Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
This is the initial office action has been issued in response to patent application, 17/115974, filed on 09 December 2020 with continuation date of 26 July 2017.  Claims 1-25, as originally filed, are currently pending and have been considered below.  

Information Disclosure Statement
The information disclosure statement filed 12/09/2020, 07/29/2021, and 11/08/2021 complies with the provisions of 37 CFR 1.97, 1.98 and MPEP § 609 and the information referred to therein has been considered as to the merits.  


Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.   A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).




Claims 1-25 are rejected under 35 U.S.C. 101 as claiming the same invention as that of claims 1-25, of Patent 10560487 (application 15/660016).  

Claims 1-25:
Claims 1-25 have similar limitations as in claims 1-25, of Patent 10560487 (application 15/660016).  Although the conflicting claims are not identical; they are not patentably distinct from each other because both applications claim intercepting, by a security agent …a first subset of a plurality of events … according to a first learned security policy …identifying… an anomaly … executing … a mitigation action. Claims 1-25 are rejected under the reasons as set forth above.  


This is an obviousness-type double patenting rejection because the conflicting claims have not in fact been patented.


Claims 1-25 in the instant application correspond to claims 1-25, of Patent 10560487 (application 15/660016).  Since claims 1-25 are A computer-implemented method/system/product: intercepting, by a security agent …a first subset of a plurality of events … according to a first learned security policy … identifying… an anomaly … executing … a mitigation action and claims 1-25, of Patent 10560487 (application 15/660016) are A computer-implemented method/system/product: intercepting, by a security agent …a first subset of a plurality of events … according to a first learned security policy … identifying… an anomaly … executing … a mitigation, it would have been obvious to modify claims 1-25 of Patent 10560487 (application 15/660016) to get Claims 1-25 in the instant application.


Claims 1-25 are rejected under 35 U.S.C. 101 as claiming the same invention as that of claims 1-25, of Patent 10965717 (application 16/675317).  

Claims 1-25:
Claims 1-25 have similar limitations as in claims 1-25, of Patent 10965717 (application 16/675317).  Although the conflicting claims are not identical; they are not patentably distinct from each other because both applications claim intercepting, by a security agent …a first subset of a plurality of events … according to a first learned security policy …identifying… an anomaly … executing … a mitigation action. Claims 1-25 are rejected under the reasons as set forth above.  


This is an obviousness-type double patenting rejection because the conflicting claims have not in fact been patented.


Claims 1-25 in the instant application correspond to claims 1-25, of Patent 10965717 (application 16/675317).  Since claims 1-25 are A computer-implemented method/system/product: intercepting, by a security agent …a first subset of a plurality of events … according to a first learned security policy … identifying… an anomaly … executing … a mitigation action and claims 1-25, of Patent 10965717 (application 16/675317) are A computer-implemented method/system/product: intercepting, by a security agent …a first subset of a plurality of events … according to a first learned security policy … identifying… an anomaly … executing … a mitigation, it would have been obvious to modify claims 1-25 of Patent 10965717 (application 16/675317)to get Claims 1-25 in the instant application.



Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-6, 8-25 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Cangini et al. (US 2007/0107052 A1, publish date 05/10/2007).

Claim 1:
With respect to claim 1, Cangini et al. discloses a computer-implemented method (a host-based intrusion detection system (HIDS), Figure 1) comprising:
intercepting, by a security agent of a client machine and based on a first learned security policy, a first subset of a plurality of events generated by a first execution environment utilizing the client machine (The device driver 101 is a system-dependent component which intercepts a subset of all possible system calls along with their return value and invocation parameters, 0073, 0075), wherein the first learned security policy is learned based on observing operation of the first execution environment (detection component 120, learns the "good" behavior of the system by recording all possible states reached in a "regular" period of work, 0058-0061) (The knowledge base (KB) modules, during the learning mode, each event updates the internal database and enhances the knowledge on the system behavior, 0067),

