DETAILED ACTION
This office action is in response to the application filed on 12/23/2020.  Claim(s) 1-20 is/are pending and are examined.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Priority/Benefit
Applicant’s benefit claim is hereby acknowledged of the provisional application 62/953,225 filed 12/24/2019, which papers have been placed of record in the file.

Information Disclosure Statement PTO-1449
The Information Disclosure Statement(s) submitted by applicant on 6/6/2021 has/have been considered. The submission is in compliance with the provisions of 37 CFR § 1.97. Form PTO-1449 signed and attached hereto. 
Claim Objections
Claim(s) 1, 8, and 15 is/are objected to because of the following informalities: The examiner suggests the following corrections:
Claims 1, 8, and 15:
Replacement of "in threat timeline" with "in the threat timeline".

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-3, 7-10, and 14-17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Trost et al. (US 2022/0053016 A1), in view of Tsironis (US 2018/0316705 A1). 
Regarding claims 1, 8, and 15, Trost teaches:
“A method for facilitating risk mitigation of information security threats (Trost, ¶ 89-90 and 98 teach a processor, memory, and medium for executing the method steps), comprising:
	analyzing data obtained from at least one tracked data source for identifying at least one event related to a threat (Trost, Fig. 13, steps 1302 and 1304, ¶ 81 Ln. 1-9 teaches receiving information and identifying a security alert. Trost, Fig. 4, ¶ 43-46 further describes the types and extent of data captured. Trost, Fig. 7 ¶ 51 further describes the process to analyze information to generate an alert);
	storing the at least one event in a database (Trost, ¶ 57, 60, 65, 67, and 70 teaches storing the event and analysis data in short term and long term history databases) comprising for each threat and each event identified as related to the threat a time of the event (Trost, Fig. 13, step 1306, ¶ 81 Ln. 10-11 teaches calculating event sequence time window. Trost, ¶ 65, and 69-70 teaches pulling together the events related to a given threat), whereby generation of a threat timeline comprising temporally ordered sequence of each identified event related to a respective threat being enabled (Trost, Fig. 11, ¶ 70-72 teach generating a timeline for a given threat using a series of events related to the alert);
	extracting from events in threat timeline generated for the threat which the at least one event related thereto being identified a plurality of features selected using a correlation between features (Trost, Fig. 13 steps 1306-1312, ¶ 81 Ln. 10-12 teaches generating scores based on context and relatedness. Trost, ¶ 58-61 further describes that this process is performed using multiple machine learning models for the event sequence time window. Trost, ¶ 48, 50-51, 55, and 57 teach correlating the features with metadata of known security threats) extracted from a plurality of threat timelines stored in the database (Trost, ¶ 59 Ln. 1-6 teaches training the machine learning system using past incidents which one of ordinary skill would recognize to include the timelines being discussed in the present citation) and labeling assigned using a plurality of incident records each documenting a threat usage incident (Trost, ¶ 59 Ln. 1-3 teaches the labeling for the entire threat is based on past incidents. Further, Trost, Figs. 11-12, ¶ 73-80 teaches labeling the individual events within the threat utilizing the existing incidents that occurred on the timeline);
	calculating based on the plurality of features extracted a dynamic score indicating an estimated level of risk posed by the threat using at least one machine learning model configured for providing prediction of threat usage during a time window defined (Trost, Fig. 13 steps 1310-1314, ¶ 81 Ln. 11- ¶ 83 Ln. 3 teaches calculating the risk score. Trost, ¶ 58-61 further describes that this process is performed using multiple machine learning models for the event sequence time window. Trost ¶ 27 teaches that this results in a numerical score. Finally, Trost, ¶ 111 discloses that the size of the event sequence time window is dynamically adjusted which then causes the resulting scoring of risk events to be determined dynamically as well); and
	outputting an indication of the dynamic score based on which risk mitigation according to the estimated level of risk being enabled (Trost, Fig. 13 steps 1314-1324, ¶ 27 and 83-85 teach outputting the recommended mitigation courses and the numerical score for the risk related to the security event)”.
	Trost does not, but in related art, Tsironis Fig. 9, ¶ 166 depicts and describes “a date” for threat timeline data.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Trost and Tsironis, to modify the timeline based cyber event threat correlation and risk detection system of Trost to include the method to include the date in event data for cyber event timelines as taught in Tsironis.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.
 
