Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Priority
This application is a continuation of U.S. patent application Ser. No. 15/011,414, filed Jan. 29, 2016, and titled “Detection Of Security Transactions,” the entire contents of which are hereby incorporated by reference herein.
DETAILED ACTION
This Office Action is in response to a non-provisional patent application received on 09/30/2020. Claims 1-20 have been received for consideration and have been examined. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over the NPL document by Bhatt et al., titled “Towards a Framework to Detect Multi-Stage Advanced Persistent Threat Attacks” (dated 2014), hereinafter referred to as NPL, in view of Treat et al. (US9641544B1).
Regarding claim 1, NPL discloses:
A method implemented using a computing device, comprising: 
accessing a security model definition, wherein the security model definition maps transaction phases of a multiphase cyber-attack to categories of detection sources that are within an information technology (IT) environment and that are capable of detecting a security threat (NPL Page # 390; Col. 1; ‘A. Multi-Stage Attack Model’ discloses Intrusion Kill Chain Model (IKC) of seven phases; See Page # 392, Col. 2, ‘Intelligence Module’ discloses detecting multi-stage attack using algorithms for log correlation and is responsible for automatic IKC search based on potential malicious events detected; see Page # 393, Table 1 ‘Defense Plan’ discloses mapping/accessing IKC model at each stage to detect and prevent attacks); 
determining, for each event in a set of events generated from raw machine data (i.e., logs from various sensors from the security architecture; see Page # 392 ‘Logging Module’) produced by assets in the IT environment, zero or more transaction phases (i.e., Seven (7) phases of Intrusion Kill Chain (IKC) mentioned in ‘TABLE I. DEFENSE PLAN’ on page # 393) associated with the event (Page # 392, Col. 2, ‘Intelligence Module’ discloses algorithms for log correlation and is responsible for automatic IKC search based on potential malicious events detected; also see page # 393, Col. 2, where the ‘Intelligence Module’ collects logs from different controls and normalizes the logs to determine the phases of the multi-stage attack), 
wherein the event is associated with a data source in the IT environment that produced the event (Page # 393, Col. 2, Table I; The main input to the intelligence module is the collected logs from the different prevention and detection controls. Each log is normalized [6] to provide attributes that identify the control, date and time, type of attack, source, destination, and payload attributes; when attempting to rebuild the IKC the analysis identifies which control sourced the event under scrutiny, see also Page # 394, section VI. B. “explorer.exe” alert from OSSEC syscheck, which is a HIDS as per footnote 15), and 
wherein the zero or more transaction phases are determined by comparing the data source associated with event to the categories of detection sources mapped by the security model definition to the transaction phases (See page # 394, Col. 2, ‘VI. Experiments and Results’, ‘A. Experimental Intrusion Scenario’ discloses determining different phases of Intrusion Kill Chain (IKC) model such as ‘initial reconnaissance’, ‘weaponization’, ‘Exploitation’, ‘delivery’, and ‘installation’); 
determining, using the zero or more transaction phases determined for each event in the set of events, that one or more events in the subset of events are associated with one or more transaction phases defined by the security model definition (See page # 394, Col. 2, ‘VI. Experiments and Results’, ‘B. Experiment’ discloses that the expert selects the most promising IKC phase and calls for reconstruction, thus reconstructing the entire security transaction of the attack chain; Table II on page # 395, Col. 1, under section VI is an example of a reconstructed security transaction whose set of events is associated with one or more transaction phases); 
determining that the multi-phase cyber-attack has impacted the particular asset (i.e., e-mail of the user(s) of the university network) based on determining that the one or more events in the subset of events are associated with the one or more transaction phases (See page # 394, Col. 2, ‘VI. Experiments and Results’, ‘A. Experimental Intrusion Scenario’, which discloses that an attacker sends a crafted email with a malicious attachment to the university professors’ email boxes, and ‘B. Experiment’, which discloses that the expert selects the most promising IKC phase and calls for reconstruction, thus reconstructing the entire security transaction of the attack chain; Table II on page # 395, Col. 1, under section VI is an example of a reconstructed security transaction whose set of events is associated with one or more transaction phases).
NPL extensively discloses a framework for detection and analysis of multi-phase cyber-attack through one or more events.
NPL fails to disclose:
filtering the set of events to determine a subset of the events, wherein each event in the subset includes a field value identifying a particular asset in the IT environment; performing, in response to determining that an anomalous activity has impacted the particular asset, a predetermined automated response.
However, Treat discloses:
filtering (i.e., monitoring and identifying Application ID and User ID from the events construed as filtering) the set of events to determine a subset of the events, wherein each event in the subset includes a field value identifying a particular asset (i.e., identified application and associated user is construed as an asset) in the IT environment (FIG. 1; Col. 10, Line 59-67 discloses monitoring and identifying network traffic and determines using an ‘App ID Check & User ID Check 108’ to filter/identify an application and a user associated with the monitored network traffic (e.g., session));
performing, in response to determining that an anomalous activity has impacted the particular asset, a predetermined automated response (Col. 30, Line # 1-7; method step 1108 & Col. 30, Line # 43-50; method step 1208 discloses performing a responsive action in response to the detected anomalous activity based on a policy).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the NPL reference to include an automated system and method which is able to identify the particular application and associated user in case of anomalous activity, as disclosed by Treat.
The motivation to include such a system and method is to prevent unwanted activity, misuse, insider threats, and known tactics of attackers on an enterprise network.
Regarding claim 2, the combination of NPL and Treat discloses:
	The method of claim 1, wherein the subset of the events is associated with the particular asset, the one or more transaction phases associated with the subset of events are associated with the particular asset, and the determining that the multi-phase cyber-attack has impacted the particular asset is further based on: 
accessing a record of an asset table that associates the particular asset with a set of completed transaction phases for the asset (NPL Page # 395 Table II discloses completed attack phases which are associated with the email account of the university professor’s computer); 
updating the record of the asset table by including, in the set of completed transaction phases for the particular asset, the one or more transaction phases associated with the particular asset (NPL Page # 394 Col. 2, Section ‘VI. Experiments and Results’, ‘B. Experiment’ discloses updating the record related to the university professor’s computer as attack phases change; page # 395 Table II discloses that the stages of the attack phases are updated as the attack progresses); and searching the asset table to determine that the set of completed transaction phases in the record satisfies a designated condition (NPL page # 395 Table II discloses determining completed transaction phases related to the asset [which is the email account of the university professor who receives email at his/her computer] which satisfy a designated condition such as Info. Gathering, Weaponization, Delivery, Exploitation, Installation and C2).
Regarding claim 3, the combination of NPL and Treat discloses:
The method of claim 1, further comprising monitoring the IT environment on a per-asset and per-user basis by maintaining an asset table, wherein the asset table associates an asset of the assets in the IT environment and a user with a set of transaction phases, wherein the set of transaction phases are associated with a respective set of events of the set of events, and wherein events of the respective set of events include a set of field values that identify the asset and the user (NPL page # 395 Table II discloses maintaining an asset table that includes identifying the asset, which is the computer of the university professor, and the user, which is the university professor who receives the email from the attacker).
Regarding claim 4, the combination of NPL and Treat discloses:
The method of claim 1, further comprising monitoring the IT environment on a per-asset basis by maintaining an asset table, wherein the asset table associates an asset of the assets in the IT environment with a set of transaction phases, wherein events of the respective set of events include a field value identifying the asset (NPL page # 395 Table II discloses maintaining asset table that includes identifying the asset which is computer of university professor and the user which is the university professor who receives the email from the attacker).
Regarding claim 5, the combination of NPL and Treat discloses:
The method of claim 4, further comprising: 
searching the set of events to determine an initial subset of the events, wherein each event in the initial subset is associated with at least one completed transaction phase (NPL Page # 394, Col. 2, ‘B. Experiment’ discloses that, based on the alert, the system searches through the logs to start the construction of the Intrusion Kill Chain phases); 
filtering the initial subset to determine the subset of the events, wherein the subset of the events are associated with the particular asset (NPL page # 395 Table II discloses determining completed transaction phases related to the asset [which is the email account of the university professor who receives email at his/her computer] which satisfy a designated condition such as Info. Gathering, Weaponization, Delivery, Exploitation, Installation and C2); 
aggregating the at least one completed transaction phase for each event in the subset of the events to determine the one or more transaction phases, wherein the one or more transaction phases are associated with the particular asset (NPL Page # 395 Table II discloses combining attack phases in the form of table which are associated with the email account of the university professor’s computer); and 
updating a record in the asset table for the particular asset to represent the one or more transaction phases associated with the particular asset (NPL Page # 394 Col. 2, Section ‘VI. Experiments and Results’, ‘B. Experiment’ discloses updating the record related to the university professor’s computer as attack phases change; page # 395 Table II discloses that the stages of the attack phases are updated as the attack progresses).
Regarding claim 6, the combination of NPL and Treat discloses:
The method of claim 4, further comprising: identifying an additional transaction phase associated with the particular asset; and updating a record in the asset table for the particular asset to associate the particular asset with the additional transaction phase (NPL discloses these actions on pages # 394-395, which can be implemented in a repetitive fashion by the system as more alerts are generated by the monitoring devices regarding assets in the infrastructure).
Regarding claim 7, the combination of NPL and Treat discloses:
The method of claim 1, further comprising: creating a metadata field for each event of the set of events; and storing in the metadata field a value when at least one transaction phase is associated with the event or a null value when zero transaction phases are associated with the event (NPL Page # 395 Table II discloses creating fields as each attack phase progresses to next stage and adds information [metadata] about that stage and if there is no information for a particular stage, it denotes that with “-” as depicted in front of “Actions”).
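As an added illustration of the limitations of claims 1 through 7 taken together (this is example code written for this review, not code from the application, from Bhatt et al., or from Treat), the following Python sketch walks the claimed pipeline: a security model definition mapping kill-chain phases to detection-source categories, per-event phase determination with a null metadata value for unmatched events, filtering by asset field, aggregation into an asset-table record, a designated-condition check, and a predetermined response. The model contents, sample events, condition and response are all constructed for the example.

```python
from typing import Dict, FrozenSet, List, Optional, Set

# Security model definition (constructed): each transaction phase of a
# multi-phase attack -> categories of detection sources able to observe it.
SECURITY_MODEL: Dict[str, Set[str]] = {
    "reconnaissance": {"web_proxy", "ids"},
    "weaponization": set(),          # occurs on the attacker's side; no internal sensor sees it
    "delivery": {"email_gateway", "web_proxy"},
    "exploitation": {"hids", "endpoint_av"},
    "installation": {"hids"},
    "command_and_control": {"ids", "dns_resolver"},
    "actions_on_objectives": {"dlp"},
}

# Designated condition (constructed): an asset is treated as impacted once
# all of these phases have been completed against it.
DESIGNATED_CONDITION: FrozenSet[str] = frozenset(
    {"delivery", "exploitation", "installation", "command_and_control"}
)

# Predetermined automated response (constructed placeholder action name).
AUTOMATED_RESPONSE = {"action": "isolate_host_and_open_ticket"}


def phases_for_event(event: dict, model: Dict[str, Set[str]] = SECURITY_MODEL) -> Optional[FrozenSet[str]]:
    """Zero or more phases for an event, found by comparing the event's
    detection-source category with the model's categories.  None plays the
    role of the claim 7 'null value' when no phase matches."""
    phases = frozenset(p for p, cats in model.items() if event["source_category"] in cats)
    return phases or None


def annotate(events: List[dict]) -> List[dict]:
    """Create the per-event metadata field holding its phases (or None)."""
    return [dict(ev, phases=phases_for_event(ev)) for ev in events]


def filter_by_asset(events: List[dict], asset: str) -> List[dict]:
    """Keep only events whose asset field identifies the asset of interest."""
    return [ev for ev in events if ev.get("asset") == asset]


def update_asset_table(table: Dict[str, dict], asset: str, events: List[dict]) -> dict:
    """Aggregate the phases seen on the asset's events into its record.
    An existing record is extended, so later alerts add phases (claim 6)."""
    record = table.setdefault(asset, {"users": set(), "completed_phases": set()})
    for ev in events:
        if ev["phases"]:
            record["completed_phases"].update(ev["phases"])
        if ev.get("user"):
            record["users"].add(ev["user"])
    return record


def condition_met(record: dict, required: FrozenSet[str] = DESIGNATED_CONDITION) -> bool:
    return required <= record["completed_phases"]


def process(events: List[dict], asset: str, table: Dict[str, dict]) -> Optional[dict]:
    """Pipeline for one asset: annotate, filter, aggregate, test, respond.
    Returns the automated response if the asset is determined to be impacted."""
    subset = filter_by_asset(annotate(events), asset)
    record = update_asset_table(table, asset, subset)
    if condition_met(record):
        return dict(AUTOMATED_RESPONSE, asset=asset, phases=sorted(record["completed_phases"]))
    return None


# Constructed sample events (raw machine data already parsed into fields).
SAMPLE_EVENTS = [
    {"source_category": "email_gateway", "asset": "lab-pc-07", "user": "prof_a",
     "detail": "attachment quarantined"},
    {"source_category": "hids", "asset": "lab-pc-07", "user": "prof_a",
     "detail": "integrity check: unexpected executable"},
    {"source_category": "dns_resolver", "asset": "lab-pc-07", "user": "prof_a",
     "detail": "query to low-reputation domain"},
    {"source_category": "badge_reader", "asset": "lab-pc-07", "user": "prof_a",
     "detail": "door unlocked"},                      # maps to no phase -> None
    {"source_category": "web_proxy", "asset": "lab-pc-02", "user": "student_b",
     "detail": "blocked category"},
]

if __name__ == "__main__":
    asset_table: Dict[str, dict] = {}
    for name in ("lab-pc-07", "lab-pc-02"):
        print(name, process(SAMPLE_EVENTS, name, asset_table))
```

Note that a single source category (here `web_proxy` or `hids`) can legitimately map to more than one phase, which is why each event carries a set of phases rather than one label.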
Regarding claim 8, NPL discloses:
One or more non-transitory computer-readable storage media, storing instructions, which when executed by one or more processors cause the one or more processors to perform operations comprising:
accessing a security model definition, wherein the security model definition maps transaction phases of a multiphase cyber-attack to categories of detection sources that are within an information technology (IT) environment and that are capable of detecting a security threat (NPL Page # 390; Col. 1; ‘A. Multi-Stage Attack Model’ discloses Intrusion Kill Chain Model (IKC) of seven phases; See Page # 392, Col. 2, ‘Intelligence Module’ discloses detecting multi-stage attack using algorithms for log correlation and is responsible for automatic IKC search based on potential malicious events detected; see Page # 393, Table 1 ‘Defense Plan’ discloses mapping/accessing IKC model at each stage to prevent and detect attacks); 
determining, for each event in a set of events generated from raw machine data (i.e., logs from various sensors from the security architecture; see Page # 392 ‘Logging Module’) produced by assets in the IT environment, zero or more transaction phases (i.e., Seven (7) phases of Intrusion Kill Chain (IKC) mentioned in ‘TABLE I. DEFENSE PLAN’ on page # 393) associated with the event (Page # 392, Col. 2, ‘Intelligence Module’ discloses algorithms for log correlation and is responsible for automatic IKC search based on potential malicious events detected; also see page # 393, Col. 2, where the ‘Intelligence Module’ collects logs from different controls and normalizes the logs to determine the phases of the multi-stage attack), 
wherein the event is associated with a data source in the IT environment that produced the event (Page # 393, Col. 2, Table I; The main input to the intelligence module is the collected logs from the different prevention and detection controls. Each log is normalized [6] to provide attributes that identify the control, date and time, type of attack, source, destination, and payload attributes; when attempting to rebuild the IKC the analysis identifies which control sourced the event under scrutiny, see also Page # 394, section VI. B. “explorer.exe” alert from OSSEC syscheck, which is a HIDS as per footnote 15), and 
wherein the zero or more transaction phases are determined by comparing the data source associated with event to the categories of detection sources mapped by the security model definition to the transaction phases (See page # 394, Col. 2, ‘VI. Experiments and Results’, ‘A. Experimental Intrusion Scenario’ discloses determining different phases of Intrusion Kill Chain (IKC) model such as ‘initial reconnaissance’, ‘weaponization’, ‘Exploitation’, ‘delivery’, and ‘installation’); 
determining, using the zero or more transaction phases determined for each event in the set of events, that one or more events in the subset of events are associated with one or more transaction phases defined by the security model definition (See page # 394, Col. 2, ‘VI. Experiments and Results’, ‘B. Experiment’ discloses that the expert selects the most promising IKC phase and calls for reconstruction, thus reconstructing the entire security transaction of the attack chain; Table II on page # 395, Col. 1, under section VI is an example of a reconstructed security transaction whose set of events is associated with one or more transaction phases); 
determining that the multi-phase cyber-attack has impacted the particular asset (i.e., e-mail of the user(s) of the university network) based on determining that the one or more events in the subset of events are associated with the one or more transaction phases (See page # 394, Col. 2, ‘VI. Experiments and Results’, ‘A. Experimental Intrusion Scenario’, which discloses that an attacker sends a crafted email with a malicious attachment to the university professors’ email boxes, and ‘B. Experiment’, which discloses that the expert selects the most promising IKC phase and calls for reconstruction, thus reconstructing the entire security transaction of the attack chain; Table II on page # 395, Col. 1, under section VI is an example of a reconstructed security transaction whose set of events is associated with one or more transaction phases).
NPL extensively discloses a framework for detection and analysis of multi-phase cyber-attack.
NPL fails to disclose:
filtering the set of events to determine a subset of the events, wherein each event in the subset includes a field value identifying a particular asset in the IT environment; performing, in response to determining that an anomalous activity has impacted the particular asset, a predetermined automated response.
However, Treat discloses:
filtering (i.e., identifying Application ID and User ID from the events) the set of events to determine a subset of the events, wherein each event in the subset includes a field value identifying a particular asset (i.e., identified application and associated user is construed as an asset) in the IT environment (FIG. 1; Col. 10, Line 59-67 discloses monitoring and identifying network traffic and determines using an ‘App ID Check & User ID Check 108’ to filter/identify an application and a user associated with the monitored network traffic (e.g., session));
performing, in response to determining that an anomalous activity has impacted the particular asset, a predetermined automated response (Col. 30, Line # 1-7; method step 1108 & Col. 30, Line # 43-50; method step 1208 discloses performing a responsive action in response to the detected anomalous activity based on a policy).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the NPL reference to include an automated system and method which is able to identify the particular application and associated user in case of anomalous activity, as disclosed by Treat.
The motivation to include such a system and method is to prevent unwanted activity, misuse, insider threats, and known tactics of attackers on an enterprise network.
Regarding claim 9, the combination of NPL and Treat discloses:
The one or more non-transitory computer-readable storage media of claim 8, wherein the subset of the events is associated with the particular asset, the one or more transaction phases associated with the subset of events are associated with the particular asset, and the determining that the multi-phase cyber-attack has impacted the particular asset is further based on: 
accessing a record of an asset table that associates the particular asset with a set of completed transaction phases for the asset (NPL Page # 395 Table II discloses completed attack phases which are associated with the email account of the university professor’s computer); 
updating the record of the asset table by including, in the set of completed transaction phases for the particular asset, the one or more transaction phases associated with the particular asset (NPL Page # 394 Col. 2, Section ‘VI. Experiments and Results’, ‘B. Experiment’ discloses updating the record related to the university professor’s computer as attack phases change; page # 395 Table II discloses that the stages of the attack phases are updated as the attack progresses); and searching the asset table to determine that the set of completed transaction phases in the record satisfies a designated condition (NPL page # 395 Table II discloses determining completed transaction phases related to the asset [which is the email account of the university professor who receives email at his/her computer] which satisfy a designated condition such as Info. Gathering, Weaponization, Delivery, Exploitation, Installation and C2).
Regarding claim 10, the combination of NPL and Treat discloses:
The one or more non-transitory computer-readable storage media of claim 8, the operations further comprising monitoring the IT environment on a per-asset and per-user basis by maintaining an asset table, wherein the asset table associates an asset of the assets in the IT environment and a user with a set of transaction phases, wherein the set of transaction phases are associated with a respective set of events of the set of events, and wherein events of the respective set of events include a set of field values that identify the asset and the user (NPL page # 395 Table II discloses maintaining an asset table that includes identifying the asset, which is the computer of the university professor, and the user, which is the university professor who receives the email from the attacker).
Regarding claim 11, the combination of NPL and Treat discloses:
The one or more non-transitory computer-readable storage media of claim 8, the operations further comprising monitoring the IT environment on a per-asset basis by maintaining an asset table, wherein the asset table associates an asset of the assets in the IT environment with a set of transaction phases, wherein events of the respective set of events include a field value identifying the asset (NPL page # 395 Table II discloses maintaining an asset table that includes identifying the asset, which is the computer of the university professor, and the user, which is the university professor who receives the email from the attacker).
Regarding claim 12, the combination of NPL and Treat discloses:
The one or more non-transitory computer-readable storage media of claim 11, the operations further comprising:
searching the set of events to determine an initial subset of the events, wherein each event in the initial subset is associated with at least one completed transaction phase (NPL Page # 394, Col. 2, ‘B. Experiment’ discloses that, based on the alert, the system searches through the logs to start the construction of the Intrusion Kill Chain phases); 
filtering the initial subset to determine the subset of the events, wherein the subset of the events are associated with the particular asset (NPL page # 395 Table II discloses determining completed transaction phases related to the asset [which is the email account of the university professor who receives email at his/her computer] which satisfy a designated condition such as Info. Gathering, Weaponization, Delivery, Exploitation, Installation and C2); 
aggregating the at least one completed transaction phase for each event in the subset of the events to determine the one or more transaction phases, wherein the one or more transaction phases are associated with the particular asset (NPL Page # 395 Table II discloses combining attack phases in the form of table which are associated with the email account of the university professor’s computer); and 
updating a record in the asset table for the particular asset to represent the one or more transaction phases associated with the particular asset (NPL Page # 394 Col. 2, Section ‘VI. Experiments and Results’, ‘B. Experiment’ discloses updating the record related to the university professor’s computer as attack phases change; page # 395 Table II discloses that the stages of the attack phases are updated as the attack progresses).
Regarding claim 13, the combination of NPL and Treat discloses:
The one or more non-transitory computer-readable storage media of claim 11, the operations further comprising: identifying an additional transaction phase associated with the particular asset; and updating a record in the asset table for the particular asset to associate the particular asset with the additional transaction phase (NPL discloses these actions on pages # 394-395, which can be implemented in a repetitive fashion by the system as more alerts are generated by the monitoring devices regarding assets in the infrastructure).
Regarding claim 14, the combination of NPL and Treat discloses:
The one or more non-transitory computer-readable storage media of claim 8, the operations further comprising: creating a metadata field for each event of the set of events; and storing in the metadata field a value when at least one transaction phase is associated with the event or a null value when zero transaction phases are associated with the event (NPL Page # 395 Table II discloses creating fields as each attack phase progresses to next stage and adds information [metadata] about that stage and if there is no information for a particular stage, it denotes that with “-” as depicted in front of “Actions”).
Regarding claim 15, NPL discloses:
A system, comprising: one or more processors; and one or more non-transitory computer-readable storage media storing instructions, which when executed by the one or more processors cause the one or more processors to perform operations comprising:
accessing a security model definition, wherein the security model definition maps transaction phases of a multiphase cyber-attack to categories of detection sources that are within an information technology (IT) environment and that are capable of detecting a security threat (NPL Page # 390; Col. 1; ‘A. Multi-Stage Attack Model’ discloses Intrusion Kill Chain Model (IKC) of seven phases; See Page # 392, Col. 2, ‘Intelligence Module’ discloses detecting multi-stage attack using algorithms for log correlation and is responsible for automatic IKC search based on potential malicious events detected; see Page # 393, Table 1 ‘Defense Plan’ discloses mapping/accessing IKC model at each stage to prevent and detect attacks); 
determining, for each event in a set of events generated from raw machine data (i.e., logs from various sensors from the security architecture; see Page # 392 ‘Logging Module’) produced by assets in the IT environment, zero or more transaction phases (i.e., Seven (7) phases of Intrusion Kill Chain (IKC) mentioned in ‘TABLE I. DEFENSE PLAN’ on page # 393) associated with the event (Page # 392, Col. 2, ‘Intelligence Module’ discloses algorithms for log correlation and is responsible for automatic IKC search based on potential malicious events detected; also see page # 393, Col. 2, where the ‘Intelligence Module’ collects logs from different controls and normalizes the logs to determine the phases of the multi-stage attack), 
wherein the event is associated with a data source in the IT environment that produced the event (Page # 393, Col. 2, Table I; The main input to the intelligence module is the collected logs from the different prevention and detection controls. Each log is normalized [6] to provide attributes that identify the control, date and time, type of attack, source, destination, and payload attributes; when attempting to rebuild the IKC the analysis identifies which control sourced the event under scrutiny, see also Page # 394, section VI. B. “explorer.exe” alert from OSSEC syscheck, which is a HIDS as per footnote 15), and 
wherein the zero or more transaction phases are determined by comparing the data source associated with event to the categories of detection sources mapped by the security model definition to the transaction phases (See page # 394, Col. 2, ‘VI. Experiments and Results’, ‘A. Experimental Intrusion Scenario’ discloses determining different phases of Intrusion Kill Chain (IKC) model such as ‘initial reconnaissance’, ‘weaponization’, ‘Exploitation’, ‘delivery’, and ‘installation’); 
determining, using the zero or more transaction phases determined for each event in the set of events, that one or more events in the subset of events are associated with one or more transaction phases defined by the security model definition (See page # 394, Col. 2, ‘VI. Experiments and Results’, ‘B. Experiment’ discloses that the expert selects the most promising IKC phase and calls for reconstruction, thus reconstructing the entire security transaction of the attack chain; Table II on page # 395, Col. 1, under section VI is an example of a reconstructed security transaction whose set of events is associated with one or more transaction phases); 
determining that the multi-phase cyber-attack has impacted the particular asset (i.e., e-mail of the user(s) of the university network) based on determining that the one or more events in the subset of events are associated with the one or more transaction phases (See page # 394, Col. 2, ‘VI. Experiments and Results’, ‘A. Experimental Intrusion Scenario’, which discloses that an attacker sends a crafted email with a malicious attachment to the university professors’ email boxes, and ‘B. Experiment’, which discloses that the expert selects the most promising IKC phase and calls for reconstruction, thus reconstructing the entire security transaction of the attack chain; Table II on page # 395, Col. 1, under section VI is an example of a reconstructed security transaction whose set of events is associated with one or more transaction phases).
NPL extensively discloses a framework for detection and analysis of multi-phase cyber-attack.
NPL fails to disclose:
filtering the set of events to determine a subset of the events, wherein each event in the subset includes a field value identifying a particular asset in the IT environment; performing, in response to determining that an anomalous activity has impacted the particular asset, a predetermined automated response.
However, Treat discloses:
filtering (i.e., identifying Application ID and User ID from the events) the set of events to determine a subset of the events, wherein each event in the subset includes a field value identifying a particular asset (i.e., identified application and associated user is construed as an asset) in the IT environment (FIG. 1; Col. 10, Line 59-67 discloses monitoring and identifying network traffic and determines using an ‘App ID Check & User ID Check 108’ to filter/identify an application and a user associated with the monitored network traffic (e.g., session));
performing, in response to determining that an anomalous activity has impacted the particular asset, a predetermined automated response (Col. 30, Line # 1-7; method step 1108 & Col. 30, Line # 43-50; method step 1208 discloses performing a responsive action in response to the detected anomalous activity based on a policy).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the NPL reference to include an automated system and method which is able to identify the particular application and associated user in case of anomalous activity, as disclosed by Treat.
The motivation to include such a system and method is to prevent unwanted activity, misuse, insider threats, and known tactics of attackers on an enterprise network.
Regarding claim 16, the combination of NPL and Treat discloses:
The system of claim 15, wherein the subset of the events is associated with the particular asset, the one or more transaction phases associated with the subset of events are associated with the particular asset, and the determining that the multi-phase cyber-attack has impacted the particular asset is further based on: 
accessing a record of an asset table that associates the particular asset with a set of completed transaction phases for the asset (NPL Page # 395, Table II discloses completed attack phases which are associated with the e-mail account on the university professor’s computer); 
updating the record of the asset table by including, in the set of completed transaction phases for the particular asset, the one or more transaction phases associated with the particular asset (NPL Page # 394, Col. 2, Section ‘VI. Experiments and Results’, ‘B. Experiment’ discloses updating the record related to the university professor’s computer as the attack phases change; Page # 395, Table II discloses that the stages of the attack phases are updated as the attack progresses); and searching the asset table to determine that the set of completed transaction phases in the record satisfies a designated condition (NPL Page # 395, Table II discloses determining the completed transaction phases related to the asset [which is the e-mail account of the university professor who receives e-mail at his/her computer] which satisfy a designated condition, such as Info. Gathering, Weaponization, Delivery, Exploitation, Installation and C2).
Regarding claim 17, the combination of NPL and Treat discloses:
The system of claim 15, the operations further comprising monitoring the IT environment on a per-asset and per-user basis by maintaining an asset table, wherein the asset table associates an asset of the assets in the IT environment and a user with a set of transaction phases, wherein the set of transaction phases are associated with a respective set of events of the set of events, and wherein events of the respective set of events include a set of field values that identify the asset and the user (NPL Page # 395, Table II discloses maintaining an asset table that identifies the asset, which is the computer of the university professor, and the user, which is the university professor who receives the e-mail from the attacker).
Regarding claim 18, the combination of NPL and Treat discloses:
The system of claim 15, the operations further comprising monitoring the IT environment on a per-asset basis by maintaining an asset table, wherein the asset table associates an asset of the assets in the IT environment with a set of transaction phases, wherein events of the respective set of events include a field value identifying the asset (NPL Page # 395, Table II discloses maintaining an asset table that identifies the asset, which is the computer of the university professor, and the user, which is the university professor who receives the e-mail from the attacker).
Regarding claim 19, the combination of NPL and Treat discloses:
The system of claim 18, the operations further comprising: 
searching the set of events to determine an initial subset of the events, wherein each event in the initial subset is associated with at least one completed transaction phase (NPL Page # 394, Col. 2, ‘B. Experiment’ discloses that, based on the alert, the system searches through the logs to start the construction of the Intrusion Kill Chain phases); 
filtering the initial subset to determine the subset of the events, wherein the subset of the events are associated with the particular asset (NPL Page # 395, Table II discloses determining the completed transaction phases related to the asset [which is the e-mail account of the university professor who receives e-mail at his/her computer] which satisfy a designated condition, such as Info. Gathering, Weaponization, Delivery, Exploitation, Installation and C2); 
aggregating the at least one completed transaction phase for each event in the subset of the events to determine the one or more transaction phases, wherein the one or more transaction phases are associated with the particular asset (NPL Page # 395, Table II discloses combining the attack phases, in the form of a table, which are associated with the e-mail account on the university professor’s computer); and 
updating a record in the asset table for the particular asset to represent the one or more transaction phases associated with the particular asset (NPL Page # 394, Col. 2, Section ‘VI. Experiments and Results’, ‘B. Experiment’ discloses updating the record related to the university professor’s computer as the attack phases change; Page # 395, Table II discloses that the stages of the attack phases are updated as the attack progresses).
Regarding claim 20, the combination of NPL and Treat discloses:
The system of claim 18, the operations further comprising: identifying an additional transaction phase associated with the particular asset; and updating a record in the asset table for the particular asset to associate the particular asset with the additional transaction phase (NPL discloses these actions at Pages # 394-395, and they can be performed repetitively by the system as more alerts are generated by the monitoring devices regarding assets in the infrastructure).
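For clarity of the record, the following is an illustration of the per-asset processing recited in claims 16-20 (searching events for completed transaction phases, filtering by asset, aggregating phases into an asset-table record, searching the table against a designated condition, and updating the record as an additional phase is identified). It is an added example prepared for this discussion; it is not code from the present application, from the NPL reference (Bhatt et al.), or from Treat. The event field names (asset, user, phase), the sample events, and the two designated conditions are constructed for the illustration; the phase names are those cited above from Table II of the NPL reference.

```python
"""Per-asset 'asset table' of completed kill-chain (transaction) phases.

Added illustration, not code from the application, Bhatt et al., or Treat.
Event field names, sample events and the designated conditions are constructed.
"""
from collections import defaultdict

# Phase names as cited from Table II of the NPL reference, in kill-chain order.
PHASES = ["Info. Gathering", "Weaponization", "Delivery",
          "Exploitation", "Installation", "C2"]
PHASE_RANK = {name: i for i, name in enumerate(PHASES)}

# Constructed sample events. An empty "phase" means the event was not tied to
# any completed transaction phase by the upstream detectors.
SAMPLE_EVENTS = [
    {"asset": "prof-ws-01", "user": "prof.a", "phase": "Delivery",
     "msg": "mail with attachment received"},
    {"asset": "prof-ws-01", "user": "prof.a", "phase": "",
     "msg": "ordinary web browsing"},
    {"asset": "prof-ws-01", "user": "prof.a", "phase": "Exploitation",
     "msg": "attachment spawned a child process"},
    {"asset": "lab-srv-07", "user": "svc", "phase": "Delivery",
     "msg": "mail with attachment received"},
    {"asset": "prof-ws-01", "user": "prof.a", "phase": "Installation",
     "msg": "new autorun entry created"},
]


class AssetTable:
    """One record per asset: the set of completed transaction phases."""

    def __init__(self):
        self._records = defaultdict(set)

    def record(self, asset):
        return frozenset(self._records[asset])

    def update(self, asset, phases):
        """Add the given phases to the asset's record and return the record."""
        self._records[asset].update(phases)
        return self.record(asset)

    def search(self, condition):
        """Assets whose record satisfies the designated condition."""
        return sorted(a for a, p in self._records.items() if condition(p))


def initial_subset(events):
    """Events associated with at least one completed transaction phase."""
    return [e for e in events if e.get("phase") in PHASE_RANK]


def filter_by_asset(events, asset):
    """Events whose asset field identifies the particular asset."""
    return [e for e in events if e.get("asset") == asset]


def aggregate_phases(events):
    """Union of the completed phases across the subset of events."""
    return {e["phase"] for e in events}


def latest_phase(phases):
    """Furthest kill-chain phase reached, or None if the record is empty."""
    return max(phases, key=PHASE_RANK.__getitem__) if phases else None


# Two constructed designated conditions for the asset-table search.
def reached_c2(phases):
    return "C2" in phases


def at_least_phases(n):
    return lambda phases: len(phases) >= n


def process_asset(events, table, asset):
    """Claim 19 sequence for one asset: search, filter, aggregate, update."""
    subset = filter_by_asset(initial_subset(events), asset)
    return table.update(asset, aggregate_phases(subset))


def impacted_assets(events, table, condition):
    """Process every asset seen in the events, then search the table."""
    for asset in {e["asset"] for e in events}:
        process_asset(events, table, asset)
    return table.search(condition)


if __name__ == "__main__":
    t = AssetTable()
    print(impacted_assets(SAMPLE_EVENTS, t, at_least_phases(3)))
    t.update("prof-ws-01", {"C2"})      # an additional phase arrives later
    print(t.search(reached_c2), latest_phase(t.record("prof-ws-01")))
```

The second call to `update` models claim 20: a later alert adds an additional phase to an existing record without re-scanning the earlier events, and the same table search is then re-run against the condition.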
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffery L. Nickerson can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/SYED M AHSAN/       Patent Examiner, Art Unit 2432
08/23/2022