wherein the first learned security policy is stored in a directed acyclic graph (DAG)
(intrusion patterns using the graph formalism, mapped onto one of the graphs representing the intrusion scenarios, 0012) (a management system, which shows all the alerts, collects them for off-line analysis and possibly generates graphical reports, 0030) (a graphic console C which shows on the screen 801 all the alerts 802 coming from the different monitored hosts 803, 0134, Figure 8), and 
wherein at least one event of the first subset of events is a type of event associated with a malicious code profile (syscall ID, type of anomaly, Figure 7);
identifying, by the security agent and based on the first learned security policy for the first execution environment, an anomaly based on comparing at least one intercepted event to at least one rule of the first learned security policy (rule-based reasoning to detect attacks on the controlled host, Another significant feature is the organization of the various knowledge bases; each knowledge base defines a specific way to look at the system, The knowledge base captures the set of tests and analyses that a skilled administrator performs on the system to detect the early signs of an anomaly, 0046) (then it performs anomaly detection by revealing differences between the instantaneous state and the recorded ones, and correlates the anomalies to decide if they can represent an intrusion0060-0061) (in the analysis mode, the event is matched against the database and, if an anomaly is detected, a so-called led alert is sent to an Alerter module 106, 0067) (Rule list, 0122-0133); and
executing, by the security agent, a mitigation action responsive to identifying the anomaly (Whenever a knowledge base detects an anomalous behavior, a signal 
(hereinafter defined "led alert") is raised, 0040) (emits an alert to the management system 130, 0058-0061) (in the analysis mode, the event is matched against the database and, if an anomaly is detected, a so-called led alert is sent to an Alerter module 106, 0067) (Led Alert, Figure 7) (a graphic console C which shows on the screen 801 all the alerts 802 coming from the different monitored hosts 803, 0134, Figure 8).

Claims 2, 24:
With respect to claims 2, 24, Cangini et al. discloses further comprising: retrieving, by a security agent of a client machine, a first learned security policy from a security policy database in response to identifying a first execution environment utilizing the client machine (a second sub-component 105 (in turn comprised of a plurality of modules 105a, 105b, 105c, 105d, and 105e to be described later), using a high-level model, learns the "good" behavior of the system by recording all possible states reached in a "regular" period of work, 0058) (The knowledge base (KB) modules 105a-105e, use the syscall and the resynchronization events in two different conditions; during the learning mode, each event updates the internal database and enhances the knowledge on the system behavior; in the analysis mode, the event is matched against the database, 0067);
wherein the security policy database comprises a plurality of learned security policies, wherein each security policy comprises at least one security rule, and at least one condition (A led alert is emitted whenever a change of network behavior is observed.  The list of conditions that may lead to led alert emission, 0099) (The rule-based correlation mechanism, fuzzy logic rules that indicate a specific exploitation attempt, list details some rules as the purpose to show some of the possible attacks that this system can detect, 0112-0133).

Claims 3, 25:
With respect to claims 3, 25, Cangini et al. discloses wherein the security policy database comprises a security rules table, a security policies table, and a client machines table, wherein multiple security rules are associated with at least one security policy, wherein multiple security policies are associated with at least one security rule, wherein multiple client machines are associated with at least one security policy, and wherein multiple security policies are associated with at least one client machine (The rule-based correlation mechanism, fuzzy logic rules that indicate a specific exploitation attempt, list details some rules as the purpose to show some of the possible attacks that this system can detect, 0112-0133).

Claim 4:
With respect to claim 4, Cangini et al. discloses further comprising: retrieving, by the security agent, at least a second learned security policy from the security policy database in response to determining that the client machine is associated with the first learned security policy and the second learned security policy in the security policy database (In a learning stage 601, the module fills its internal data structures (the so called "knowledge base"), by recording the initial state (with an initialize( ) function 602), all the changes caused by the syscalls (with processXx()  functions 603), The learning stage can be restarted  (with an initialize( ) function 606) until the module is supposed to have collected a comprehensive view on the 
system behavior, 0090, Figure 6, 601, 603, 606). 

Claim 5:
With respect to claim 5, Cangini et al. discloses wherein the first learned security policy is learned by intercepting a subset of simulated events generated by a simulation of the first execution environment (The device driver 101 is a system-dependent component which intercepts a subset of all possible system calls, 0073) (the number of inbound/outbound simultaneous connection and so on, 0099) and generating a plurality of rules based on the intercepted subset of simulated events 
(The rule-based correlation mechanism, fuzzy logic rules that indicate a specific exploitation attempt, list details some rules as the purpose to show some of the possible attacks that this system can detect, 0112-0133).

