DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant argues that Vaystikh does not teach "where the cyber-threat risk parameter is determined based at least in part on: an absence of expected behavior and a presence of an unexpected behavior".
The examiner respectfully disagrees.  Vaystikh teaches normal and abnormal behavior profiles (i.e., unexpected behavior) used to determine the risk score - see figure 3 and figure 5.  Therefore, Vaystikh does teach the newly added claim limitation.  Please see new 112 rejections.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 23-42 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 23-26, 29-36, and 38-42 of copending Application No. 16/390801. Although the claims at issue are not identical, they are not patentably distinct from each other because they are each drawn towards similar machine learning models with threat detection systems which self-learn to spot anomalies.
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.
Claims 23-42 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-17 of U.S. Patent No. 10,268,821. Although the claims at issue are not identical, they are not patentably distinct from each other because they are each drawn towards similar machine learning models with threat detection systems which self-learn to spot anomalies.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 23-42 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 23 and 33 recite "where the cyber-threat risk parameter is determined based at least in part on…"  However, the previous limitations only recite the output of a risk parameter, not a determination.  Perhaps the claims should recite "wherein the outputted cyber-threat risk parameter is based at least in part on…"
Claims 30 and 40 recite “the devices that are being monitored” which lacks sufficient antecedent basis.  No recitation of devices or device monitoring was previously recited.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 23-25, 27, 29-31, 33-35, 37, and 39-41 are rejected under 35 U.S.C. 103 as being unpatentable over Vaystikh et al. (US 9,154,516) in view of Dubow et al. (US 9,401,926).
Regarding claims 23 and 33, Vaystikh teaches a method for a cyber threat detection system (and said system), comprising: 
Modelling at least one of a human, machine, and other activity with a machine learning model by ingesting data from network packet data inspection, wherein the model is configured to be a self-learning model and configured to be updated when new data is received (HTTP attributes from HTTP messages (i.e., network packet data inspection) are evaluated - see column 2 lines 18-27.  This can be done by machine learning - see column 2 lines 46-51 and column 4 lines 58-65.  Operating parameters are adjusted based on previous results to more accurately discern normal behavior from abnormal behavior (i.e., updates when new data is received) - see column 4 lines 61-65).
Updating with the new data to self-learn as well as using a normality of the ingested data in order to spot true anomalies by understanding a behavior of users and machines (Operating parameters are adjusted based on previous results to more accurately discern normal behavior from abnormal behavior (i.e., updates when new data is received, spot true anomalies) - see column 4 lines 61-65.  Risk engine can be adjusted in a machine learning manner.  Feedback from earlier risk engine results can be input back into the risk engine as teaching/training/re-training and thus used to detect suspicious communications in the future - see column 9 lines 41-46.)
Outputting a cyber-threat risk parameter indicative of a cyber threat (Riskiness detection server generates risk scores.  Determined based on threshold which indicates when a communication is deemed risky (i.e., cyber threat) - see column 1 line 54 - column 2 line 5 and column 4 lines 24-36).
And where the cyber threat risk parameter is determined based at least in part on: an absence of expected behavior and a presence of an unexpected behavior (Normal and abnormal behavior profiles (i.e., unexpected behavior) used to determine risk score) - see figure 3 and figure 5.
Vaystikh does not teach ingesting data from a number of sources including endpoint parameters.
Dubow teaches a system which monitors for cyber security via machine learning, wherein a continuous monitoring system includes data sources such as the DHS Continuous Diagnostics and Monitoring suite and endpoint sensors that obtain data from the computer devices that comprise the IT system of a monitored organization.  This data collection includes data from mobile devices, enterprise devices such as servers and printers, workstations and network devices such as routers - see abstract, column 3 lines 4-21, and column 3 lines 56-60.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Vaystikh by ingesting data from a number of sources including endpoint parameters, in order to monitor more of the network, which would increase security for the network, based upon the beneficial teachings provided by Dubow.  
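To make the mapped limitations of claims 23 and 33 concrete, the following is an added illustration written for this page; it is not code from Vaystikh, Dubow, or the present application. It assumes a simplified "pattern of life" baseline per user or machine (a constructed behavior label such as 'vpn:connect' per observation window), computes a risk parameter from two terms the claim names, the absence of expected behavior and the presence of unexpected behavior, flags the window against a threshold, and then shows the self-learning step: analyst feedback is ingested back into the baseline so the same behavior scores lower on the next pass. All sample events, label names and weights are constructed for the example.

```python
"""Added example: a self-learning pattern-of-life baseline producing a
cyber-threat risk parameter from (a) expected behavior that is absent and
(b) unexpected behavior that is present.  Not the patent's implementation."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set


@dataclass
class PatternOfLife:
    """Baseline for one user or machine: in how many observation windows
    each behavior label has been seen.  Updated whenever new data arrives."""
    windows: int = 0
    seen_in_windows: Counter = field(default_factory=Counter)

    def ingest(self, behaviors: Iterable[str]) -> None:
        """Self-learning step: fold one new window of behaviors into the baseline."""
        self.windows += 1
        for behavior in set(behaviors):
            self.seen_in_windows[behavior] += 1

    def frequency(self, behavior: str) -> float:
        """Fraction of observed windows in which the behavior appeared."""
        return self.seen_in_windows[behavior] / self.windows if self.windows else 0.0

    def expected(self, min_frequency: float = 0.8) -> Set[str]:
        """Behaviors seen often enough that their absence is itself a signal."""
        return {b for b in self.seen_in_windows if self.frequency(b) >= min_frequency}


@dataclass
class RiskAssessment:
    absent_expected: Set[str]      # expected behavior that did not occur
    present_unexpected: Set[str]   # behavior never seen for this entity before
    risk: float                    # the cyber-threat risk parameter, 0.0 .. 1.0
    flagged: bool                  # risk met the configured threshold


def assess(baseline: PatternOfLife, behaviors: Iterable[str], threshold: float = 0.5,
           w_absent: float = 0.4, w_unexpected: float = 0.6) -> RiskAssessment:
    """Score one window against the entity's baseline.  Weights and threshold
    are constructed for the example and would be tuned from feedback."""
    present = set(behaviors)
    expected = baseline.expected()
    absent = expected - present
    unexpected = {b for b in present if baseline.frequency(b) == 0.0}
    absent_ratio = len(absent) / len(expected) if expected else 0.0
    unexpected_ratio = len(unexpected) / len(present) if present else 0.0
    risk = round(w_absent * absent_ratio + w_unexpected * unexpected_ratio, 6)
    return RiskAssessment(absent, unexpected, risk, risk >= threshold)


def demo() -> Dict[str, RiskAssessment]:
    """Constructed scenario: ten normal days for one user, then one odd day,
    then the odd day re-scored after an analyst confirms it was benign."""
    routine = {"login:workstation", "vpn:connect", "mail:read", "fileshare:read"}
    baseline = PatternOfLife()
    for _ in range(10):
        baseline.ingest(routine)

    # Odd window: two routine behaviors missing, two never-seen ones present.
    odd_day = {"mail:read", "fileshare:read", "admin:create_user", "fileshare:bulk_download"}
    results = {
        "normal": assess(baseline, routine),
        "suspicious": assess(baseline, odd_day),
    }

    # Feedback/re-training: the analyst marks the odd day benign, so it is
    # ingested and the novel behaviors stop counting as unexpected.
    baseline.ingest(odd_day)
    results["after_feedback"] = assess(baseline, odd_day)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} risk={result.risk:.2f} flagged={result.flagged} "
              f"absent={sorted(result.absent_expected)} "
              f"unexpected={sorted(result.present_unexpected)}")
```

In the scenario the routine day scores 0.0, the odd day scores 0.5 (half of the expected behaviors absent, half of the observed behaviors novel) and is flagged, and after the benign feedback is ingested the same day scores 0.2 and is no longer flagged, because only the absence term remains. The two terms are kept separate in the result so an analyst can see which behaviors drove the score rather than only the aggregate number.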

Regarding claims 24 and 34, Dubow teaches using probes to take input from an environment selected combination of at least the network packet data inspection and the endpoint parameters (Endpoint sensors and additional networking sensors) - see column 3 lines 4-30.

Regarding claims 25 and 35, Vaystikh teaches building and maintaining a dynamic, ever-changing model of a normal behavior of each user and each machine protected by the cyber threat detection system (Feedback from earlier risk engine results can be input back into the risk engine as teaching/training/re-training and thus used to detect suspicious communications in the future - see column 9 lines 41-46).

Regarding claims 27 and 37, Vaystikh teaches developing a pattern of life, based on the data gathered regarding a first user, with a first machine learning model (Behavior profiles describe normal behaviors - see column 7 lines 31-38.  Feedback from earlier risk engine results can be input back into the risk engine as teaching/training/re-training (i.e., constructs pattern of life) and thus used to detect suspicious communications in the future - see column 9 lines 41-46.  User string profiles are used for monitoring user behavior - see column 3 lines 10-18).

Regarding claims 29 and 39, Vaystikh teaches that a presence of the anomalous behavior is indicative of the cyber threat and factored into the cyber threat risk parameter, and wherein the pattern of life analysis identifies how the human and/or machine behaves over time (Riskiness detection server generates risk scores.  Determined based on threshold which indicates when a communication is deemed risky (i.e., cyber threat) - see column 1 line 54 - column 2 line 5 and column 4 lines 24-36.  Feedback from earlier risk engine results can be input back into the risk engine as teaching/training/re-training (i.e., constructs pattern of life) and thus used to detect suspicious communications in the future - see column 9 lines 41-46).

Regarding claims 30 and 40, Vaystikh teaches converting the data inputs into a normative model of individual devices (Behavior profiles describe normal behaviors - see column 7 lines 31-38.  Feedback from earlier risk engine results can be input back into the risk engine as teaching/training/re-training (i.e., constructs pattern of life) and thus used to detect suspicious communications in the future - see column 9 lines 41-46.  User string profiles are used for monitoring user behavior - see column 3 lines 10-18).

Regarding claims 31 and 41, Vaystikh teaches analyzing patterns in information and activity and building an understanding of what is normal at any one time, and what is genuinely anomalous, based on a current threat and network environment in order to control a number of false positives (Feedback from earlier risk engine results can be input back into the risk engine as teaching/training/re-training (i.e., constructs pattern of life) and thus used to detect suspicious communications in the future - see column 9 lines 41-46.  The Examiner notes that teaching/training/retraining would intrinsically reduce false positives as normal versus truly anomalous behavior is learned).

Claims 26 and 36 are rejected under 35 U.S.C. 103 as being unpatentable over Vaystikh et al. (US 9,154,516) in view of Dubow et al. (US 9,401,926), and further in view of Cohen-Ganor (US 8,661,538).
The teachings of Vaystikh and Dubow are relied upon for the reasons set forth above.
Regarding claims 26 and 36, Vaystikh and Dubow do not teach analyzing links between data associated with a first entity and data associated with a second entity, where the link between these entities in a system are taken into consideration when performing a threat detection determination.
Cohen-Ganor teaches a system wherein first and second fraud related risk scores associated with first and second nodes are provided. A relation strength (link) related to a relation between the first and second nodes may be determined. The relation strength and the node risk scores may be used to calculate a cluster risk score for a cluster of nodes - see [0006] and [0007].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Vaystikh and Dubow by analyzing links and using this to perform threat detection, in order to have a more accurate risk score based on connections with other entities, based upon the beneficial teachings provided by Cohen-Ganor. This would result in increased security.

Claims 28 and 38 are rejected under 35 U.S.C. 103 as being unpatentable over Vaystikh et al. (US 9,154,516) in view of Dubow et al. (US 9,401,926), and further in view of Brezinski (US 9,348,742).
The teachings of Vaystikh and Dubow are relied upon for the reasons set forth above.
Regarding claims 28 and 38, Vaystikh further teaches using the first machine learning model modelling the pattern of life of the first user as a moving benchmark, which allows the cyber threat detection system to spot behavior of the first user that seems to fall outside of the normal pattern of life and then flagging this behavior as anomalous (Feedback from earlier risk engine results can be input back into the risk engine as teaching/training/re-training (i.e., moving benchmark) and thus used to detect suspicious communications in the future (i.e., outside normal pattern of life) - see column 9 lines 41-46.  Riskiness detection server generates risk scores.  Determined based on threshold which indicates when a communication is deemed risky (i.e., flagging as anomalous) - see column 1 line 54 - column 2 line 5 and column 4 lines 24-36).
Vaystikh and Dubow do not teach that the machine learning model modelling the pattern of life uses unsupervised machine learning.
Brezinski teaches an unsupervised machine learning module (self-learning model) based on normal or typical behavior in order to detect anomalous behavior - see column 10 lines 18-36.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Vaystikh and Dubow by using unsupervised machine learning, in order to increase efficiency, based upon the beneficial teachings provided by Brezinski.

Claims 32 and 42 are rejected under 35 U.S.C. 103 as being unpatentable over Vaystikh et al. (US 9,154,516) in view of Dubow et al. (US 9,401,926), and further in view of Mayer et al. (US 7,890,869).
The teachings of Vaystikh and Dubow are relied upon for the reasons set forth above.
Regarding claims 32 and 42, Vaystikh and Dubow do not teach projecting the cyber threat risk parameter on a graphical user interface that conveys cyber threats across a packet flow and connection topology corresponding to a computer system being protected by the cyber threat detection system.
Mayer teaches a system that provides visualization of network wide risk analysis in the form of a GUI with customizable at-a-glance views of the network - see figures 4A and 4B (threat views), abstract, and column 13 lines 1-8. Mayer does not teach that the GUI depicts in 3D. This is however considered a design choice well within the purview of the skilled artisan.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings provided by Vaystikh and Dubow by displaying the cyber threats across packet flow and connections of a network on a GUI, for the purpose of visualization, thus enhancing user experience, based upon the beneficial teachings provided by Mayer.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LISA C LEWIS whose telephone number is (571)270-7724. The examiner can normally be reached Monday - Thursday 7am-2pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/LISA C LEWIS/Primary Examiner, Art Unit 2495