Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This communication is in response to the application filed on 11/13/2020. Claims 1-20 are currently pending.
Suggestions on how to overcome any objection(s) and rejection(s) raised in this office action are found at the end of such sections. 
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11/13/2020 was filed before the mailing date of the office action on 08/13/2022.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claim(s) 1-5, 10-14, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over PGPub. No. 20200401696 to Ringlein et al. (hereinafter Ringlein) in view of PGPub. No. 20190340354 to GAMBLE Jamie. (hereinafter GAMBLE).

Regarding claim 1, Ringlein discloses a method for processing information security events to detect cyberattacks on a computer system (“Security Incident and Event Management”, ¶0025) the method comprising: 
receiving information related to a plurality of information security events occurred in the computer system (“… which collect security events and provide the security event data to the SIEM computing system 110 where it is logged in a security log data structure 112”, ¶0059, FIG. 1A)
wherein each of the plurality of information security events comprises an event related to a possible violation of information security of the computer system (“perform analysis of the security events to identify event data indicative of suspicious activity that may be indicative of a security attack or vulnerability…”, ¶0059); 
determining a verdict for each of the plurality of the received information security events, wherein the verdict comprises: i) information security incident or ii) false positive (“determine whether the security alerts 120 represent an actual security threat, for which a responsive action is to be performed (e.g., escalate 134), or a false-positive generated by the SIEM rules applied by the SIEM computing system 110, for which no responsive action is necessary (e.g., do not escalate 136)”, ¶0063);
and performing analysis of the information security events having a verdict of the information security incident to determine if the computer system is under a cyberattack (“determine if the security events potentially represent attacks/threats”, ¶0102).  
However, Ringlein does not explicitly disclose the following limitations taught by GAMBLE:
“and wherein the verdict is false positive if the probability of a false positive for the corresponding information security event is greater than a first threshold” 
“changing verdicts for a subset of the plurality of information security events from the false positive to the information security incident, wherein a number of information security events in the subset is lower than a second threshold”; 
	GAMBLE discloses a weighting or probability indicating likelihood that the security event is a false positive (“the descriptive data comprises a risk rating, a weighting or probability indicating likelihood that the security event is a false positive, the time the security event occurred, what phase of an attack lifecycle the security event potentially corresponds to, and the frequency of observed occurrences”, ¶0077),
	and a stability measure to remove false positive security events from the output data structure (“The stability measure can then be used to remove false positives, or adjust measure related to the event which measure the severity, impact, or danger associated with the event”, ¶0008, wherein only the threats (security incidents) are left for analysis after the removal of false positives from the data set).
	GAMBLE also discloses the use of a threshold or data measure to identify the outliers (“Security platform 100 can use a threshold or data measure such as standard deviations to identify the outliers”, ¶0082, wherein the outliers represent the security events).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of Ringlein to include the concept of determining the likelihood of events being false positives and removing false positives from the dataset as disclosed by GAMBLE, and would have been motivated to do so in order to reduce an initial set of security events, and thus reduce the size of a data structure tracking a set of security events (GAMBLE ¶0012 in part).


Regarding claim 2, Ringlein in view of GAMBLE discloses the method of claim 1. 
Ringlein further discloses wherein receiving information related to the plurality of information security events further comprises receiving one or more event security notifications related to an object of the computer system (“notification message”, ¶0035) 
and wherein the one or more event security notifications include a marker characterizing an event that occurred in the computer system and a timestamp indicating time interval during which corresponding information about the event was gathered (“If the security incident ML model is operating with acceptable quality, then the security incident ML model is ready for deployment and runtime evaluation of security incidents”, ¶0040),
and wherein the first threshold is related to a quality metric of the trained machine learning model (“the output generated by the trained security incident ML model may be evaluated using various metrics”, ¶0040).
Regarding claim 3, Ringlein in view of GAMBLE discloses the method of claim 2. 
Ringlein further discloses wherein the verdict is determined using a trained machine learning model (“machine learning based model, such as a neural network model”, ¶0033) based on at least one of the following: characteristics of the one or more event security notifications, one or more sources of the one or more event security notifications, characteristics of the one or more sources of the one or more event security notifications (“and predict a disposition of the security incident based on the recognized patterns”, ¶0033, wherein the recognized patterns are the characteristics/features of the event security notification).


Regarding claim 4, Ringlein in view of GAMBLE discloses the method of claim 1. 
Ringlein further discloses wherein performing the analysis of the information security events further comprises performing the analysis of the information security events having a lowest probability of a false positive (“The prediction output is then provided to a security analyst, logged in a security alert database, and/or otherwise made available for further processing or evaluation by security analysts to handle security alerts that represent true security threats and avoid wasted resource expenditures on security alerts that are likely false positives (step 350)”, ¶0094).

Regarding claim 5, Ringlein in view of GAMBLE discloses the method of claim 1. 
Ringlein further discloses wherein the verdict comprises one of: a fuzzy verdict (“when a probability or confidence value associated with the security incident disposition recommendation is below a predetermined threshold, indicating that there is not a sufficient amount of confidence that the corresponding disposition recommendation is correct”, ¶0043), a tentative verdict, a final verdict (“correct disposition classifications for the security incidents”, ¶0011, wherein correct disposition classification represents final verdict).
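The method recited in claims 1, 4 and 5 above (a false-positive verdict when the false-positive probability exceeds a first threshold, reclassifying a subset of false positives smaller than a second threshold back to incidents, analysing incidents starting with the lowest false-positive probability, and a fuzzy verdict near the decision boundary), written out as an added Python illustration; this is not code from the application, from Ringlein or GAMBLE, or from the examiner. The sample events, the fuzzy margin, the rule for picking the reclassified subset and the same-source attack heuristic are constructed assumptions, since the claims fix only the thresholds and the subset size.

```python
from dataclasses import dataclass
from typing import Dict, List

INCIDENT = "information security incident"
FALSE_POSITIVE = "false positive"


@dataclass
class SecurityEvent:
    """One information security event. fp_probability is the probability that
    the event is a false positive; in the claimed method it would come from a
    trained machine learning model, here it is a constructed value."""
    event_id: str
    source: str
    fp_probability: float
    verdict: str = ""
    verdict_kind: str = ""   # "final" or "fuzzy" (claim 5 style qualifier)


def determine_verdicts(events: List[SecurityEvent], first_threshold: float,
                       fuzzy_margin: float = 0.1) -> List[SecurityEvent]:
    """Claim 1: verdict is false positive if fp_probability exceeds the first
    threshold, otherwise information security incident. Events within
    fuzzy_margin of the threshold are tagged as a fuzzy (low-confidence)
    verdict; the margin is an assumed parameter, not from the claims."""
    for ev in events:
        ev.verdict = FALSE_POSITIVE if ev.fp_probability > first_threshold else INCIDENT
        near_boundary = abs(ev.fp_probability - first_threshold) <= fuzzy_margin
        ev.verdict_kind = "fuzzy" if near_boundary else "final"
    return events


def reclassify_subset(events: List[SecurityEvent], second_threshold: int) -> List[str]:
    """Claim 1: change the verdict of a subset of false positives back to
    incident, the subset size being strictly lower than second_threshold.
    The claim bounds only the size; picking the false positives with the
    lowest fp_probability (closest to the boundary) is an assumption."""
    size = max(second_threshold - 1, 0)
    candidates = sorted((ev for ev in events if ev.verdict == FALSE_POSITIVE),
                        key=lambda ev: ev.fp_probability)
    flipped = candidates[:size]
    for ev in flipped:
        ev.verdict = INCIDENT
    return [ev.event_id for ev in flipped]


def analyze_incidents(events: List[SecurityEvent], same_source_min: int = 3) -> Dict:
    """Claim 4: analyse incidents starting with the lowest false-positive
    probability. The attack heuristic (same_source_min incidents from one
    source means the system is under attack) is an assumed stand-in for a
    real correlation step."""
    incidents = sorted((ev for ev in events if ev.verdict == INCIDENT),
                       key=lambda ev: ev.fp_probability)
    per_source: Dict[str, int] = {}
    for ev in incidents:
        per_source[ev.source] = per_source.get(ev.source, 0) + 1
    return {
        "analysis_order": [ev.event_id for ev in incidents],
        "incidents_per_source": per_source,
        "under_attack": any(n >= same_source_min for n in per_source.values()),
    }


def constructed_events() -> List[SecurityEvent]:
    """Constructed sample input (not taken from the application or prior art)."""
    return [
        SecurityEvent("E1", "host-a", 0.05),
        SecurityEvent("E2", "host-a", 0.35),
        SecurityEvent("E3", "host-b", 0.72),
        SecurityEvent("E4", "host-c", 0.95),
        SecurityEvent("E5", "host-a", 0.65),
    ]


def run_pipeline(first_threshold: float = 0.7, second_threshold: int = 2) -> Dict:
    """Run the three claimed steps over the constructed events."""
    events = determine_verdicts(constructed_events(), first_threshold)
    flipped = reclassify_subset(events, second_threshold)
    result = analyze_incidents(events)
    result["flipped_to_incident"] = flipped
    result["verdicts"] = {ev.event_id: (ev.verdict, ev.verdict_kind) for ev in events}
    return result


if __name__ == "__main__":
    for key, value in run_pipeline().items():
        print(f"{key}: {value}")
```

With the constructed thresholds (0.7 and 2) only one false positive, the one nearest the boundary, is returned to the incident set, and the incident analysis then runs from the most confident incident to the least.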

Regarding claim 10, Ringlein discloses a system for processing information security events to detect cyberattacks on a computer system, the system comprising:
a hardware processor (“…one processor and at least one memory…”, ¶0007) configured to: 
receive information related to a plurality of information security events occurred in the computer system (“… which collect security events and provide the security event data to the SIEM computing system 110 where it is logged in a security log data structure 112”, ¶0059, FIG. 1A),
 wherein each of the plurality of information security events comprises an event related to a possible violation of information security of the computer system (“perform analysis of the security events to identify event data indicative of suspicious activity that may be indicative of a security attack or vulnerability…”, ¶0059); 

determine a verdict for each of the plurality of the received information security events, wherein the verdict comprises: i) information security incident or ii) false positive (“determine whether the security alerts 120 represent an actual security threat, for which a responsive action is to be performed (e.g., escalate 134), or a false-positive generated by the SIEM rules applied by the SIEM computing system 110, for which no responsive action is necessary (e.g., do not escalate 136)”, ¶0063); and
perform analysis of the information security events having a verdict of the information security incident to determine if the computer system is under a cyberattack (“determine if the security events potentially represent attacks/threats”, ¶0102).  

However, Ringlein does not explicitly disclose the following limitation taught by GAMBLE:
“and wherein the verdict is false positive if the probability of a false positive for the corresponding information security event is greater than a first threshold” 
“change verdicts for a subset of the plurality of information security events from the false positive to the information security incident, wherein a number of information security events in the subset is lower than a second threshold”; 
	GAMBLE discloses a weighting or probability indicating likelihood that the security event is a false positive (“the descriptive data comprises a risk rating, a weighting or probability indicating likelihood that the security event is a false positive, the time the security event occurred, what phase of an attack lifecycle the security event potentially corresponds to, and the frequency of observed occurrences”, ¶0077),
	and a stability measure to remove false positive security events from the output data structure (“The stability measure can then be used to remove false positives, or adjust measure related to the event which measure the severity, impact, or danger associated with the event”, ¶0008, wherein only the threats (security incidents) are left for analysis after the removal of false positives from the data set).
	GAMBLE also discloses the use of a threshold or data measure to identify the outliers (“Security platform 100 can use a threshold or data measure such as standard deviations to identify the outliers”, ¶0082, wherein the outliers represent the security events).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of Ringlein to include the concept of determining the likelihood of events being false positives and removing false positives from the dataset as disclosed by GAMBLE, and would have been motivated to do so in order to reduce an initial set of security events, and thus reduce the size of a data structure tracking a set of security events (GAMBLE ¶0012 in part).


Regarding claim 11, Ringlein in view of GAMBLE discloses the system of claim 10. 
Ringlein further discloses wherein the hardware processor configured to receive information related to the plurality of information security events is further configured to receive one or more event security notifications related to an object of the computer system  (“notification message”, ¶0035) 
and wherein the one or more event security notifications include a marker characterizing an event that occurred in the computer system and a timestamp indicating time interval during which corresponding information about the event was gathered (“If the security incident ML model is operating with acceptable quality, then the security incident ML model is ready for deployment and runtime evaluation of security incidents”, ¶0040),
and wherein the first threshold is related to a quality metric of the trained machine learning model (“the output generated by the trained security incident ML model may be evaluated using various metrics”, ¶0040).


Regarding claim 12, Ringlein in view of GAMBLE discloses the system of claim 11. 
Ringlein further discloses wherein the verdict is determined using a trained machine learning model (“machine learning based model, such as a neural network model”, ¶0033) based on at least one of the following: characteristics of the one or more event security notifications, one or more sources of the one or more event security notifications, characteristics of the one or more sources of the one or more event security notifications (“and predict a disposition of the security incident based on the recognized patterns”, ¶0033, wherein the recognized patterns are the characteristics/features of the event security notification).


Regarding claim 13, Ringlein in view of GAMBLE discloses the system of claim 10. 
Ringlein further discloses wherein the hardware processor configured to perform the analysis of the information security events is further configured to perform the analysis of the information security events having a lowest probability of a false positive (“The prediction output is then provided to a security analyst, logged in a security alert database, and/or otherwise made available for further processing or evaluation by security analysts to handle security alerts that represent true security threats and avoid wasted resource expenditures on security alerts that are likely false positives (step 350)”, ¶0094).

Regarding claim 14, Ringlein in view of GAMBLE discloses the system of claim 10. 
Ringlein further discloses wherein the verdict comprises one of: a fuzzy verdict (“when a probability or confidence value associated with the security incident disposition recommendation is below a predetermined threshold, indicating that there is not a sufficient amount of confidence that the corresponding disposition recommendation is correct”, ¶0043), a tentative verdict, a final verdict (“correct disposition classifications for the security incidents”, ¶0011, wherein correct disposition classification represents final verdict).

Regarding claim 19, Ringlein discloses a non-transitory computer readable medium storing thereon computer executable instructions (¶0014) for processing information security events to detect cyberattacks on a computer system (“Security Incident and Event Management”, ¶0025), including instructions for:
receiving information related to a plurality of information security events occurred in the computer system (“… which collect security events and provide the security event data to the SIEM computing system 110 where it is logged in a security log data structure 112”, ¶0059, FIG. 1A),
 
wherein each of the plurality of information security events comprises an event related to a possible violation of information security of the computer system (“perform analysis of the security events to identify event data indicative of suspicious activity that may be indicative of a security attack or vulnerability…”, ¶0059); 
determining a verdict for each of the plurality of the received information security events, wherein the verdict comprises: i) information security incident or ii) false positive (“determine whether the security alerts 120 represent an actual security threat, for which a responsive action is to be performed (e.g., escalate 134), or a false-positive generated by the SIEM rules applied by the SIEM computing system 110, for which no responsive action is necessary (e.g., do not escalate 136)”, ¶0063); and
performing analysis of the information security events having a verdict of the information security incident to determine if the computer system is under a cyberattack (“determine if the security events potentially represent attacks/threats”, ¶0102).
However, Ringlein does not explicitly disclose the following limitation taught by GAMBLE:
“and wherein the verdict is false positive if the probability of a false positive for the corresponding information security event is greater than a first threshold” 
“changing verdicts for a subset of the plurality of information security events from the false positive to the information security incident, wherein a number of information security events in the subset is lower than a second threshold”; 
	GAMBLE discloses a weighting or probability indicating likelihood that the security event is a false positive (“the descriptive data comprises a risk rating, a weighting or probability indicating likelihood that the security event is a false positive, the time the security event occurred, what phase of an attack lifecycle the security event potentially corresponds to, and the frequency of observed occurrences”, ¶0077),
	and a stability measure to remove false positive security events from the output data structure (“The stability measure can then be used to remove false positives, or adjust measure related to the event which measure the severity, impact, or danger associated with the event”, ¶0008, wherein only the threats (security incidents) are left for analysis after the removal of false positives from the data set).
	GAMBLE also discloses the use of a threshold or data measure to identify the outliers (“Security platform 100 can use a threshold or data measure such as standard deviations to identify the outliers”, ¶0082, wherein the outliers represent the security events).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of Ringlein to include the concept of determining the likelihood of events being false positives and removing false positives from the dataset as disclosed by GAMBLE, and would have been motivated to do so in order to reduce an initial set of security events, and thus reduce the size of a data structure tracking a set of security events (GAMBLE ¶0012 in part).
	
Regarding claim 20, Ringlein in view of GAMBLE discloses the non-transitory computer readable medium of claim 19. 
Ringlein further discloses wherein the instructions for receiving information related to the plurality of information security events further comprise instructions for receiving one or more event security notifications related to an object of the computer system (“notification message”, ¶0035) 
and wherein the one or more event security notifications include a marker characterizing an event that occurred in the computer system and a timestamp indicating time interval during which corresponding information about the event was gathered (“If the security incident ML model is operating with acceptable quality, then the security incident ML model is ready for deployment and runtime evaluation of security incidents”, ¶0040),
and wherein the first threshold is related to a quality metric of the trained machine learning model (“the output generated by the trained security incident ML model may be evaluated using various metrics”, ¶0040).


Claims 6-7 and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over PGPub. No. 20200401696 to Ringlein et al. (hereinafter Ringlein) in view of PGPub. No. 20190340354 to GAMBLE Jamie. (hereinafter GAMBLE) and further in view of PGPub. No. 20190207967 to Vashisht et al. (hereinafter Vashisht).

Regarding claim 6, Ringlein in view of GAMBLE discloses the method of claim 2.
However, Ringlein and GAMBLE do not explicitly disclose the following limitation taught by Vashisht: wherein the marker characterizing an event that occurred in the computer system includes at least one of the following: a checksum of at least a portion of the object, a source of a resource from which the object was embedded on the computer system, results of an emulation of the execution of the object, a log of calls of system functions from the object, time of appearance of the object on the computer system, data being transmitted by the object through a computer network.
Vashisht discloses metadata of an object ID that includes a checksum among other object identifiers (“…a checksum, or other representation based on content forming the object”, ¶0027).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of Ringlein and GAMBLE to include the concept of characterizing an event with a checksum of the object as disclosed by Vashisht, and would have been motivated to do so in order to verify the verdict/classification of the security incident (Vashisht ¶0027 in part).

Regarding claim 7, Ringlein in view of GAMBLE discloses the method of claim 1. 
However, Ringlein in view of GAMBLE does not disclose the following limitation taught by Vashisht:
wherein determining the verdict further comprises calculating a hash for a corresponding object and determining if the calculated hash corresponds to a known malicious object.
Vashisht discloses a hash value of an artifact and determining whether the hash corresponds to a malicious object (“the meta-information 610 includes a hash value of the artifact (i.e., object)”, ¶0144; “determines whether the artifact (represented by the hash value) is malicious”, ¶0144).

Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of Ringlein and GAMBLE in claim 1 to include the concept of a hash of the object as disclosed by Vashisht, and would have been motivated to do so in order to verify the verdict/classification of the security incident (Vashisht ¶0027 in part).


Regarding claim 15, Ringlein in view of GAMBLE discloses the system of claim 11.
However, Ringlein and GAMBLE do not explicitly disclose the following limitation taught by Vashisht:
wherein the marker characterizing an event that occurred in the computer system includes at least one of the following: a checksum of at least a portion of the object, a source of a resource from which the object was embedded on the computer system, results of an emulation of the execution of the object, a log of calls of system functions from the object, time of appearance of the object on the computer system, data being transmitted by the object through a computer network.
Vashisht discloses metadata of an object ID that includes a checksum among other object identifiers (“…a checksum, or other representation based on content forming the object”, ¶0027).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of Ringlein and GAMBLE to include the concept of characterizing an event with a checksum of the object as disclosed by Vashisht, and would have been motivated to do so in order to verify the verdict/classification of the security incident (Vashisht ¶0027 in part).

Regarding claim 16, Ringlein in view of GAMBLE discloses the system of claim 10. 
However, Ringlein in view of GAMBLE does not disclose the following limitation taught by Vashisht:
wherein the hardware processor configured to determine the verdict is further configured to calculate a fuzzy hash for a corresponding object and to determine if the calculated hash corresponds to a known malicious object.
Vashisht discloses a hash value of an artifact and determining whether the hash corresponds to a malicious object (“the meta-information 610 includes a hash value of the artifact (i.e., object)”, ¶0144; “determines whether the artifact (represented by the hash value) is malicious”, ¶0144).

Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of Ringlein and GAMBLE in claim 10 to include the concept of a hash of the object as disclosed by Vashisht, and would have been motivated to do so in order to verify the verdict/classification of the security incident (Vashisht ¶0027 in part).
 
Claims 8-9 and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over PGPub. No. 20200401696 to Ringlein et al. (hereinafter Ringlein) in view of PGPub. No. 20190340354 to GAMBLE Jamie. (hereinafter GAMBLE) and further in view of PGPub. No. 20170262633 to Miserendino et al. (hereinafter Miserendino).


Regarding claim 8, Ringlein in view of GAMBLE discloses the method of claim 3. 
However, Ringlein in view of GAMBLE does not explicitly disclose the following limitation taught by Miserendino: further comprising determining the second threshold based on the results of the analysis performed on the first set of the information security events.
Miserendino discloses an algorithm that first calculates a threshold that maximizes the measure of quality to optimal, and then establishes two additional default threshold options based on the provided minimum and maximum, the optimal threshold and the acceptable deviation (“The algorithm works by first calculating the threshold that maximizes the measure of quality to optimal, and establishing two additional default threshold options based on the provided minimum and maximum, optimal threshold and the acceptable deviation”, ¶0144, wherein the additional threshold is determined based on the analysis of events that produced the calculated threshold).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of Ringlein and GAMBLE to include the concept of determining a second threshold based on the result of the analysis performed on the first set of security events as disclosed by Miserendino, and would have been motivated to do so because it allows users to automatically adjust the threshold setting towards either lower false positives or lower false negatives (Miserendino ¶0118 in part).

Regarding claim 9, Ringlein in view of GAMBLE and further in view of Miserendino discloses the method of claim 8.
Ringlein further discloses “further comprising modifying a training sample of the trained machine learning model based on the results of the analysis performed on the first set of information security events” (“…modify the operational parameters of the security incident ML model…”, ¶0030).
	

Regarding claim 17, Ringlein in view of GAMBLE discloses the system of claim 12.
However, Ringlein in view of GAMBLE does not explicitly disclose the following limitation taught by Miserendino: 
wherein the hardware processor is further configured to determine the second threshold based on the results of the analysis performed on the first set of the information security events.  
Miserendino discloses an algorithm that first calculates a threshold that maximizes the measure of quality to optimal, and then establishes two additional default threshold options based on the provided minimum and maximum, the optimal threshold and the acceptable deviation (“The algorithm works by first calculating the threshold that maximizes the measure of quality to optimal, and establishing two additional default threshold options based on the provided minimum and maximum, optimal threshold and the acceptable deviation”, ¶0144, wherein the additional threshold is determined based on the analysis of events that produced the calculated threshold).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of Ringlein and GAMBLE to include the concept of determining a second threshold based on the result of the analysis performed on the first set of security events as disclosed by Miserendino, and would have been motivated to do so because it allows users to automatically adjust the threshold setting towards either lower false positives or lower false negatives (Miserendino ¶0118 in part).

Regarding claim 18, Ringlein in view of GAMBLE and further in view of Miserendino discloses the system of claim 17. 
Ringlein further discloses wherein the hardware processor is further configured to modify a training sample of the trained machine learning model based on the results of the analysis performed on the first set of information security events (“…modify the operational parameters of the security incident ML model…”, ¶0030).



Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: U.S. PGPub. No. 20190064752.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUDASIRU K OLAEGBE whose telephone number is (571)272-2082. The examiner can normally be reached MON-FRI. 7.30AM-5.30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr, can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MUDASIRU K OLAEGBE/Examiner, Art Unit 2495
/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495