Claim 6:
With respect to claim 6, Cangini et al. discloses wherein the first subset comprises less than half of the plurality of events (syscall ID, type of anomaly, Figure 7);



Claim 8:
With respect to claim 8, Cangini et al. discloses wherein the method is performed by the security agent according to instructions downloaded to the client machine from a remote data processing system. (a related computer program product, loadable in the memory of at least one computer, 0026) (USB-related modules are dynamically loaded in the system when a USB device is attached to it, 0101).

Claim 9:
With respect to claim 9, Cangini et al. discloses wherein the method further comprises: metering usage of the security agent; and generating an invoice based on metering the usage of the security agent (the remaining part SP of the led alert is knowledge base module dependent. This means that each knowledge base module 105 adds all needed information to describe in depth the anomaly. Possible examples include, but are not limited to, the name of the variable/s that caused the anomaly, its/their current value/s and the range of values registered in the knowledge base. In addition to the current information taken from the current state module 104, every knowledge base module 105 assigns a weight to each led alert it emits, according to the "distance" of the anomaly from the regular behavior that is the state recorded during the learning phase and saved in the knowledge base. These weights will be used by the alerter 106 to correlate several led alerts and obtain a user-level alert as described in the following. 0094-0095).

Claim 10:
With respect to claim 10, Cangini et al. discloses further comprising:
identifying a process performing an authorized update on the first execution environment (After initialization, each security-related event generated in the real system is forwarded to the model, which is updated accordingly, 0035); 
entering a limited learning phase (Each knowledge base can operate in two essential modes; in the learning mode, it updates itself accordingly to the events occurring in the system, 0039) (After updating the internal state, the syscall event 
or the re-synchronization event is forwarded to a set of knowledge base modules 
105 provided in the system, 0066), wherein, during the limited learning phase, the instructions are further configured to cause the processor to perform a method further comprising:
intercepting a new set of events generated by the updated first execution environment;
generating an updated first learned security policy by updating at least one rule of the first learned security policy based on the new set of events; and providing the updated first learned security policy to the remote data processing system (during the learning mode, each event updates the internal database and enhances the knowledge on the system behavior; 0067) (In a learning stage 601, the module fills its internal data structures (the so called "knowledge base"), by recording the initial state (with an initialize( ) function 602), all the changes caused by the syscalls (with processXx()  functions 603), The learning stage can be restarted  (with an initialize( ) function 606) until the module is supposed to have collected a comprehensive view on the system behavior, 0090, Figure 6, 601, 603, 606). 

Claim 11:
With respect to claim 11, Cangini et al. discloses wherein the first learned security policy comprises at least one static rule independent of the first execution environment ("Intrusion Detection Via Static Analysis”, 0014) and at least one dynamic rule dependent on at least one parameter configured in the first execution environment (a first sub-component 104 is a current state module that maintains a real-time high-level model of the current state of the monitored host, learns the "good" behavior of the system by recording all possible states reached in a "regular" period of work, 0058), wherein the method further comprises:
substituting at least one parameter configured in the first execution environment in the at least one dynamic rule of the first learned security policy (substitutes it with its own sub-routines 202, 0074, Figure 2).

Claim 12:
With respect to claim 12, Cangini et al. discloses wherein identify the anomaly further comprise:
comparing a plurality of conditions for a first rule of the first learned security policy and the at least one intercepted event (A led alert is emitted whenever a change of network behavior is observed.  The list of conditions that may lead to led 
alert emission, 0099) (The rule-based correlation mechanism, fuzzy logic rules that indicate a specific exploitation attempt, list details some rules as the purpose to show some of the possible attacks that this system can detect, 0112-0133), wherein the plurality of conditions are related to a process name, a command line, and a file digest for the at least one intercepted event (the subset of system calls with related parameters and abstraction translation: process name processExec, 0075) (command line of invocation, 0080).

Claim 13:
With respect to claim 13, Cangini et al. discloses wherein at least one rule in the first learned security policy is associated with a set of conditions configured to generate a true value or a false value, wherein a true value is configured to execute a mitigation action, wherein a false value is configured to iterate to a next intercepted event (A led alert is emitted whenever a change of network behavior is observed.  The list of conditions that may lead to led alert emission, 0099) (The rule-based correlation mechanism, fuzzy logic rules that indicate a specific exploitation attempt, list details some rules as the purpose to show some of the possible attacks that this system can detect, 0112-0133) (it is used to match against every change caused by the system calls (with processXx( ) functions 610) or re-synchronization with the system (with a synchronize( ) function 610), Whenever the module detects some differences with the recorded state, it sends to the alerter 106 a led alert, which is a structure with all possible information about the detected anomaly, 0092).



