DETAILED ACTION 
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendments
Claims 1, 4-6, 8, 11, 14, 16-18, and 20 have been amended. Claims 2, 3, 7, 12, 13, and 15 have been canceled. Former claims 2 and 7 are amended into claim 1. Former claims 12 and 15 are amended into claim 11. Claims 1, 4-6, 8-11, 14, and 16-20 have been examined and are pending.
Response to Arguments
Applicant's response (see pages 26-28, filed 07/25/2022) regarding the 103 rejections of Claims 1, 3, 8-9, 16-17, 35, 37, and 49 has been fully considered and is persuasive. Applicant incorporated allowable subject matter.
Applicant's amendments and response to the nonstatutory obviousness-type double patenting rejection, as set forth in the Non-Final Office Action mailed 01/24/2022, are acknowledged. After further review, co-pending application 17/137193 does not specifically claim or recite a similar scope or concept. Examiner withdraws the Double Patenting rejection.
Applicant's amendment to claims 8 and 10 has been noted. The claims have been reviewed, entered, and found to obviate the previously raised objection for minor informalities. The objection to claims 8 and 10 is hereby withdrawn.
Applicant's amendment to claims 6, 8, 11-12, and 16-20 has been noted. The claims have been reviewed, entered, and found to obviate the previously raised rejection under 35 USC 112 2nd. The rejection under 35 USC 112 2nd of claims 6, 8, 11-12, and 16-20 is hereby withdrawn.
	
Examiner's Amendments
An examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner's amendment was given via telephone from Ms. Lidia Hendy on behalf of Mr. Thomas S. Ferrill (Reg. No. 42,532) on 08/10/2022. The application has been amended as follows:
Please replace claim 1 with:
(Currently Amended) A method to protect a system from cyber threats, comprising:
plotting a behavior from a group consisting of i) one or more individual alerts, ii) one or more individual events, and iii) combinations of both, from the system into a multiple dimension space, where at least one of the dimensions is time; 
identifying one or more unusual patterns of behavior within the plotted individual alerts and/or events in the multiple dimension space; 
clustering the individual alerts and events that form the unusual pattern into a distinct item for cyber threat analysis of that cluster of distinct alerts and/or events; 
applying one or more machine learning models to infer for the cyber threat analysis on what is possibly happening with the distinct item of the cluster of distinct alerts and/or events, which came from the unusual pattern, and then assign a threat risk associated with that distinct item of the cluster of alerts and/or events forming the unusual pattern; and 
projecting on a user interface displayed on a display screen, based on the analysis by the one or more machine learning models, the assigned threat risk associated with that distinct item of the cluster of alerts and/or events forming the unusual pattern; 
where the unusual patterns of behavior are determined from a comparison of a normal pattern of life for that system corresponding to a historical normal distribution of alerts and events for that system mapped out in the same multiple dimension space as the plotted individual alerts and/or events under analysis; 
identifying similar characteristics from the individual alerts and/or events forming the distinct item made up of the cluster of alerts and/or events forming the unusual pattern;
projecting on the user interface displayed on a display screen both the assigned threat risk associated with that distinct item of the cluster of alerts and/or events forming the unusual pattern and at least a label of similar characteristics shared among the individual alerts and/or events in the distinct item of the cluster of alerts and/or events; and
projecting the individual alerts and/or events forming the cluster onto the user interface with at least three-dimensions of i) a window of time, ii) a scale indicative of the threat risk assigned for each alert and/or event in the cluster and iii) a different color for the similar characteristics shared among the individual alerts and events forming the distinct item of the cluster so that a human s what spatially and content-wise is making up a particular cluster rather than merely viewing a textual log of data.
Please replace claim 8 with:
8.	(Currently Amended) The method of claim 1, further comprising:
displaying a slider that is scripted to filter out abnormal behavior that cause events and/or alerts. including one or more clusters, which are below a set point controlled by the slider, where the events and/or alerts that are below the setpoint controlled by the slider  is not displayed on the display screen, and thus the slider allows is scripted to allow a viewer to filter out any of i) less strongly anomalous, ii) less relevant events, and/or iii) less relevant alerts, compared to the setpoint, which enables the viewer to prioritize their time to focus on displayed events and/or alerts, including one or more clusters, that are above the setpoint set by the slider; however, algorithms in the one or more machine learning models and the cluster module are configured to continue to analyze and cluster these events and/or alerts that are below the set point.