Regarding claims 2, 9, and 16, Trost in view of Tsironis teaches:
“The method of claim 1 (Trost in view of Tsironis teaches the limitations of the parent claims as discussed above), wherein the features being extracted from the plurality of threat timelines according to an event classification defined (Trost, ¶ 58-61 further describes that this process is performed using multiple machine learning models for the event sequence time window.  Trost, ¶ 59 Ln. 1-6 teaches training the machine learning system using past incidents labeled as  which one of ordinary skill would recognize to include the timelines being discussed in the present citation)”.

Regarding claims 3, 10, and 17, Trost in view of Tsironis teaches:
“The method of claim 1 (Trost in view of Tsironis teaches the limitations of the parent claims as discussed above), wherein the at least one machine learning model being trained using a training set constructed using the plurality of incident records (Trost, ¶ 58-61 further describes that this process is performed using multiple machine learning models for the event sequence time window.  Trost, ¶ 59 Ln. 1-6 teaches training the machine learning system using past incidents labeled as  which one of ordinary skill would recognize to include the timelines being discussed in the present citation)”.

Regarding claims 7 and 14, Trost in view of Tsironis teaches:
	“The method of claim 1 (Trost in view of Tsironis teaches the limitations of the parent claims as discussed above), wherein the at least one tracked data source being selected from the group consisting of: 	a threats database (Trost, ¶ 49 teaches threat database)”.
Claim(s) 4-6, 11-13, and 18-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Trost, in view of Tsironis, in view of Pourmohammad (US 2022/0165143 A1). 
Regarding claims 4, 11, and 18, Trost in view of Tsironis teaches:
“The method of claim 3 (Trost in view of Tsironis teaches the limitations of the parent claims as discussed above)”.
Trost, in view of Tsironis does not, but in related art, Pourmohammad teaches:
“wherein for at least one record of the plurality of incident records documenting a threat usage incident, a time window in which the threat usage incident occurred being determined, and the database being sampled for obtaining and adding to the training set construction at least one threat timeline of a threat which being mapped based thereon to an adjacent non-overlapping time window relative to the time window determined (Pourmohammad, Figs. 14, 21-22, ¶ 124, 302-305, and 386 disclose a dynamic threat scoring system for different threats which can be handled as separate threats in separate time windows.  Pourmohammad, ¶ 231 teaches a database which stores the threat information)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Trost, Tsironis and Pourmohammad, to modify the threat detection system of Trost, Tsironis to include the moving time window as taught in Pourmohammad.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.
Regarding claims 5, 12, and 19, Trost in view of Tsironis teaches:
“The method of claim 1 (Trost in view of Tsironis teaches the limitations of the parent claims as discussed above), wherein the dynamic score being calculated using a plurality of machine learning models (Trost, ¶ 58-61 further describes that this process is performed using multiple machine learning models for the event sequence time window)”.
Trost, in view of Tsironis does not, but in related art, Pourmohammad teaches:
“each being configured for providing prediction of threat usage during a different time window defined (Pourmohammad, Figs. 14, 21-22, ¶ 124, 302-305, and 386 teach having a dynamic threat scoring system for different threats which can be grouped as a single threat or handled as separate threats in separate time windows)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Trost, Tsironis and Pourmohammad, to modify the threat detection system of Trost, Tsironis to include the moving time window as taught in Pourmohammad.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.

Regarding claims 6, 13, and 20, Trost in view of Tsironis teaches:
“The method of claim 1 (Trost in view of Tsironis teaches the limitations of the parent claims as discussed above)”.
Trost, in view of Tsironis does not, but in related art, Pourmohammad teaches:
“generating and storing at least one change record based on identified new or modified information item in the at least one tracked data source; and processing the at least one change record according to a defined set of rules for extracting event information therefrom (Pourmohammad, Figs. 14, 21-22, ¶ 124, 302-305, and 386 disclose handling separate threats for a given asset which are spaced apart for a given time such that their risk is calculated independently)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Trost, Tsironis and Pourmohammad, to modify the threat detection system of Trost, Tsironis to include the moving time window as taught in Pourmohammad.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.
Conclusion
	In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention.
	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure: See PTO-892.
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to STEPHEN GUNDRY whose telephone number is (571)270-0507 and can normally be reached on Monday - Friday 8:30 AM - 5PM EST.
	If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571) 272-3685.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.
/STEPHEN T GUNDRY/
Examiner, Art Unit 2435