Claim 14:
With respect to claim 14, Cangini et al. discloses wherein at least one rule in the first learned security policy is associated with a set of conditions configured to generate a true value or a false value, wherein a false value is configured to execute a mitigation action, wherein a true value is configured to iterate to a next intercepted event (The rule-based correlation mechanism, fuzzy logic rules that indicate a specific exploitation attempt, list details some rules as the purpose to show some of the possible attacks that this system can detect, 0112-0133) (it is used to match against every change caused by the system calls (with processXx( ) functions 610) or re-synchronization with the system (with a synchronize( ) function 610), 
Whenever the module detects some differences with the recorded state, it sends to the alerter 106 a led alert, which is a structure with all possible information about the detected anomaly, 0092).

Claim 15:
With respect to claim 15, Cangini et al. discloses wherein a majority of respective events of the first subset of events comprise events associated with more than one malicious code profile (syscall ID, type of anomaly (min, max, etc), Figure 7).

Claim 16:
With respect to claim 16, Cangini et al. discloses a computer system (a host-based intrusion detection system (HIDS), Figure 1) comprising: 
one or more processors (a syscall processor 103, 0063, Figure 1);
one or more computer-readable storage media collectively storing program instructions which, when executed by the one or more processors (loadable in the memory of at least one computer and including software code portions for performing the steps of the method of the invention when the product is run on a computer, 0026) perform the steps of:
intercepting, based on a first learned security policy, a first subset of a plurality of events generated by a first execution environment utilizing a client machine (The device driver 101 is a system-dependent component which intercepts a subset of all possible system calls along with their return value and invocation parameters, 0073, 0075),, wherein the first learned security policy is learned based on observing operation of the first execution environment (detection component 120, learns the "good" behavior of the system by recording all possible states reached in a "regular" period of work, 0058-0061) (The knowledge base (KB) modules, during the learning mode, each event updates the internal database and enhances the knowledge on the system behavior, 0067), wherein the first learned security policy is stored in a directed acyclic graph (DAG) (intrusion patterns using the graph formalism, mapped onto one of the graphs representing the intrusion scenarios,  0012) (a management system, which shows all the alerts, collects them for off-line analysis and possibly generates graphical reports, 0030) (a graphic console C which shows on the screen 801 all the alerts 802 coming from the different monitored hosts 803 , 0134, Figure 8), wherein at least one event of the first subset of events is a type of event associated with a malicious code profile (syscall ID, type of anomaly, Figure 7);
identifying, based on the first learned security policy for the first execution environment, an anomaly based on comparing at least one intercepted event to at least one rule of the first learned security policy (rule-based reasoning to detect attacks on the controlled host, Another significant feature is the organization of the various knowledge bases; each knowledge base defines a specific way to look at the system, The knowledge base captures the set of tests and analyses that a skilled administrator performs on the system to detect the early signs of an anomaly, 0046) (then it performs anomaly detection by revealing differences between the instantaneous state and the recorded ones, and correlates the anomalies to decide if they can represent an intrusion0060-0061) (in the analysis mode, the event is matched against the database and, if an anomaly is detected, a so-called led alert is sent to an Alerter module 106, 0067) (Rule list, 0122-0133); and
executing a mitigation action responsive to identifying the anomaly (Whenever a knowledge base detects an anomalous behavior, a signal (hereinafter defined "led alert") is raised, 0040) (emits an alert to the management system 130, 0058-0061) (in the analysis mode, the event is matched against the database and, if an anomaly is detected, a so-called led alert is sent to an Alerter module 106, 0067) (Led Alert, Figure 7) (a graphic console C which shows on the screen 801 all the alerts 802 coming from the different monitored hosts 803 , 0134, Figure 8).


