of the security event data and the results of any processing performed on the data. Security event data can be identified by the event manager for use in responding to a security event.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359. The examiner can normally be reached 8:30AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MADHURI R. HERZOG
Primary Examiner
Art Unit 2438



/MADHURI R HERZOG/Primary Examiner, Art Unit 2438