DETAILED ACTION
Claims 1, 3, 4, 5, 14, and 15 have been amended.
The rejection of claims 3, 4, and 5 under 35 U.S.C. 112(b) has been withdrawn in view of applicant's amendments.
The 35 U.S.C. 112(f) claim interpretation of claims 14 and 15 has been overcome in view of applicant's amendments.
Claims 1-16 are pending.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant's arguments filed on 07/28/2022 have been fully considered.
With respect to the argument regarding the 112(b) rejection of claims 3-5, the argument is persuasive and the 112(b) rejection is therefore withdrawn.
With respect to the arguments regarding claims 1, 14, 15, and 16, examiner respectfully disagrees.
With respect to the argument that MARTIN does not disclose any operations related to an internal swarm intelligence network, and that the proposed combination of KERSEBOOM and MARTIN is therefore improper, examiner respectfully disagrees, because MARTIN also teaches monitoring network events occurring on a network that comprises a plurality of computers. ([MARTIN, para. 0026] “In particular, new events occurring at computers within the network may be scanned for possible security threats in real-time or in near real-time by other detection mechanisms—such as external intrusion detection systems (IDS) or intrusion prevention systems (IPS), as shown in FIG. 2—layered throughout the network. Such detection systems may compare a new event to threat intelligence of security threats known at the time of the event to determine in real-time if the event may be an indicator of an attack on the network.”) ([MARTIN, para. 0068] “the system can execute: a script to scan computers on the network for evidence of lateral movement by the cyber attack following initial infiltration into the computer”). Examiner interprets the computers in MARTIN as a swarm because they are entities that collect and transmit data. ([MARTIN, para. 0016] “Blocks of the method S100 can be executed by one or more local assets on the network or any other system.”) This sentence shows that MARTIN teaches an intelligent swarm network, because a plurality of assets in the network can perform the method S100 for detecting a cyber attack.
Regarding the argument that the node swarm of KERSEBOOM and the network event buffer of MARTIN perform different operations to detect threats, such that the proposed combination of KERSEBOOM and MARTIN is improper, examiner respectfully disagrees because, as shown above, MARTIN also teaches a swarm, and the proposed combination is therefore proper. In addition, applicant has not addressed the motivation to combine provided by the examiner.
Additional arguments are moot in view of the new grounds of rejection necessitated by the claim amendments.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


Claims 1, 14, and 15 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 1, 14, and 15 recite the limitation "the respective local network". There is insufficient antecedent basis for this limitation in the claims. For the purpose of examination this limitation is being interpreted as "the local computer network".

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4, 7, 10, 12, and 14-16 are rejected under 35 U.S.C. 103 as being unpatentable over KERSEBOOM (WO-2017102088-A1) in view of MARTIN (US-20180004942-A1), hereinafter KERSEBOOM-MARTIN.
Regarding claim 1, KERSEBOOM teaches “A method of threat control, the method comprising: establishing an internal swarm intelligence network comprising security agent modules of a plurality of interconnected network nodes of a local computer network, the method further comprising, at the one or more security agent modules:” ([KERSEBOOM, Page 1 lines 23-29] “The present invention generally relates to systems and (computer implemented) methods for communications network attack detection, and more particularly to a method and system for a distributed early attack warning platform (DEAWP) for detecting attacks and synchronizing gathered data over a separate communications network via a power line network connection, and the like, to connected nodes, in order to protect the network as a whole and systems connected thereto, and the like.”) ([KERSEBOOM, Page 2 lines 8-13] “Based on the monitored data communications transmitted over the first communications network, the plurality of monitoring node devices act as a swarm configured to communicate information over the second communications network regarding potential cyber-threats on the plurality of protected computer devices or the first communications network and possible countermeasures to the potential cyber-threats.”) collecting data related to the respective network node of the security agent module; ([KERSEBOOM, Page 12 lines 16-21] “FIGs. 8 and 14 are used to illustrate a process for collecting data by nodes. In FIGs. 8 and 14, at steps S800 and S801, the nodes 404 and 405 are introduced and connected to the network via the network router 408. The introduced nodes 404 and 405 collect data about available systems 406 within the network they reside in. The nodes 404 and 405 then passively collect data about ports and running services from systems connected to each network.”) sharing information based on the collected data in the established internal swarm intelligence network; ([KERSEBOOM, Page 12 lines 27-29] “The node 404 collects and disseminates data from and to its peer nodes 405 that contain data concerning earlier connection attempts to any particular node 405 or 404.”).
However, KERSEBOOM does not teach “using the collected data and information received from the internal swarm intelligence network for generating and adapting models related to the respective network node wherein the models are optimized for local performance at the respective local network; in case a known security threat is detected, generating and sending a security alert to the internal swarm intelligence network and to a local centre node in the local computer network and activating security measures for responding to the detected security threat; in case a new threat is identified, verifying and containing the threat, generating a new threat model on the basis of the collected data and received information and sharing the generated new threat model in the internal swarm intelligence network and the local centre node; the method further comprising: transmitting abstract information of the security alert and/or the generated new threat model from the local centre node to a security service network for enabling the security service network to share the received security alert and/or the new threat model with other local computer networks and to take further action on the basis of the received security alert and the new threat model; and receiving instruction, at the local centre node, from the security service network to evolve the behaviour of the one or more security agent modules for detection of and/or responding to such security threats.”
In an analogous teaching, MARTIN teaches “using the collected data and information received from the internal swarm intelligence network for generating and adapting models related to the respective network node, ([MARTIN, Para. 0072] “In this implementation, the system can maintain a threat intelligence database of known security threats—including threat intelligence defining threat elements characteristic of these known security threats—and can append this threat intelligence database with new threat intelligence as new threat intelligence becomes available, such as from an ISAC, as described above.”) ([MARTIN, Para. 0055] “the new threat intelligence includes a cyber attack model of the newly-identified security threat; and the system can pass the cyber attack model and timestamped network events—matched to threat elements in the new threat intelligence—into an artificial neural network to calculate a strength of temporal alignment between the cyber attack model and these network events (e.g., a “confidence score”).”) wherein the models are optimized for local performance at the respective local network ([MARTIN, para. 0016] “Blocks of the method S100 can be executed by one or more local assets on the network or any other system.”), ([MARTIN, para. 0010] “The method can be executed in conjunction with a computer network, such as an internal network within a company, corporation, agency, administration, or other organization, to asynchronously detect security threats to the network by matching descriptors of newly-identified security threats to elements within a log of historical events that have occurred on the network over time.”) ([MARTIN, para. 0020] “In one example, as new events occur over time on computers (or machines, assets) within an internal network inside a credit union, the system writes network traffic data representative of these events (e.g., netflow, HTTP header, and/or DNS data) to a network event buffer containing network traffic data spanning a limited current time window, such as the current hour, the current date, or the past twenty-four hours.”), ([MARTIN, para. 0022] “Upon receipt of this new threat intelligence information for Red Gang 13, the system adds this new threat intelligence information to an existing threat corpus of threat intelligence of known threats and automatically scans the network event buffer for elements that match IOCs defined in the threat corpus. If the system detects a minimum number of elements in the network event buffer that match IOC values of a particular threat intelligence in the threat corpus or if the system matches a pattern of elements in the network event buffer to a pattern of IOC values of a particular threat intelligence in the threat corpus, such as described below, the system issues an alert for this threat.”), ([MARTIN, para. 0023] “If the system fails to detect a common element between the compressed log file and the new threat intelligence information, the system can determine that such an attack by Red Gang 13 has not occurred on the credit union's internal network. However, if the system finds one or more common elements between the compressed log file and the new threat intelligence in Block S130, the system can determine that an attack by Red Gang 13 on the credit union's internal network is possible, and the system can then scan the network accounting log—containing original, uncompressed network event data—for a group or cluster of event records that may confirm such an attack by Red Gang 13 on the internal network in Block S140.”) in case a known security threat is detected, generating and sending a security alert to the internal swarm intelligence network and to a local centre node in the local computer network and activating security measures for responding to the detected security threat; ([MARTIN, Para. 0015] “The system can therefore scan new network events for indicators of both known and newly-identified security threats and scan a corpus of past network events for indicators of newly-identified security threats only such that network events are scanned a minimum number of times (e.g., once), thereby requiring limited processing time and power by the system while also maintaining a high degree of accuracy in detection of both previously- and newly-identified security threats. (The system can additionally or alternatively interface with external intrusion detection systems and/or intrusion prevention systems that both detect network events and compare these network events to known threat intelligence to detect such known threats on the network substantially in real-time.)”); ([MARTIN, Para. 0024] “the system can execute one or more actions to handle the threat on the internal network in Block S150, such as by automatically: issuing an alert that can be combined with other alerts to trigger human involvement; prompting human security personnel at an external security operation center (or “SOC”) to begin an investigation into the threat; and/or quarantining one or more compromised computers within the network.”) in case a new threat is identified, verifying and containing the threat, generating a new threat model on the basis of the collected data and received information and sharing the generated new threat model in the internal swarm intelligence network and the local centre node; ([MARTIN, Abstract] “in response to receipt of a new threat intelligence representing a newly-identified security threat identified after the period of time, querying the compressed log file for a set of metadata values of a threat element defined in the new threat intelligence; in response to detecting the set of metadata values of the threat element in the compressed log file, querying the network accounting log for a set of threat elements defined in the new threat intelligence; and in response to detecting the set of threat elements in the network accounting log, issuing an alert to respond to the newly-identified security threat on the network.”) ([MARTIN, Para. 0072] “In one implementation, the system interfaces with IDSs and/or IPSs on the network to detect network events indicative of IOCs of known security threats substantially in real-time. In this implementation, the system can maintain a threat intelligence database of known security threats …… can append this threat intelligence database with new threat intelligence as new threat intelligence becomes available, such as from an ISAC, as described above. The system can serve the threat intelligence database (or data contained therein) to IDSs and/or IPSs throughout the network to assist these IDSs and/or IPSs in detecting IOCs on the network in real-time.”) the method further comprising: transmitting abstract information of the security alert and/or the generated new threat model from the local centre node to a security service network for enabling the security service network to share the received security alert and/or the new threat model with other local computer networks and to take further action on the basis of the received security alert and the new threat model; ([MARTIN, Para. 0072] “For example, the IDSs and/or IPSs can output micro alerts defining correlations between new network events and threat elements defined by threat intelligence in the threat intelligence database. When new threat intelligence for a newly-identified security threat is received, the system can also scan the compressed log file in Block S130 and, when relevant, the network accounting log for past network events indicative of this newly-identified security threat in Block S140, as described above, such as before new network events detected by the IDSs and/or IPSs are written to the compressed log file and to the network accounting log.”) ([MARTIN, Para. 0019] “An ISAC and related entities can document IOCs of associated actors and their TTPs in a standardized format (e.g., structured threat information expression, or “STIX”) to package threat intelligence for each known security threat, and the ISAC can share these threat intelligence among its related entities in order to improve incident response and computer forensics.”) ([MARTIN, Para. 0051] “The system can then execute an action—such as issuing an alert, prompting security personnel to investigate an attack, or automatically quarantining assets on the network”) and receiving instruction, at the local centre node, from the security service network to evolve the behaviour of the one or more security agent modules for detection of and/or responding to such security threats.” ([MARTIN, Para. 0072] “append this threat intelligence database with new threat intelligence as new threat intelligence becomes available, such as from an ISAC, as described above. The system can serve the threat intelligence database (or data contained therein) to IDSs and/or IPSs throughout the network to assist these IDSs and/or IPSs in detecting IOCs on the network in real-time.”).
Thus, given the teaching of MARTIN, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of detecting known and new threats on a network and taking necessary actions, as taught by MARTIN, into the teaching of a threat control method comprising interconnected nodes, as taught by KERSEBOOM. One of ordinary skill in the art would have been motivated to do so because MARTIN recognizes the need to detect and mitigate known and unknown threats in real-time. ([MARTIN, Para. 0025] “Therefore, the system can regularly query a network event buffer of current network events for IOCs of both known and new threat intelligence defined in a threat corpus in order to determine—substantially in real-time—whether a known or new threat is present on the network.”).
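As an illustration of the two-stage retrospective scan that the MARTIN passages quoted above describe (a cheap query of the compressed log file for any common element in Block S130, followed only on a hit by a search of the full network accounting log for a cluster of matching event records in Block S140, and an alert only when that cluster is found), the following is an added example written for this page; it is not code from MARTIN, KERSEBOOM, or the applicant. The event fields, the one-hour clustering window, the minimum-match threshold of three events, and every log record and indicator value are constructed assumptions.

```python
"""Added example: MARTIN-style two-stage retrospective scan (Blocks S130/S140).

Not code from MARTIN, KERSEBOOM or the applicant. All events, indicator values,
field names, the clustering window and the match threshold are constructed
assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class NetworkEvent:
    """One record of the (uncompressed) network accounting log."""
    ts: datetime
    src_ip: str
    dst_ip: str
    dns_name: Optional[str] = None


# Constructed network accounting log for one internal network over a period.
ACCOUNTING_LOG: List[NetworkEvent] = [
    NetworkEvent(datetime(2022, 6, 1, 9, 0), "10.0.0.5", "203.0.113.10", "update.example"),
    NetworkEvent(datetime(2022, 6, 1, 9, 5), "10.0.0.5", "198.51.100.7", "c2.badexample.invalid"),
    NetworkEvent(datetime(2022, 6, 1, 9, 20), "10.0.0.5", "198.51.100.8"),
    NetworkEvent(datetime(2022, 6, 1, 9, 40), "10.0.0.9", "198.51.100.7"),
    NetworkEvent(datetime(2022, 6, 1, 11, 30), "10.0.0.9", "203.0.113.20"),
    NetworkEvent(datetime(2022, 6, 1, 14, 0), "10.0.0.12", "198.51.100.8"),
]


def compress_log(events: List[NetworkEvent]) -> Dict[str, Set[str]]:
    """Compressed log file: only the distinct metadata values seen per field.

    Timestamps, ordering and per-event detail are dropped, so this summary is
    small and cheap to query whenever new threat intelligence arrives.
    """
    compressed: Dict[str, Set[str]] = {"dst_ip": set(), "dns_name": set()}
    for e in events:
        compressed["dst_ip"].add(e.dst_ip)
        if e.dns_name:
            compressed["dns_name"].add(e.dns_name)
    return compressed


def make_intel(name: str, dst_ips: Set[str], dns_names: Set[str],
               min_matches: int = 3, window: timedelta = timedelta(hours=1)) -> dict:
    """Simplified STIX-like threat intelligence: threat elements grouped by field."""
    return {"name": name,
            "threat_elements": {"dst_ip": dst_ips, "dns_name": dns_names},
            "min_matches": min_matches, "window": window}


def query_compressed(compressed: Dict[str, Set[str]], intel: dict) -> Set[Tuple[str, str]]:
    """Block S130: which threat-element values appear anywhere in the compressed log."""
    hits: Set[Tuple[str, str]] = set()
    for field_name, values in intel["threat_elements"].items():
        for v in values & compressed.get(field_name, set()):
            hits.add((field_name, v))
    return hits


def event_matches(e: NetworkEvent, intel: dict) -> bool:
    te = intel["threat_elements"]
    return e.dst_ip in te["dst_ip"] or (e.dns_name is not None and e.dns_name in te["dns_name"])


def find_cluster(events: List[NetworkEvent], intel: dict) -> Optional[List[NetworkEvent]]:
    """Block S140: densest run of matching events inside one window, or None below threshold."""
    matched = sorted((e for e in events if event_matches(e, intel)), key=lambda e: e.ts)
    best: List[NetworkEvent] = []
    for i, start in enumerate(matched):
        window = [e for e in matched[i:] if e.ts - start.ts <= intel["window"]]
        if len(window) > len(best):
            best = window
    return best if len(best) >= intel["min_matches"] else None


def retrospective_scan(events: List[NetworkEvent], intel: dict) -> dict:
    """Run S130 first; only on a hit pay for the full S140 accounting-log search."""
    if not query_compressed(compress_log(events), intel):
        return {"alert": False, "stage": "S130"}       # no common element: attack not observed
    cluster = find_cluster(events, intel)
    if cluster is None:
        return {"alert": False, "stage": "S140"}       # isolated hits below the cluster threshold
    return {"alert": True, "stage": "S140", "threat": intel["name"],
            "hosts": sorted({e.src_ip for e in cluster}), "events": len(cluster)}


# Three constructed pieces of "new" threat intelligence arriving after the log was written.
CLUSTERED_INTEL = make_intel("constructed-actor-1", {"198.51.100.7", "198.51.100.8"},
                             {"c2.badexample.invalid"})
UNSEEN_INTEL = make_intel("constructed-actor-2", {"192.0.2.99"}, {"nothing.invalid"})
SPARSE_INTEL = make_intel("constructed-actor-3", {"198.51.100.8"}, set())

if __name__ == "__main__":
    for intel in (CLUSTERED_INTEL, UNSEEN_INTEL, SPARSE_INTEL):
        print(intel["name"], retrospective_scan(ACCOUNTING_LOG, intel))
```

The three constructed intelligence records exercise the three outcomes in the quoted passages: one whose indicators cluster within the window and raise an alert naming the two internal hosts involved, one with no common element that is rejected at the compressed-log stage without touching the accounting log, and one whose single indicator appears only in isolated records and so is rejected at the cluster stage.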

Regarding claim 4, KERSEBOOM-MARTIN teach all limitations of claim 1. KERSEBOOM further teaches “wherein a detection mechanism is used to detect security threats, and comprises using at least one of: a machine learning models, a scanning engine, a heuristic rule, a statistical anomaly detection, fuzzy logic based models, predetermined rules.” ([KERSEBOOM, Page 13 lines 1-5] “FIGs. 11 and 14 are used to illustrate a process for analysis of data sent by an attacker to a node. In FIGs. 11 and 14, at steps S806 and 807, the node 404 is probed by an attacker 407 on a service that was setup based on the collected data, as previously described. The node 404 analyzes the data sent by the attacker 407 and tries to verify the received data to earlier known attacks.”).

Regarding claim 7, KERSEBOOM-MARTIN teach all limitations of claim 1. MARTIN further teaches “further comprising receiving, at the security agent module, guidance related to detections and/or response actions from human experts in a language model that is close to human language for allowing interaction between the human security experts and the security agent modules.” ([MARTIN, Para. 0024] “the system can execute one or more actions to handle the threat on the internal network in Block S150, such as by automatically: issuing an alert that can be combined with other alerts to trigger human involvement; prompting human security personnel at an external security operation center (or “SOC”) to begin an investigation into the threat; and/or quarantining one or more compromised computers within the network.”) ([MARTIN, Para. 0065] “The system can then: insert the alert into an email, SMS text message, or notification for a native security application, etc.; and push this alert to one or more human security personnel via their desktop computers, mobile devices, web portals, or other devices in Block S150. The system can additionally or alternatively push the alert to an alert feed or master alert feed in a SOC in Block S150. However, the system can communicate an alert and related data to an alert feed, to security personnel, to a security analyst, and/or to a SOC, etc. in any other way in Block S150.”).
The same motivation to modify KERSEBOOM with MARTIN as in the rejection of claim 1 applies.

Regarding claim 10, KERSEBOOM-MARTIN teach all limitations of claim 1. KERSEBOOM further teaches “in case any of the security agent modules detects the need for further resources for managing the detected security threat, the method further comprises requesting resources from other security agent modules or generating new virtual security agent modules.” ([KERSEBOOM, Page 15 lines 16-26] “The nodes can include functionality that allows the nodes to be capable of individual interaction with threats, to have individual countermeasure capabilities, to be capable of synergizing with other individual nodes connected by way of the swarm so as to make group decisions on how the individual nodes should individually deal with a threat, attack, and the like. Advantageously, such individually executed countermeasures can still be the result of a group decision made by the swarm. In addition, the nodes can include functionality that allows the nodes to algorithmically rotate monitoring or attack functions, and the like, randomized or on request by other peering nodes, and the like. For example, requests by other nodes can include several tasks being divided on a per node basis to share a task, workload, function, and the like.”).

Regarding claim 12, KERSEBOOM-MARTIN teach all limitations of claim 1. KERSEBOOM further teaches “further comprising: taking further action to secure the computer network and/or any related network node, wherein the further action comprises any one or more of: preventing one or more of the network nodes from being switched off; switching on a firewall at one or more of the network nodes; slowing down or blocking network connectivity of one or more of the network nodes; removing or placing into quarantine suspicious files; collecting logs from network nodes; executing sets of command on network nodes; warning a user of one or more of the network nodes that signs of a security threat have been detected; and/or sending a software update to one or more of the network nodes.” ([KERSEBOOM, Page 12 lines 16-20] “FIGs. 8 and 14 are used to illustrate a process for collecting data by nodes. In FIGs. 8 and 14, at steps S800 and S801, the nodes 404 and 405 are introduced and connected to the network via the network router 408. The introduced nodes 404 and 405 collect data about available systems 406 within the network they reside in.”) ([KERSEBOOM, Page 8 lines 9-11] “A system or router connected network includes nodes that can act as signaling systems that can inform users of a pending attack, and an infected/untrusted system can be isolated from the other protected systems.”).

Regarding claim 14, this claim defines a system claim that corresponds to method claim 1. Therefore, claim 14 is rejected with the same rationale as in the rejection of claim 1.

Regarding claim 15, this claim defines a computer network security system that corresponds to method claim 1. Therefore, claim 15 is rejected with the same rationale as in the rejection of claim 1.

Regarding claim 16, this claim defines an article of manufacture comprising a non-transitory computer readable medium that implements the threat detection method of claim 1. Therefore, claim 16 is rejected with the same rationale as in the rejection of claim 1.


Claims 2, 3, and 9 are rejected under 35 U.S.C. 103 as being unpatentable over KERSEBOOM-MARTIN in view of LEON (US-20190386957-A1), based on the priority of its U.S. provisional application No. 62/685,772, hereinafter KERSEBOOM-MARTIN-LEON.
Regarding claim 2, KERSEBOOM-MARTIN teach all limitations of claim 1. However, KERSEBOOM-MARTIN does not teach “wherein the amount of information exchanged between any two of the security agent modules in the internal swarm intelligence network is larger between the security agent modules locating close to one another than between the security agent modules locating further from one another.”.
In an analogous teaching, LEON teaches “wherein the amount of information exchanged between any two of the security agent modules in the internal swarm intelligence network is [larger] between the security agent modules locating close to one another than between the security agent modules locating further from one another.” ([LEON, Para. 0139] “The node 110A, however, may not be the closest node 110A-N to the entity's place of operation and/or the data center. Rather, node 110B may be at a geographic location that is closer to the entity's place of operation and/or the data center than the node 110A. Transmitting data to the node 110B rather than the node 110A may be beneficial because it can reduce the number of devices in the network paths between the on-premise location and the nodes 110A-N that can potentially maliciously capture the data, and because the data transfer rate might be faster when transmitting to the node 110B than to the node 110A. In fact, transmitting data from the on-premise location to the node 110B, and then from the node 110B to the node 110A may be faster than transmitting data from the on-premise location to the node 110B because the private network 101 may be optimized to transfer data at a faster rate than is possible via the public network 210 and/or the cellular network 220.”).
Thus, given the teaching of LEON, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of information exchanged between nodes closer to each other rather than between nodes farther apart, as taught by LEON, into the teaching of a threat control method comprising interconnected nodes, as taught by KERSEBOOM-MARTIN, because LEON recognizes the benefits of using a node-based network architecture to prevent intrusions. ([LEON, Para. 0033] “Because access to the private network 101 is restricted to just the nodes 110A-N, the risk of a network-based intrusion of the nodes 110A-N or the data transmitted between the nodes 110A-N is greatly diminished.”).
LEON does not explicitly teach that the amount of information exchanged between security agent modules closer to each other is specifically “larger” than between the security agent modules locating further from one another. However, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify LEON to include “larger” because, when the system shares data between the nodes closest to each other (from the on-premise location to node 110B, and then from node 110B to node 110A) instead of directly between nodes farther apart (from the on-premise location to node 110A), it is an expected result that the amount shared between the closest nodes is larger.

Regarding claim 3, KERSEBOOM-MARTIN-LEON teach all limitations of claim 2. Furthermore, LEON teaches “wherein the models used by the security agent modules that are located close to one another are more similar in behaviour to those located further away as a consequence of more intense information sharing” ([LEON, Para. 0036] “In an embodiment, each node 110A-N is identical in composition and operation. The nodes 110A-N can operate in real-time to replicate data between or among the various nodes 110A-N to ensure that the sum of aggregate data is present in both or all node 110A-N locations. This redundancy not only improves the reliability of the multi-node environment, but also enhances the threat-detecting capability of the nodes 110A-N. For example, the nodes 110A-N may independently identify Internet Protocol (IP) addresses from which one or more attacks on the respective node 110A-N (e.g., to disable or impair the functionality of the respective node 110A-N) or attempted intrusions into the respective node 110A-N have originated. A node, such as the node 110A, may transmit a routing table that includes the IP addresses that the node 110A has identified as a threat to one or more of the other nodes 110B-N so that the other nodes 110B-N can update their routing tables accordingly. Thus, by sharing routing tables between nodes 110A-N, an address identified as a threat at one node can be blocked by the other nodes in the environment.”).
The same motivation to modify KERSEBOOM-MARTIN with LEON as in the rejection of claim 2 applies.

Regarding claim 9, KERSEBOOM-MARTIN teach all limitations of claim 1. However, KERSEBOOM-MARTIN does not teach “further comprising the security agent modules being configured to activate one or more components of their modular architecture and to replicate themselves.”.
In an analogous teaching, LEON teaches “further comprising the security agent modules being configured to activate one or more components of their modular architecture and to replicate themselves.” ([LEON, Para. 0050] “the one or more backup repository servers 209 of one node, such as node 110A, stores data backups of data associated with another node, such as node 110B. Likewise, the one or more backup repository servers 209 of the node 110B stores data backups of data associated with the node 110A. Thus, the data backup stored in one node is a mirror of the data of another node (and allows the node with the stored data backup to act as a redundant node). A circuit, such as a virtual circuit (not shown) can monitor the status of each of the nodes 110A-N. If a first node becomes inactive, the circuit notifies a second node that stores the data backup of the inactive first node and the second node temporarily operates as the first node (and the second node). Thus, if the node 110A becomes inactive, the one or more backup repository servers 209 of the node 110B operate as the node 110A, providing the functionality that the node 110A normally would provide.”).
Thus, given the teaching of LEON, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of modules able to replicate themselves, as taught by LEON, into the teaching of a threat control method comprising interconnected nodes, as taught by KERSEBOOM-MARTIN. One of ordinary skill in the art would have been motivated to do so because LEON recognizes the benefits of using a node-based network architecture to prevent intrusions. ([LEON, Para. 0033] “Because access to the private network 101 is restricted to just the nodes 110A-N, the risk of a network-based intrusion of the nodes 110A-N or the data transmitted between the nodes 110A-N is greatly diminished.”).

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over KERSEBOOM-MARTIN in view of DRISSI (US-20130198840-A1), and further in view of LIU (WO-2019015615-A1).
Regarding claim 5, KERSEBOOM-MARTIN teach all limitations of claim 1. However, KERSEBOOM-MARTIN does not teach “further comprising using one or more meta-learning models defining how learning is performed for generating the new threat, action or response model and sharing only higher-level representations of learned information in the internal swarm intelligence network and with the local centre node.”
In an analogous teaching, DRISSI teaches “further comprising using one or more meta-learning models defining how learning is performed for generating the new threat, action or response model” ([DRISSI, Para. 0049] “In this aspect of the invention a learning controller 400 is part of or connected with the governing system 100. The learning controller 400 sends training-related information 400A to the meta-learner element or component 300 and receives success/failure feedback information 400B therefrom. Over time the meta-learning system operates to evolve more and improved counter-measures to detected actual and potential cyber-threats.”).
Thus, given the teaching of DRISSI, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of using meta-learning to detect cyber-attacks, as taught by DRISSI, into the teaching of a threat control method comprising interconnected nodes, as taught by KERSEBOOM-MARTIN. One of ordinary skill in the art would have been motivated to do so because DRISSI recognizes the need to defend against and stop cyber-attacks. ([DRISSI, Para. 0003] “It has been documented that the occurrence of malicious attacks has recently surpassed the occurrence of human error. As a result of these trends providing effective cyber-security has become an important priority for many public and private enterprises in order to reduce intellectual property, monetary and other types of losses.”).
However, KERSEBOOM-MARTIN-DRISSI does not teach “and sharing only higher-level representations of learned information in the internal swarm intelligence network and with the local centre node.”.
In an analogous teaching, LIU teaches “and sharing only higher-level representations of the learned information in the internal swarm intelligence network and with the local centre node.” ([LIU, Page 10 Para. 38] “The high-level fog node performs machine learning according to the data regularity information of the middle layer to obtain high-level data rule information, and then generates a high-level control command according to the high-level data rule information, and sequentially passes through the middle layer fog node and the edge. The layer fog node sends it to the execution class device to implement high level control of the execution class device.”).
Thus, given the teaching of LIU, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of  as taught by LIU into the teaching of a threat control method comprising interconnected nodes as taught by KERSEBOOM-MARTIN-DRISSI. One of ordinary skill in the art would have been motivated to do so because LIU recognizes the benefits of moving to a more sensors/nodes approach in order to provide additional processing. ([LIU, Page 6 Para. 1] “The shift, which shifts to a new computing model, is about moving from the cloud to the edge, even on IoT sensors and actuators. The computation, network, storage, and acceleration units of the new model can all be fog nodes. Each layer in the layered architecture consisting of fog nodes provides additional processing, storage, and networking capabilities for vertical application at that layer.”).

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over KERSEBOOM-MARTIN in view of MEZACK (US-20080148398-A1).
Regarding claim 6, KERSEBOOM-MARTIN teach all limitations of claim 1. However, KERSEBOOM-MARTIN does not teach “further comprising sharing information on alerts, statuses and other relevant entities by using at least one language model for enabling the information to be interpretable by both computer systems and human experts.”.
In an analogous teaching, MEZACK teaches “further comprising sharing information on alerts, statuses and other relevant entities by using at least one language model for enabling the information to be interpretable by both computer systems and human experts.” ([MEZACK, Abstract] “A network security analysis tool and related systems and methods are disclosed. The disclosed invention can accept user input to define network security threat models. The system can collect event data from one or more network devices and analyze that data for the existence of activity matching the defined threat models. The collected data can be translated into a common format for storage in a database of the invented system. The system can create threat models to track network threats found in the collected data that both partially and completely match one or more threat model definitions. The resulting threat models can be displayed on a console to show threat progression in near real time.”).
Thus, given the teaching of MEZACK, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of using a common language format that is interpretable by both humans and computers as taught by MEZACK into the teaching of a threat control method comprising interconnected nodes as taught by KERSEBOOM-MARTIN. One of ordinary skill in the art would have been motivated to do so because MEZACK recognizes the need to describe data from disparate types of data sources in a common form. ([MEZACK, Para. 0012] “Accordingly, there is a need in digital security for a method and process for defining threat models to digital assets. A further need exists in the art for a method by which threat models can be defined that can describe data from disparate types of data sources.”) ([MEZACK, Para. 0013] “Another need exists for a method and system for identifying and monitoring both the partial and complete existence of defined threat model activity in ongoing data activity. That is, there is a need in the art for security personnel to identify their understanding of an adversary's view, characterize the security of their system and potential sources of visibility to threats, and identify and monitor ongoing threats that are modeled.”).

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over KERSEBOOM-MARTIN in view of KILPATRICK (US-6742124-B1).

Regarding claim 8, KERSEBOOM-MARTIN teach all limitations of claim 1. However, KERSEBOOM-MARTIN does not teach “further comprising building event abstractions of the collected data for enabling the use of data across exact data set, device and version.”. 

In an analogous teaching, KILPATRICK teaches “further comprising building event abstractions of the collected data for enabling the use of data across exact data set, device and version.” ([KILPATRICK, Col. 3 lines 21-27] “In a preferred embodiment, the intrusion detection system is incorporated as part of a system call software wrapper. It is a further feature of the present invention that event abstraction enables the intrusion detection system to apply generically across various computing platforms.”) ([KILPATRICK, Col. 5 lines 50-53] “In general, event abstraction allows the wrapper writer to specify the events to be intercepted in a very generic way. This allows the algorithm to function on any system that supports generic software wrappers.”).
Thus, given the teaching of KILPATRICK, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of using event abstractions to allow collected data to be used across various other entities as taught by KILPATRICK into the teaching of a threat control method comprising interconnected nodes as taught by KERSEBOOM-MARTIN. One of ordinary skill in the art would have been motivated to do so because KILPATRICK recognizes the need to improve the efficiency of intrusion detection systems. ([KILPATRICK, Col. 3 lines 3-7] “This inefficiency has a great impact on the ability of the intrusion detection system to operate effectively in real time. Accordingly, what is needed is a mechanism for increasing the operational efficiency of a sequence-based anomaly intrusion detection system.”).

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over KERSEBOOM-MARTIN in view of DUBUC (US-20170289179-A1).
Regarding claim 11, KERSEBOOM-MARTIN teach all limitations of claim 1. However, KERSEBOOM-MARTIN does not teach “wherein the security agent modules are further configured to use sandboxing techniques for determining a remedy for the detected security threat and/or further analysing the behaviour of potentially malicious entities.”.
In an analogous teaching, DUBUC teaches “wherein the security agent modules are further configured to use sandboxing techniques for determining a remedy for the detected security threat and/or further analysing the behaviour of potentially malicious entities.” ([DUBUC, Para. 0042] “According to one embodiment, the threat analysis engine analyzes the file in a contained environment to determine the threat status of the file. In particular, the threat analysis engine performs sandboxing analysis (e.g., run-time heuristic analysis and/or emulation) on the file so as to determine behaviors exhibited by the file in the contained environment and to determine the threat status based on the observed behavior.”).
Thus, given the teaching of DUBUC, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of using sandboxing techniques to analyze malicious entities as taught by DUBUC into the teaching of a threat control method comprising interconnected nodes as taught by KERSEBOOM-MARTIN. One of ordinary skill in the art would have been motivated to do so because DUBUC recognizes the need to provide efficient security to endpoint systems. ([DUBUC, Para. 0005] “It is therefore desirable to provide an efficient, comprehensive, pro-active, and integrated technique to address the above issues and provide enhanced security to endpoint systems.”).

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over KERSEBOOM-MARTIN in view of DRISSI (US-20130198840-A1).
Regarding claim 13, KERSEBOOM-MARTIN teach all limitations of claim 1. However, KERSEBOOM-MARTIN does not teach “further comprising training machine learning models used in the detection of threats and/or as a response to threats by utilizing one or more following approaches for training machine learning models: distributed learning via combining local and global information and model parts; reinforcement learning via getting feedback on successful end results; meta-learning via utilizing external information in the learning process; and/or information sharing to bootstrap models and adjust learning behavior.”.
In an analogous teaching, DRISSI teaches “further comprising training machine learning models used in the detection of threats and/or as a response to threats by utilizing one or more following approaches for training machine learning models: distributed learning via combining local and global information and model parts; reinforcement learning via getting feedback on successful end results; meta-learning via utilizing external information in the learning process; and/or information sharing to bootstrap models and adjust learning behavior.” ([DRISSI, Para. 0049] “In this aspect of the invention a learning controller 400 is part of or connected with the governing system 100. The learning controller 400 sends training-related information 400A to the meta-learner element or component 300 and receives success/failure feedback information 400B therefrom. Over time the meta-learning system operates to evolve more and improved counter-measures to detected actual and potential cyber-threats.”) ([DRISSI, Para. 0050] “There are two major aspects of the meta-learner element or component 300 and the learning controller 400. A first aspect runs various threat scenarios 402 based on: (a) generated or synthesized possible threats 404 and on (b) a record of historical threats 406 (e.g., known viruses, known system outage/failure occurrences, known user errors, etc.) A second aspect of the meta-learner element or component 300 is an element 408 that runs various counter-measures configurations in response to the generated and historical threat scenarios.”).
The same motivation to modify KERSEBOOM-MARTIN with DRISSI as in the rejection of claim 5 applies.

The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
BARNES (US-20190007447-A1) teaches a method for peer device protection, in which a first device comprising a digital security agent is connected to another set of devices to collect data in order to detect and prevent anomalous network behavior.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AFAQ ALI whose telephone number is (571)272-1571. The examiner can normally be reached Mon - Fri 7:30am - 5:30pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/AFAQ ALI/Examiner, Art Unit 2434

/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434