Claim 17:
With respect to claim 17, Cangini et al. discloses a computer program product comprising one or more computer readable storage media having program instructions collectively embodied therewith, the program instructions executable by one or more processors (loadable in the memory of at least one computer and including software code portions for performing the steps of the method of the invention when the product is run on a computer, 0026 (a syscall processor 103, 0063, Figure 1) to cause the one or more processors to perform a method comprising:
intercepting, based on a first learned security policy, a first subset of a plurality of events generated by a first execution environment utilizing a client machine (The device driver 101 is a system-dependent component which intercepts a subset of all possible system calls along with their return value and invocation parameters, 0073, 0075) (detection component 120, learns the "good" behavior of the system by recording all possible states reached in a "regular" period of work, 0058-0061) (The knowledge base (KB) modules, during the learning mode, each event updates the internal database and enhances the knowledge on the system behavior, 0067),
wherein the first learned security policy is stored in a directed acyclic graph (DAG)  (intrusion patterns using the graph formalism, mapped onto one of the graphs representing the intrusion scenarios,  0012) (a management system, which shows all the alerts, collects them for off-line analysis and possibly generates graphical reports, 0030) (a graphic console C which shows on the screen 801 all the alerts 802 coming from the different monitored hosts 803 , 0134, Figure 8), and wherein at least one event of the first subset of events is a type of event associated with a malicious code profile (syscall ID, type of anomaly, Figure 7);
identifying, based on the first learned security policy for the first execution environment, an anomaly based on comparing at least one intercepted event to at least one rule of the first learned security policy (rule-based reasoning to detect attacks on the controlled host, Another significant feature is the organization of the various knowledge bases; each knowledge base defines a specific way to look at the system, The knowledge base captures the set of tests and analyses that a skilled administrator performs on the system to detect the early signs of an anomaly, 0046) (then it performs anomaly detection by revealing differences between the instantaneous state and the recorded ones, and correlates the anomalies to decide if they can represent an intrusion0060-0061) (in the analysis mode, the event is matched against the database and, if an anomaly is detected, a so-called led alert is sent to an Alerter module 106, 0067) (Rule list, 0122-0133); and
executing a mitigation action responsive to identifying the anomaly (Whenever a knowledge base detects an anomalous behavior, a signal (hereinafter defined "led alert") is raised, 0040) (emits an alert to the management system 130, 0058-0061) (in the analysis mode, the event is matched against the database and, if an anomaly is detected, a so-called led alert is sent to an Alerter module 106, 0067) (Led Alert, Figure 7) (a graphic console C which shows on the screen 801 all the alerts 802 coming from the different monitored hosts 803 , 0134, Figure 8).


Claim 18:
With respect to claim 18, Cangini et al. discloses a computer-implemented method (a host-based intrusion detection system (HIDS), Figure 1) comprising:
generating a plurality of security policies (The rule-based correlation mechanism, fuzzy logic rules that indicate a specific exploitation attempt, list details some rules as the purpose to show some of the possible attacks that this system can detect, 0112-0133) based on a subset of events associated with a synthetic first execution environment (detection component 120, learns the "good" behavior of the system by recording all possible states reached in a "regular" period of work, 0058-0061) (The knowledge base (KB) modules, during the learning mode, each event updates the internal database and enhances the knowledge on the system behavior, 0067), wherein at least one rule associated with the first learned security policy is based on a type of event that is associated with a malicious code profile (syscall ID, type of anomaly, Figure 7);
storing the first learned security policy in a directed acyclic graph (DAG) (intrusion patterns using the graph formalism, mapped onto one of the graphs representing the intrusion scenarios,  0012) (a management system, which shows all the alerts, collects them for off-line analysis and possibly generates graphical reports, 0030) (a graphic console C which shows on the screen 801 all the alerts 802 coming from the different monitored hosts 803 , 0134, Figure 8) in a security policy database (a second sub-component 105 (in turn comprised of a plurality of modules 105a, 105b, 105c, 105d, and 105e to be described later), using a high-level model, learns the "good" behavior of the system by recording all possible states reached in a "regular" period of work, 0058) (The knowledge base (KB) modules 105a-105e, use the syscall and the resynchronization events in two different conditions; during the learning mode, each event updates the internal database and enhances the knowledge on the system behavior; in the analysis mode, the event is matched against the database, 0067);
providing the first learned security policy to a first client, wherein the first learned security policy is relevant to a first execution environment deployed by the first client (rule-based reasoning to detect attacks on the controlled host, Another significant feature is the organization of the various knowledge bases; each knowledge base defines a specific way to look at the system, The knowledge base captures the set of tests and analyses that a skilled administrator performs on the system to detect the early signs of an anomaly, 0046) (then it performs anomaly detection by revealing differences between the instantaneous state and the recorded ones, and correlates the anomalies to decide if they can represent an intrusion0060-0061) (in the analysis mode, the event is matched against the database and, if an anomaly is detected, a so-called led alert is sent to an Alerter module 106, 0067) (Rule list, 0122-0133); and
receiving, from the first client, an alert identifying an anomaly based on at least one intercepted event generated by the first execution environment deployed on the first client and intercepted by the first client according to the first learned security policy (Whenever a knowledge base detects an anomalous behavior, a signal (hereinafter defined "led alert") is raised, 0040) (emits an alert to the management system 130, 0058-0061) (in the analysis mode, the event is matched against the database and, if an anomaly is detected, a so-called led alert is sent to an Alerter module 106, 0067) (Led Alert, Figure 7) (a graphic console C which shows on the screen 801 all the alerts 802 coming from the different monitored hosts 803 , 0134, Figure 8).

