Notice of Pre-AIA or AIA Status
Claims 1-33 remain for examination.  The amendment filed 5/3/22 amended claims 1, 13, & 23.  The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant’s arguments, see page 7 of the amendment filed 5/3/22, with respect to the rejection(s) of claim(s) 1-33 under 35 USC 103 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration in view of the fact that claim 13 does not recite the pertinent limitation(s) regarding the network aggregator, a new ground(s) of rejection of independent claim 13 and its dependents is made in view of the newly discovered reference to Bhatt.

Claim Rejections - 35 USC § 103
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 13-22 are rejected under 35 U.S.C. 103 as being unpatentable over Pratt (U.S. Patent 10,673,880) in view of Li (U.S. Patent 11,075,929) in view of Bhatt (U.S. Patent Publication 2018/0234445).

Regarding claim 13:
Pratt discloses a computational system, device, and method comprising: a plurality of endpoint devices each comprising: 1) a processor; 2) an operating system; 3) a computer memory (e.g. the host and/or client devices of Figure 2A and col. 11, lines 40-57 & col. 12, lines 23-35; see also col. 60, lines 1-40 regarding these devices having the cited components); and 4) instructions stored in the memory and executable by the processor for defining (i) a plurality of user applications (col. 12, lines 35-52), (ii) a plurality of sensors for monitoring calls to the operating system (the monitoring component[s] of col. 12, lines 53-63;  said components specifically being able to monitor operating system calls at col. 14, lines 1-15), (iii) a plurality of actuators for causing the processor to take specified actions for mitigating a threat or anomaly (col. 9, lines 33-65, noting that although the invention has undisclosed means for automatically implementing solutions to detected anomalous events, the “actuators” could also be understood as the human operators of the various client devices who manually implement the course[s] of action suggested by the invention), and (iv) an intelligent controller for analyzing time-windowed data from the sensors based on a machine learning model to detect anomalous behavior, and upon detecting such behavior, instructing an actuator to take a specified mitigation action (e.g. the machine learning rules-based security system beginning at col. 8, lines 35-66 etc.; ability to process time-stamped data at e.g. col. 16, lines 35-55).
Pratt as cited uses machine learning models to implement his invention, and in at least some embodiments the models can make predictions on how to respond to certain event data (col. 39, lines 30-35).  Assuming arguendo that this is not sufficient to be a predictive response model, Li discloses a related invention for using machine learning models to detect anomalies in a computer network, specifically using predictive response models (e.g. col. 21, lines 5-20).  It would have been obvious prior to the effective filing date of the instant application to employ predictive response models as one or more machine language models already employed by Pratt, as doing so allows the system to add rules to better detect anomalies in ways that the human engineers creating the system may not have otherwise recognized (Li, Ibid.; cf. Pratt, col. 39, lines 20-25).
The time-stamped data analyzed by Pratt does not appear to qualify as constituting successive time windows of sensor data.  However, Bhatt discloses a related invention for detecting anomalous activity, which can entail in some embodiments analyzing the relevant data across a series of successive time windows (Bhatt, paragraph 0028).  It would have been obvious prior to the effective filing date of the instant application to analyze successive time windows of event data to identify anomalous behavior in the Pratt invention, as doing so was a known technique in the art among those of ordinary skill in the art, in order to improve the generality of the characterization of anomalous behavior (Bhatt, Ibid., particularly the last sentence).

Regarding claim 14:	The combination further discloses wherein the sensors each include a classifier for assessing a risk associated with the monitored calls to the operating system (Pratt: col. 40, lines 5-25).

Regarding claim 15:	The combination further discloses wherein the classifier is a Bayes classifier (Pratt: col. 40, lines 5-25).

Regarding claim 16:	The combination further discloses wherein each of the applications running on an endpoint device is associated with a unique sensor and a unique actuator, each of the sensors monitoring the calls to the operating system using an API shim (Pratt: col. 14, lines 1-15).

Regarding claim 17:	The combination further discloses wherein the intelligent controllers are configured to assess, after instructing an actuator to take a specified mitigation action, a degree of effectiveness of the mitigation action (Pratt: invention receives feedback as to the accuracy of the alert at col. 9, lines 45-65; and col. 23, lines 10-17).

Regarding claim 18:	The combination further discloses wherein the predictive response models of the intelligent controllers are machine-learning models (Pratt: e.g. Abstract, etc.; Li: col. 21, lines 5-20).

Regarding claim 19:	The combination further discloses wherein at least some of the machine-learning models include a supervised learning algorithm (Pratt: col. 39, lines 20-25; Li: e.g. col. 13, lines 29-30).

Regarding claim 20:	The combination further discloses wherein at least some of the machine-learning models include an unsupervised learning algorithm (Pratt: Ibid.; Li: col. 17, lines 40-43).

Regarding claim 21:	The combination further discloses wherein the predictive response models are user-specific (Pratt: col. 35, lines 25-27).

Regarding claim 22:	The combination further discloses wherein each endpoint device further comprises a user database having fields for applications hosted by the endpoint device, permitted users for each application, and for each user, a pointer or link to a user-specific predictive model (Pratt: col. 10, lines 28-47).

Allowable Subject Matter
Claims 1-12 and 23-33 are allowable over the prior art.
The following is an examiner’s statement of reasons for allowance: Independent claims 1 and 23 recite inter alia a network aggregator that updates at least some of the predictive response models based at least in part on data received from a plurality of intelligent controllers and communicates the updated predictive response models back to the associated intelligent controllers.  The nearest prior art, Pratt (U.S. Patent 10,673,880), recites a similar invention for monitoring a system for threats and taking remedial action as necessary; however, upon further consideration the Examiner now concurs with Applicant that Pratt does not disclose communicating updated machine learning models to the individual endpoint devices, as the endpoint devices appear to rely solely on the network security platform (element 120 of Figure 2A) for all analysis based on machine learning.  Thus, Pratt’s endpoint client devices have no need of having new models communicated to them.  Neither Li nor Bhatt, nor any other reference of record, would remedy this deficiency.  Dependent claims 2-12 and 24-33 follow from independent claims 1 & 23 and are of consequence allowable.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS A GYORFI whose telephone number is (571)272-3849. The examiner can normally be reached 10:00am - 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

THOMAS A. GYORFI
Examiner
Art Unit 2435



/THOMAS A GYORFI/Examiner, Art Unit 2435, 8/19/2022

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435