DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
2.	The information disclosure statement (IDS) submitted on 09/21/2021 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 112
3.	The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

4.	Claims  is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

5.	Claim 13 recites in a limitation “assigning a confidence level to the detected security events” (emphasis added). It is unclear whether the applicant intends to refer to the same detected one or more security events recited in Claim 1 or to different security events; the claim therefore fails to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant) regards as the invention.
Note: Applicant may overcome this rejection by changing “the detected security events” to “the detected one or more security events”. For examination purposes, the examiner interprets “the detected security events” as “the detected one or more security events.”

Claim Rejections - 35 USC § 102
6.	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

7.	Claims 1-7 and 9-15 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Ringlein et al. (US 2020/0401696 A1, hereinafter Ringlein).

Regarding Claim 1,
Ringlein discloses a method of protecting an electronic device comprising the steps of (Ringlein: [Abstract], ¶ [0007] a method is provided, in a data processing system comprising at least one processor and at least one memory, the at least one memory comprising instructions executed by the at least one processor to cause the at least one processor to implement a security incident disposition system…, security incident disposition system operates to receive, from a source computing device of a monitored computing environment): 
generating a multi-label classification data model comprising security event groups labeled with security actions (Ringlein: [Abstract] input the extracted set of security incident features into a trained security incident machine learning model. The model generates a disposition classification output based on results of processing the extracted set of security incident features, ¶ [0091] training operation for training the SID system starts by receiving a plurality of security incidents/alerts generated by a SIEM system monitoring security events occurring with regard to one or more computing resources of a monitored computing environment, ¶ [0092] training dataset is exported to the SID computing system for training a predictive computing model of the SID system…, generate metrics representative of the nature of the security incident/alert…, extracted features and generated metrics are input to the predictive model, e.g., a neural network model…, neural network model processes the extracted features and metrics of the security alerts and evaluates them to generate a prediction of a disposition classification of the security incident/alert with regard to whether or not it represents a true threat, See also Fig. 3A); 
detecting one or more security events (Ringlein: ¶ [0094] during runtime operation, a new security incident/alert is generated by the SIEM system which also generates a corresponding security knowledge graph for the security incident/alert…, ¶ [0007], See also Fig. 3B); 
predicting, using the multi-label classification data model, one or more security actions based on the detected one or more security events (Ringlein: ¶ [0010] the disposition classification is a prediction of a responsive action to perform in response to the security incident…, disposition classification is one of a predetermined set of potential disposition classifications, each disposition classification corresponding to a different responsive action in a set of responsive actions, ¶¶ [0092, 0094]); and 
implementing the predicted one or more security actions on the electronic device (Ringlein: ¶ [0035] the disposition may indicate specific actions to be taken by security systems or computing systems to thwart a threat or an attack, e.g., blocking access from a particular source to specific computing resources, ¶ [0044] responsive actions may be automatically initiated in response to the disposition output generated by the security incident ML model…, automated processes may be initiated to perform the responsive action to protect the computing resources of the monitored environment, ¶ [0046]).

Regarding Claim 2,
Claim 2 is dependent on Claim 1, and Ringlein discloses all the limitations of Claim 1. Ringlein further discloses wherein the predicting and implementing steps are performed without determination of a threat level (Ringlein: ¶ [0033] a machine learning based model, such as a neural network model, that is trained to recognize patterns of features extracted from the security incident itself, ¶ [0035] features are input to the trained security incident ML model which then generates a prediction of a disposition, e.g., a responsive action to perform, based on a cognitive evaluation of the patterns of features present in the input…, the disposition may indicate specific actions to be taken by security systems or computing systems to thwart a threat or an attack).

Regarding Claim 3,
Claim 3 is dependent on Claim 1, and Ringlein discloses all the limitations of Claim 1. Ringlein further discloses wherein the predicting and implementing steps are performed without determination of a security issue (Ringlein: ¶ [0080] trained CNN model, i.e. the trained security incident ML model 148 may then be deployed for runtime execution on new security incidents/alerts to classify their corresponding extracted feature/metric patterns as to whether they represent true threats requiring escalation or are false positives that do not require escalation, ¶ [0044] responsive actions may be automatically initiated in response to the disposition output generated by the security incident ML model…, automated processes may be initiated to perform the responsive action to protect the computing resources of the monitored environment, ¶¶ [0085, 0103]).

Regarding Claim 4,
Claim 4 is dependent on Claim 1, and Ringlein discloses all the limitations of Claim 1. Ringlein further discloses wherein the implementing step is performed automatically (Ringlein: ¶ [0044] responsive actions may be automatically initiated in response to the disposition output generated by the security incident ML model…, automated processes may be initiated to perform the responsive action to protect the computing resources of the monitored environment, ¶ [0103]).

Regarding Claim 5,
Claim 5 is dependent on Claim 1, and Ringlein discloses all the limitations of Claim 1. Ringlein further discloses wherein the implementing step is performed in real time (Ringlein: ¶ [0062] security alerts/graphs 120 may be logged in one or more security alert log entries or may be immediately output to a threat monitoring interface 130 as they occur, ¶ [0063] threat monitoring interface 130 is a user interface that may be utilized by a security analyst to view security alerts/graphs 120 and determine the veracity of the security alerts 120, i.e. determine whether the security alerts 120 represent an actual security threat, for which a responsive action is to be performed, ¶ [0044]).

Regarding Claim 6,
Claim 6 is dependent on Claim 1, and Ringlein discloses all the limitations of Claim 1. Ringlein further discloses notifying an administrator of the one or more security events and the predicted one or more security actions (Ringlein: ¶ [0010] the disposition classification is one of an escalate disposition classification that causes a notification of a potential threat associated with the security incident to a system administrator…, Thus, the mechanisms of these illustrative embodiments provide indications to a human analyst and/or automated system as to the responsive actions that should be performed in response to the security incident, ¶ [0007]).

Regarding Claim 7,
Claim 7 is dependent on Claim 6, and Ringlein discloses all the limitations of Claim 6. Ringlein further discloses wherein the implementing step is initiated by the administrator (Ringlein: ¶ [0007] provides guidance to a human analyst as to what the appropriate security incident disposition should be for a given security incident, based on machine learning, ¶ [0013] human analyst, is provided with a mechanism for overriding the predicted disposition of a security incident, ¶¶ [0032, 0044]).

Regarding Claim 9,
Claim 9 is dependent on Claim 1, and Ringlein discloses all the limitations of Claim 1. Ringlein further discloses wherein at least one of the security events is a general security event and another of the security events is a specific security event (Ringlein: ¶ [0062] security event data stored in the security log 112 may specify various events associated with the particular managed computing resources 101 that represent events of interest to security evaluations, e.g., failed login attempts, password changes, network traffic patterns, system configuration changes, ¶ [0076]).

Regarding Claim 10,
Claim 10 is dependent on Claim 1, and Ringlein discloses all the limitations of Claim 1. Ringlein further discloses wherein at least one of the security events comprises multiple constituent security events (Ringlein: ¶ [0062] security event data stored in the security log 112 may specify various events associated with the particular managed computing resources 101 that represent events of interest to security evaluations, e.g., failed login attempts, password changes, network traffic patterns, system configuration changes, ¶ [0084] dynamically generated training dataset 170 may compile such user feedback over multiple security incidents/alerts over a predetermined period of time, ¶ [0073] 100 different types of graph based and security incident based features are extracted along with approximately 145 category features from security incident categories, i.e. the type of security incidences that are being looked for, e.g., failed login attempt, SMB brute force, virus triggered).

Regarding Claim 11,
Claim 11 is dependent on Claim 1, and Ringlein discloses all the limitations of Claim 1. Ringlein further discloses training the multi-label classification data model with security events and security actions from multiple electronic devices (Ringlein: ¶ [0025] identify deviations in the operation of the computing devices associated with these data sources from a normal operational state, and then take appropriate responsive actions to the identified deviations, ¶ [0059] obtains security log information from managed computing resources 101 in the end user computing environment 105, e.g., servers, client computing devices, computing network devices, firewalls, database systems, software applications executing on computing devices, ¶ [0064] training dataset, comprising the security alerts, the security knowledge graphs, and their corresponding correct disposition classifications, ¶ [0011]).

Regarding Claim 12,
Claim 12 is dependent on Claim 1, and Ringlein discloses all the limitations of Claim 1. Ringlein further discloses reinforcing the multi-label classification data model with security events and security actions from multiple electronic devices (Ringlein: ¶ [0080] trained CNN model, i.e. the trained security incident ML model 148 may then be deployed for runtime execution on new security incidents/alerts to classify their corresponding extracted feature/metric patterns, ¶ [0084] a training update may be initiated with regard to the trained security incident ML model 148 so that the training of the trained security incident ML model 148 is repeated with a baseline training of the already trained security incident ML model 148 but whose operational parameters are further trained using the dynamically generated training dataset 170, ¶ [0042]).

Regarding Claim 13,
Claim 13 is dependent on Claim 1, and Ringlein discloses all the limitations of Claim 1. Ringlein further discloses:
assigning a confidence level to the detected security events (Ringlein: ¶ [0033] predict a disposition of the security incident based on the recognized pattern, ¶ [0041] a plurality of dispositions and their corresponding probability or confidence values as determined by the trained security incident ML model); 
when the confidence level is above a threshold, automatically proceeding to the implementing step (Ringlein: ¶ [0044] responsive actions may be automatically initiated in response to the disposition output generated by the security incident ML model. For example, in cases where the confidence or probability associated with the disposition output is greater than a predetermined threshold, i.e. the security incident ML model has significant confidence that the disposition is correct for the security incident, automated processes may be initiated to perform the responsive action to protect the computing resources of the monitored environment); 
when the confidence level is below the threshold, notifying an administrator and proceeding to the implementing step upon instruction from the administrator (Ringlein: ¶ [0095] user feedback may only be solicited from the user in response to the predicted disposition having a rating, e.g., confidence value, probability value, etc., that is below a predetermined threshold value…, if the highest rated predicted disposition still has a confidence or probability value that is less than this threshold value, then the user interface that is presented to the user may include the fields for obtaining user feedback information as to the correctness/incorrectness of the predicted disposition, ¶ [0010] causes a notification of a potential threat associated with the security incident to a system administrator…, Thus, the mechanisms of these illustrative embodiments provide indications to a human analyst and/or automated system as to the responsive actions that should be performed in response to the security incident, ¶ [0012] human analyst may interface with the graphical representation and investigate the security incident further to determine the appropriate security incident disposition and/or responsive action to perform, ¶ [0007]).
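Worked example of the Claim 1 and Claim 13 flow as mapped above: a multi-label model that maps groups of detected security events to security actions with a confidence value per action, and a gate that implements confident actions automatically while holding the rest for an administrator's instruction. This is an added illustration for this page, not code from Ringlein or from the applicant. The training records, event and action names, the 0.75 threshold, and the co-occurrence scoring rule are all constructed assumptions standing in for the neural model the reference describes.

```python
"""Added example: a tiny multi-label "event group -> security action" model
with confidence-gated execution. Not Ringlein's or the applicant's code; all
names, records and the threshold below are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed training records: (detected security events, actions taken).
TRAINING = [
    ({"failed_login", "failed_login_burst"}, {"lock_account", "notify_admin"}),
    ({"failed_login_burst"}, {"lock_account"}),
    ({"malware_hash_match"}, {"quarantine_file", "isolate_host"}),
    ({"malware_hash_match", "outbound_c2"}, {"isolate_host", "block_ip"}),
    ({"outbound_c2"}, {"block_ip"}),
    ({"config_change"}, {"notify_admin"}),
]


class MultiLabelActionModel:
    """Binary-relevance model: for each known event e and action a it stores
    P(a | e) from co-occurrence counts and scores a new event set by the mean
    of P(a | e) over its recognised events. Each action is an independent
    label, so one event set can yield several actions (multi-label)."""

    def __init__(self):
        self.event_counts = defaultdict(int)     # event -> occurrences
        self.pair_counts = defaultdict(int)      # (event, action) -> co-occurrences
        self.actions = set()

    def fit(self, records):
        for events, actions in records:
            self.actions |= actions
            for e in events:
                self.event_counts[e] += 1
                for a in actions:
                    self.pair_counts[(e, a)] += 1
        return self

    def predict(self, events):
        """Return {action: confidence} for every action with non-zero support.
        Events never seen in training carry no evidence and are skipped."""
        known = [e for e in events if e in self.event_counts]
        if not known:
            return {}
        scores = {}
        for a in self.actions:
            s = sum(self.pair_counts[(e, a)] / self.event_counts[e] for e in known)
            if s > 0:
                scores[a] = s / len(known)
        return scores


@dataclass
class Disposition:
    auto_actions: dict = field(default_factory=dict)     # action -> confidence
    pending_actions: dict = field(default_factory=dict)  # held for admin instruction
    escalate: bool = False                               # nothing predicted: notify admin


def dispose(model, events, threshold=0.75):
    """Claim-13 style gate: confident predictions are implemented automatically,
    the rest are held for an administrator, and an empty prediction escalates."""
    scores = model.predict(events)
    d = Disposition()
    if not scores:
        d.escalate = True
        return d
    for action, conf in scores.items():
        (d.auto_actions if conf >= threshold else d.pending_actions)[action] = conf
    return d


def apply_admin_decision(disposition, approved):
    """Administrator instruction on held actions: final set to implement."""
    held = set(disposition.pending_actions) & set(approved)
    return set(disposition.auto_actions) | held


if __name__ == "__main__":
    model = MultiLabelActionModel().fit(TRAINING)
    d = dispose(model, {"malware_hash_match", "outbound_c2"})
    print("auto:", d.auto_actions, "pending:", d.pending_actions)
```

The gate is deliberately strict on unknown input: an event set the model has never seen produces no prediction and is escalated rather than silently ignored, which matches the reference's pattern of routing low-confidence dispositions to a human.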

Regarding Claim 14,
Ringlein discloses a system for protecting an electronic device comprising (Ringlein: [Abstract], ¶ [0007] in a data processing system comprising at least one processor and at least one memory, the at least one memory comprising instructions executed by the at least one processor to cause the at least one processor to implement a security incident disposition system…, security incident disposition system operates to receive, from a source computing device of a monitored computing environment): 
a processor (Ringlein: ¶ [0007] in a data processing system comprising at least one processor and at least one memory, ¶[0100]); 
computer readable memory storing computer readable instructions that, when executed by the processor, cause the processor to (Ringlein: ¶ [0007] in a data processing system comprising at least one processor and at least one memory, the at least one memory comprising instructions executed by the at least one processor to cause the at least one processor to implement a security incident disposition system, ¶ [0100]); and Ringlein discloses the remaining limitations of Claim 14 as set out above for Claim 1. Ringlein further discloses instruct the electronic device to implement the predicted one or more security actions (Ringlein: ¶ [0035] the disposition may indicate specific actions to be taken by security systems or computing systems to thwart a threat or an attack, e.g., blocking access from a particular source to specific computing resources, ¶ [0044] responsive actions may be automatically initiated in response to the disposition output generated by the security incident ML model…, automated processes may be initiated to perform the responsive action to protect the computing resources of the monitored environment, ¶ [0046] the logic represented by computer code or instructions embodied in or on the computer program product is executed by one or more hardware devices in order to implement the functionality or perform the operations, ¶ [0007]).

Regarding Claim 15,
Claim 15 is dependent on Claim 14, and Ringlein discloses all the limitations of Claim 14. Ringlein further discloses a server that hosts the processor and computer readable memory (Ringlein: ¶ [0100] one or more of the computing devices, e.g., one or more of the servers 404A-404C, may be specifically configured to implement a SIEM system 420 in combination with one or more computing resources of a monitored computing environment 440…, software applications stored in one or more storage devices and loaded into memory of a computing device, such as server 404A-404C and/or 406, for causing one or more hardware processors of the computing device to execute the software applications that configure the processors to perform the operations and generate the outputs); and 
the electronic device, wherein a copy of the multi-label classification data model is installed in the electronic device (Ringlein: ¶ [0102] One or more computing devices of the monitored computing environment 440, e.g., one of the client devices 410-414, a server (not shown), or the like, may execute a security monitoring engine which applies SIEM rules to security events occurring with regard to the computing resources of the monitored computing environment to determine if the security events potentially represent attacks/threats).

Claim Rejections - 35 USC § 103
8.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

9.	The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

10.	This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

11.	Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Ringlein et al. (US 2020/0401696 A1, hereinafter Ringlein) in view of Kerzner et al. (US 10,249,069 B1, hereinafter Kerzner). 

Regarding Claim 8,
Claim 8 is dependent on Claim 1, and Ringlein discloses all the limitations of Claim 1. Ringlein further discloses wherein the one or more security events occur within a fixed time period ending in a present time (Ringlein: ¶ [0084] dynamically generated training dataset 170 may compile such user feedback over multiple security incidents/alerts over a predetermined period of time).
However, it is noted that Ringlein does not explicitly disclose wherein the one or more security events occur within a fixed time period ending in a present time.
However, Kerzner, from the same field of endeavor as the claimed invention, discloses receiving a selection of a particular time period, identifying security events detected by a monitoring system during the selected time period, and classifying a subset of the identified security events as abnormal events (Kerzner: [Abstract]); may aggregate the collected sensor events over any period of time, including all sensor events collected over years, sensor events collected over a period of one or more months, sensor events collected over a period of one or more weeks, or other suitable time periods (Kerzner: [Col. 16 Lines: 32-36]); timeline may show intervals that are ranges of time. For instance, the length of a range of time may be fifteen minutes, thirty minutes, an hour, two hours, or a day. The length of a range of a time may vary based on a scale specified by a user. For instance, a user may select to view a timeline that spans a single day, two days, a week, or a month, and the ranges of the timeline may be varied in response to the user's selection (Kerzner: [Col. 4 Lines: 12-19]); a timeline that represents events that are associated with automated actions. For instance, the timeline may show icons at particular times, where the icons represent events that are associated with automated actions (Kerzner: [Col. 7 Lines: 4-7], See Fig. 1B—53, 54, 58, 62 i.e. Today, February 11, 2015).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Kerzner into the teachings of Ringlein. A person having ordinary skill in the art would have been motivated to do so to detect recurring events (Kerzner: [Col. 16 Line 37]) and to detect the most recent abnormalities.

Conclusion
12.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US-10242201-B1
US-10542017-B1
US-10091231-B1
US-11048979-B1
US-20200285737-A1
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAMEERA WICKRAMASURIYA whose telephone number is (571)272-1507. The examiner can normally be reached on MON-FRI 8AM-4:30PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG W. KIM, can be reached on (571)272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SAMEERA WICKRAMASURIYA/
Examiner, Art Unit 2494

/ROBERT B LEUNG/
Primary Examiner, Art Unit 2494
8-26-2022