Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
	Claims 1-20 are presented for examination.
EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Mr. Stephen A. Terrile (Reg. No.: 32,946) on 30 June 2022.
The application has been amended as follows: 

1.	(Currently Amended)	A computer-implementable method for performing a security operation, comprising:  
monitoring an entity, the monitoring observing at least one electronically-observable data source;
deriving an observable based upon the monitoring of the electronically-observable data source;
identifying a security related activity of the entity, the security related activity being based upon the observable derived from the electronic data source, the security related activity being of analytic utility;
processing the security related activity to generate a session fingerprint, the session fingerprint representing a set of behavior factors associated with a session;
associating the session fingerprint with a particular security vulnerability scenario from a plurality of security vulnerability scenarios, each of the plurality of security vulnerability scenarios providing a grouping of security risk use cases that represent a particular class of security vulnerability;
inferring a particular security vulnerability scenario from the observable derived based upon the monitoring;  
associating the security related activity with a phase of a cyber kill chain, the associating being based in part on the security vulnerability scenario inferred from the observable, each phase of the cyber kill chain having a corresponding security risk persona, each security risk persona characterizing a behavioral pattern exhibited by the entity during enactment of an entity behavior associated with a particular phase of the cyber kill chain; and,
performing a security operation on the security related activity via a security system, the security system executing on a hardware processor, the security operation disrupting performance of the phase of the cyber kill chain.  

7.	(Currently Amended)	A system comprising:  
a hardware processor;  
a data bus coupled to the processor; and 
a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor and configured for: 
monitoring an entity, the monitoring observing at least one electronically-observable data source;
deriving an observable based upon the monitoring of the electronically-observable data source;
identifying a security related activity of the entity, the security related activity being based upon the observable derived from the electronic data source, the security related activity being of analytic utility;
processing the security related activity to generate a session fingerprint, the session fingerprint representing a set of behavior factors associated with a session;
associating the session fingerprint with a particular security vulnerability scenario from a plurality of security vulnerability scenarios, each of the plurality of security vulnerability scenarios providing a grouping of security risk use cases that represent a particular class of security vulnerability;
inferring a particular security vulnerability scenario from the observable derived based upon the monitoring;  
associating the security related activity with a phase of a cyber kill chain, the associating being based in part on the security vulnerability scenario inferred from the observable, each phase of the cyber kill chain having a corresponding security risk persona, each security risk persona characterizing a behavioral pattern exhibited by the entity during enactment of an entity behavior associated with a particular phase of the cyber kill chain; and,
performing a security operation on the security related activity via a security system, the security system executing on the hardware processor, the security operation disrupting performance of the phase of the cyber kill chain.  

13.	(Currently Amended)	A non-transitory, computer-readable storage medium embodying computer program code, the computer program code comprising computer executable instructions configured for:  
monitoring an entity, the monitoring observing at least one electronically-observable data source;
deriving an observable based upon the monitoring of the electronically-observable data source;
identifying a security related activity of the entity, the security related activity being based upon the observable derived from the electronic data source, the security related activity being of analytic utility;
processing the security related activity to generate a session fingerprint, the session fingerprint representing a set of behavior factors associated with a session;
associating the session fingerprint with a particular security vulnerability scenario from a plurality of security vulnerability scenarios, each of the plurality of security vulnerability scenarios providing a grouping of security risk use cases that represent a particular class of security vulnerability;
inferring a particular security vulnerability scenario from the observable derived based upon the monitoring;  
associating the security related activity with a phase of a cyber kill chain, the associating being based in part on the security vulnerability scenario inferred from the observable, each phase of the cyber kill chain having a corresponding security risk persona, each security risk persona characterizing a behavioral pattern exhibited by the entity during enactment of an entity behavior associated with a particular phase of the cyber kill chain; and,
performing a security operation on the security related activity via a security system, the security system executing on a hardware processor, the security operation disrupting performance of the phase of the cyber kill chain.  
Allowable Subject Matter
Claims 1-20 are allowed.
The claims are directed to novel and non-obvious methods, systems and non-transitory computer-readable storage mediums for performing a security operation, which requires, at least in part, processing the security related activity to generate a session fingerprint, the session fingerprint representing a set of behavior factors associated with a session; associating the session fingerprint with a particular security vulnerability scenario from a plurality of security vulnerability scenarios, each of the plurality of security vulnerability scenarios providing a grouping of security risk use cases that represent a particular class of security vulnerability; inferring a particular security vulnerability scenario from the observable derived based upon the monitoring; associating the security related activity with a phase of a cyber kill chain, the associating being based in part on the security vulnerability scenario inferred from the observable, each phase of the cyber kill chain having a corresponding security risk persona, each security risk persona characterizing a behavioral pattern exhibited by the entity during enactment of an entity behavior associated with a particular phase of the cyber kill chain; and, performing a security operation on the security related activity via a security system, the security system executing on a hardware processor, the security operation disrupting performance of the phase of the cyber kill chain.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTOL-892.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to DARREN B SCHWARTZ whose telephone number is (571)270-3850. The examiner can normally be reached 9am-7pm EST, Monday-Thursday, 9am-5pm EST, Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph P Hirl can be reached on (571)272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/DARREN B SCHWARTZ/               Primary Examiner, Art Unit 2435