Claim 19:
With respect to claim 19, Cangini et al. discloses wherein the DAG includes security policies comprising rules represented as nodes, and connections between the security policies represented as edges (intrusion patterns using the graph formalism, mapped onto one of the graphs representing the intrusion scenarios,  0012) (a management system, which shows all the alerts, collects them for off-line analysis and possibly generates graphical reports, 0030) (The report and logging part 107 of the management system 103, as shown in FIG. 8, consists essentially of a graphic console C which shows on the screen 801 all the alerts 802 coming from the different monitored hosts 803, 0134).

Claim 20:
With respect to claim 20, Cangini et al. discloses wherein providing the first learned security policy further comprises:
providing a second learned security policy responsive to determining that a second node corresponding to the second learned security policy shares an edge in the DAG with a first node corresponding to the first learned security policy (intrusion patterns using the graph formalism, mapped onto one of the graphs representing the intrusion scenarios,  0012) (a management system, which shows all the alerts, collects them for off-line analysis and possibly generates graphical reports, 0030) (The report and logging part 107 of the management system 103, as shown in FIG. 8, consists essentially of a graphic console C which shows on the screen 801 all the alerts 802 coming from the different monitored hosts 803, 0134).

Claim 21:
With respect to claims 18, 24, Cangini et al. discloses wherein generating the first learned security policy further comprises:
intercepting a first subset of events (The device driver 101 is a system-dependent component which intercepts a subset of all possible system calls along with their return value and invocation parameters, 0073, 0075) from a synthetic first execution environment for a first time interval (to build a synthetic, comprehensive representation of the system, 0035) (detection component 120, learns the "good" behavior of the system by recording all possible states reached in a "regular" period of work, 0058-0061) (The knowledge base (KB) modules, during the learning mode, each event updates the internal database and enhances the knowledge on the system behavior, 0067); 
generating a plurality of rules defining normal and abnormal behavior based on the first subset of events from the synthetic first execution environment (detection component 120, learns the "good" behavior of the system by recording all possible states reached in a "regular" period of work, 0058-0061) (The knowledge base (KB) modules, during the learning mode, each event updates the internal database and enhances the knowledge on the system behavior, 0067), wherein respective rules are associated with one or more conditions;
(A led alert is emitted whenever a change of network behavior is observed.  The list of conditions that may lead to led alert emission, 0099);
storing the plurality of rules as the first learned security policy for the first execution environment in the security policy database (The knowledge base (KB) modules, during the learning mode, each event updates the internal database and enhances the knowledge on the system behavior, 0067) (in the analysis mode, the event is matched against the database and, if an anomaly is detected, a so-called led alert is sent to an Alerter module 106, 0067) (Rule list, 0122-0133); and
associating the first learned security policy with the first client (rule-based reasoning to detect attacks on the controlled host, Another significant feature is the organization of the various knowledge bases; each knowledge base defines a specific way to look at the system, The knowledge base captures the set of tests and analyses that a skilled administrator performs on the system to detect the early signs of an anomaly, 0046) (then it performs anomaly detection by revealing differences between the instantaneous state and the recorded ones, and correlates the anomalies to decide if they can represent an intrusion0060-0061) (in the analysis mode, the event is matched against the database and, if an anomaly is detected, a so-called led alert is sent to an Alerter module 106, 0067).