Please replace claim 16 with:
16.	(Currently Amended) A cyber threat defense system configured to protect a system against cyber security threats, comprising:
a mapping module configured to plot a behavior from a group consisting of i) one or more individual alerts, ii) one or more individual events, and iii) combinations of both, from the system into a multiple dimension space, where at least one of the dimensions is time, where the mapping module has one or more inputs configured to receive as a source of the plotted individual alerts and/or events from an output of one or more cyber security analysis tools analyzing the system, where the one or more cyber security analysis tools send and communicate the individual alerts and/or events of the system to the mapping module of the cyber threat defense system in order for the clustering module and one or more machine models to perform the analysis on the distinct item of clustering the alerts and/or events;
a clustering module configured to cooperate with the mapping module, where the clustering module is configured to identify one or more unusual patterns of behavior within the plotted individual alerts and/or events in the multiple dimension space mapped out in the same multiple dimension space as the plotted individual alerts and/or events under analysis;

where the clustering module is further configured to cluster the individual alerts and events that form the unusual pattern into a distinct item for cyber threat analysis of that cluster of distinct alerts and/or events;
where the clustering module is further configured to cooperate with one or more machine learning models, where the one or more machine learning models are configured to infer for the cyber threat analysis on what is possibly happening with the distinct item of the cluster of distinct alerts and/or events which came from the unusual pattern, and then assign a threat risk associated with that distinct item of the cluster of alerts and/or events forming the unusual pattern; and
an output module to project on a user interface displayed on a display screen, based on the analysis by the one or more machine learning models, the assigned threat risk associated with that distinct item of the cluster of alerts and/or events forming the unusual pattern, 
where each of the individual alerts and/or events in the distinct item of clustering the alerts and/or events that form the unusual pattern s subtle abnormal behavior; and thus, where the distinct item indicating the subtle abnormal behavior is a low threat risk associated with that individual alert and/or event, are determined to now have a higher threat risk than any of the individual alerts and/or events in the cluster; and accordingly, be projected by the output module onto the user interface to be brought to a viewer's attention. 

Please replace claim 17 with:
17	(Currently Amended) The apparatus of claim 11, where the output module is further configured to project the individual alerts and/or events forming the cluster onto the user interface with at least three-dimensions of i) a window of time, ii) a scale indicative of the threat risk assigned for each alert and/or event in the cluster and a third dimension of iii) a different color for the similar characteristics shared among the individual alerts and events forming the distinct item of the cluster so that a human s what spatially and content-wise is making up a particular cluster rather than merely viewing a textual log of data.

Please replace claim 18 with:
18.	(Currently Amended) The apparatus of claim 11, where the user interface is configured to also display a slider that is scripted to filter out abnormal behavior that cause events and/or alerts, including one or more clusters, which are  below a set point controlled by the slider, where the events and/or alerts that are below the setpoint controlled by the slider is not 
configured to continue to analyze and cluster these events and/or alerts below the set point.
Examiner’s Comments
Applicant's amendments and arguments (see pages 26-28 of the remarks filed 07/25/2022) have been fully considered and are persuasive. In response to Applicant's response regarding the amended independent claims 1, 11, 14, and 16, and after a complete search of the entire relevant prior art, the examiner has determined that the claims are in condition for allowance. The previous 103 rejections of claims 1-3, 8-13, and 18-20 have been withdrawn.
The claims are now in condition for allowance.
Allowable Subject Matter
Claims 1, 4-6, 8-11, 14, and 16-20 are allowed.
This communication warrants no Examiner's Reason for Allowance; applicant's reply makes evident the reasons for allowance, satisfying the “record as a whole” provision of the rule 37 CFR 1.104(e). Specifically, the substance of Applicant’s amendments and response filed on 07/25/2022 is persuasive; as such, the reasons for allowance are in all probability evident from the record and no statement is deemed necessary (see MPEP 1302.14).
None of the prior art of record, including the references cited in the Applicant's Information Disclosure Statement, either taken by itself or in any combination, would have anticipated or made obvious the invention of the present application at or before the time it was filed.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH W TAYLOR whose telephone number is (571)270-0682.  The examiner can normally be reached on Monday-Friday, 9:45-5:45.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ELENI SHIFERAW can be reached on 571-272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/Sakinah White Taylor/Primary Examiner, Art Unit 2497