Claim 22:
With respect to claim 22, Cangini et al. discloses wherein the first learned security policy is configured to be dynamically changed by each client of the plurality of clients based on respective parameters associated with respective first execution environments deployed on each client (Figure 6 and 8) (a first sub-component 104 is a current state module that maintains a real-time high-level model of the current state of the monitored host, learns the "good" behavior of the system by recording all possible states reached in a "regular" period of work, 0058)

Claim 23:
With respect to claim 23, Cangini et al. discloses a computer-implemented method (a host-based intrusion detection system (HIDS), Figure 1) comprising:
generating a first learned security policy (The rule-based correlation mechanism, fuzzy logic rules that indicate a specific exploitation attempt, list details some rules as the purpose to show some of the possible attacks that this system can detect, 0112-0133) based on a subset of events associated with a synthetic first execution environment (detection component 120, learns the "good" behavior of the system by recording all possible states reached in a "regular" period of work, 0058-0061) (The knowledge base (KB) modules, during the learning mode, each event updates the internal database and enhances the knowledge on the system behavior, 0067), wherein at least one rule associated with the first learned security policy is based on a type of event that is associated with a malicious code profile (syscall ID, type of anomaly, Figure 7);
storing the first learned security policy in a security policy database (The knowledge base (KB) modules, during the learning mode, each event updates the internal database and enhances the knowledge on the system behavior, 0067) (in the analysis mode, the event is matched against the database and, if an anomaly is detected, a so-called led alert is sent to an Alerter module 106, 0067) (Rule list, 0122-0133),  
providing the first learned security policy to a first client, wherein the first learned security policy is relevant to a first execution environment deployed by the first client (rule-based reasoning to detect attacks on the controlled host, Another significant feature is the organization of the various knowledge bases; each knowledge base defines a specific way to look at the system, The knowledge base captures the set of tests and analyses that a skilled administrator performs on the system to detect the early signs of an anomaly, 0046) (then it performs anomaly detection by revealing differences between the instantaneous state and the recorded ones, and correlates the anomalies to decide if they can represent an intrusion0060-0061) (in the analysis mode, the event is matched against the database and, if an anomaly is detected, a so-called led alert is sent to an Alerter module 106, 0067) (Rule list, 0122-0133); and
receiving, from the first client, an alert identifying an anomaly based on at least one intercepted event generated by the first execution environment deployed on the first client and intercepted by the first client according to the first learned security policy (Whenever a knowledge base detects an anomalous behavior, a signal (hereinafter defined "led alert") is raised, 0040) (emits an alert to the management system 130, 0058-0061) (in the analysis mode, the event is matched against the database and, if an anomaly is detected, a so-called led alert is sent to an Alerter module 106, 0067) (Led Alert, Figure 7) (a graphic console C which shows on the screen 801 all the alerts 802 coming from the different monitored hosts 803 , 0134, Figure 8).



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.



The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Cangini et al. (US 2007/0107052 A1, publish date 05/10/2007) in view of Chen et al. (US 9792562 B1, file date 10/27/2016).

Claim 7:
With respect to claim 7, Cangini et al. discloses the limitations of claim 1, as addressed.

Cangini et al. does not disclose wherein the first subset of the plurality of events comprises less than 1% of the plurality of events as claimed.

However, Chen et al. teaches Applications such as fraud detection, credit evaluation, gene expression, and medical diagnosis or prognosis, for example, may present an input space with thousands, or even millions, of data points. (0003), wherein the first subset of the plurality of events comprises less than 1% of the plurality of events (wherein the subset of input features includes less than approximately one percent of the larger set of input features, claim 13).

Cangini et al. and Chen et al. are analogous art because they are from the same field of endeavor of fraud/intrusion detection.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Chen et al. in Cangini et al. for herein the first subset of the plurality of events comprises less than 1% of the plurality of events as claimed for purposes of enhancing the intrusion detection system of Cangini et al. by providing the ability to suppress less useful data and select a reduced set of meaningful support data/vectors can greatly enhance the performance in terms of computational resources, speed, and accuracy.  (see Chen et al.  0003)


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure, (see PTO Form 892).

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Helai Salehi whose telephone number is 571-270-7468.  The examiner can normally be reached on Monday - Friday from 9 am to 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jeff Pwu, can be reached on 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HELAI SALEHI/Examiner, Art Unit 2433        

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433