Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This action is in response to the correspondence filed 07/23/2020.
Claims 1-20 are presented for examination.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-17 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
As to claim 1, the claim recites querying, or causing to be queried, a security intelligence database for sector-wise historical norms for an indicator of compromise (IoC); obtaining sector-wise expected prevalence data for the IoC; receiving observed sector-wise prevalence data for the IoC; computing a first test statistic from a goodness-of-fit test between the observed and expected prevalences; from the observed sector-wise prevalence data, computing a second test statistic from a difference between a highest prevalence and a next-highest prevalence; computing a third test statistic from a difference between the observed prevalence of a highest prevalence sector and the expected prevalence for the highest prevalence sector; selecting a least significant statistic from among the first, second, and third test statistics; and determining from the least significant statistic whether to notify a subscriber.
The limitations of “querying” data, “obtaining” data, “computing” a first, second and third test statistic, “selecting” a least significant statistic and “determining” whether to notify constitute a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, other than reciting “computer-implemented,” nothing in the claim element precludes the step from practically being performed in the mind. For example, but for the “computer-implemented” language, “querying,” “obtaining” and “receiving” in the context of this claim encompass the user manually looking at or observing data and remembering or writing data. Also, “computing” in the context of this claim encompasses the user manually solving a problem. Similarly, “selecting” and “determining” in the context of this claim encompass the user manually making an evaluation, judgement and/or opinion. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
This judicial exception is not integrated into a practical application. The claim does not include any additional elements. The claim is directed to an abstract idea. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because it does not include any additional elements that impose any meaningful limits on practicing the abstract idea. Therefore, the claim is not eligible.
As to claim 6, the claim includes similar limitations to those of claim 1 except for the additional limitations of “A skewness analyzer, comprising: a hardware platform; and a skewness analysis engine to execute on the hardware platform, and configured to:” and “if the final p-value meets the notification criterion, notify a subscriber of a security event associated with the final p-value.” The skewness analyzer, hardware platform and skewness analysis engine are recited at a high level of generality (i.e., as a generic engine performing a generic computer function of executing on a hardware platform) such that they amount to no more than mere instructions to apply the exception using a generic computer component. The limitation of “if the final p-value meets the notification criterion, notify a subscriber of a security event associated with the final p-value” merely informs a subscriber of a security event associated with the abstract idea. This is the equivalent of merely applying the abstract idea. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
Claims 2-5 do not cure the deficiency of claim 1 and are rejected under 35 USC § 101 for their dependency upon claim 1.
Claims 7-13 do not cure the deficiency of claim 6 and are rejected under 35 USC § 101 for their dependency upon claim 6.
Claims 14-17 would cure the deficiency of claims 1 and 6 regarding rejection under 35 USC § 101, if the function(s) are performed based on the selected least significant statistic (claim 1) and the final p-value (claim 6). However, they are rejected based on their dependency on claim 6.
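The skewness analysis recited in claims 1, 6 and 18 above, worked through as an added illustration that is not code from the application, the examiner, or any reference cited here: three p-values are computed per IoC (chi-square goodness of fit across sectors, highest sector versus runner-up, highest sector versus its historical norm), the least significant (largest) is taken as the final p-value, and a subscriber is notified only if it meets the criterion. The sector names, sighting counts, the 0.05 criterion, and the use of sighting counts as the prevalence denominator are assumptions made for the example.

```python
import math

def chi2_sf(x, df):
    """Upper-tail probability of a chi-square statistic with integer df.
    Built from the df recurrence so no scipy is needed."""
    if df % 2 == 0:
        q, nu = math.exp(-x / 2), 2
    else:
        q, nu = math.erfc(math.sqrt(x / 2)), 1
    while nu < df:
        q += (x / 2) ** (nu / 2) * math.exp(-x / 2) / math.gamma(nu / 2 + 1)
        nu += 2
    return q

def two_proportion_p(x1, n1, x2, n2):
    """Two-sided p-value of a pooled two-proportions z-test."""
    pooled = (x1 + x2) / (n1 + n2)
    if pooled in (0.0, 1.0):
        return 1.0
    z = (x1 / n1 - x2 / n2) / math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    return math.erfc(abs(z) / math.sqrt(2))

def skewness_pvalues(observed, historical):
    """observed/historical: {sector: IoC sighting count}; historical counts > 0 (assumed).
    Returns (top sector, goodness-of-fit p, top-vs-runner-up p, top-vs-its-norm p)."""
    sectors = sorted(historical)
    n_obs = sum(observed.get(s, 0) for s in sectors)
    n_hist = sum(historical.values())
    if n_obs == 0 or len(sectors) < 2:
        raise ValueError("need sightings in at least two known sectors")
    # 1. chi-square goodness of fit: observed counts vs. historical sector shares
    chi2 = sum((observed.get(s, 0) - n_obs * historical[s] / n_hist) ** 2
               / (n_obs * historical[s] / n_hist) for s in sectors)
    p_fit = chi2_sf(chi2, len(sectors) - 1)
    # 2. highest-prevalence sector vs. next highest (each as a share of all sightings)
    top, runner_up = sorted(sectors, key=lambda s: observed.get(s, 0), reverse=True)[:2]
    p_gap = two_proportion_p(observed.get(top, 0), n_obs, observed.get(runner_up, 0), n_obs)
    # 3. top sector's observed share vs. its historical (expected) share
    p_norm = two_proportion_p(observed.get(top, 0), n_obs, historical[top], n_hist)
    return top, p_fit, p_gap, p_norm

def should_notify(observed, historical, alpha=0.05):
    """Final p-value is the least significant (largest) of the three; notify if below alpha."""
    top, *pvals = skewness_pvalues(observed, historical)
    final_p = max(pvals)
    return top, final_p, final_p < alpha

# Constructed sample data: last year's sightings per sector and this week's sightings.
HISTORICAL = {"finance": 300, "health": 300, "retail": 300, "energy": 100}
SKEWED = {"finance": 40, "health": 5, "retail": 4, "energy": 1}   # clustered in finance
QUIET = {"finance": 16, "health": 15, "retail": 14, "energy": 5}  # matches the norm

if __name__ == "__main__":
    for name, obs in (("skewed", SKEWED), ("quiet", QUIET)):
        print(name, should_notify(obs, HISTORICAL))
```

Because the final p-value is the largest of the three, a cluster that is merely large but not concentrated in one sector (the runner-up test fails) does not trigger a notification, which is the point of the selection step.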

Relevant Prior Art
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
(Goonatilake et al., Intrusion Detection Using the Chi-Square Goodness-Of-Fit Test for Information Assurance, Network, Forensics and Software Security. Journal of Computing Sciences in Colleges [online], October 2007 [retrieved on 2022-08-18]. Retrieved from the Internet: <URL: https://dl.acm.org/doi/pdf/10.5555/1289280.1289329>.) teaches the use of the chi-square test, a goodness-of-fit test, to detect network intrusions.
US 10,284,601 to Bar-Menachem et al. teaches a method of managing deviations between expected and normal operations of authentication systems wherein at least one policy may also comprise a second policy that requires a Kolmogorov-Smirnov statistic between the first and second distributions to be larger than a conversion function associated with a required assurance level of a goodness-of-fit test in order to output the alert.
US 2018/0191747 to Nachenberg et al. teaches a method of gathering indicators of compromise for security threat detection wherein each of the received indicators of compromise can include data specifying one or more characteristics of one or more computer security threats. Each indicator of compromise can be configured to, when processed by a computer, cause the computer to detect the presence of the specified one or more characteristics of the one or more computer security threats. Telemetry data for computing systems of users can be received. The telemetry data can include data describing at least one event detected at the computing system. A determination is made that the telemetry data for a given user includes the one or more characteristics specified by a given indicator of compromise.
US 10,587,647 to Khalid et al. teaches a method of malware detection in which observed IoC’s are compared with expected IoC’s to detect malicious attacks.
(Ye et al., An Anomaly Detection Technique Based on a Chi-Square Statistic for Detecting Intrusions into Information Systems. Quality and Reliability Engineering International [online], March 2001 [retrieved on 2022-08-18]. Retrieved from the Internet: <URL: https://onlinelibrary.wiley.com/doi/epdf/10.1002/qre.392>.) teaches that intrusive events show departures (anomalies) from normal events in an information system, and an anomaly detection technique based on a chi-square statistic to detect the anomalies. This technique builds a profile of normal events in an information system (a norm profile), computes the departure of events in the recent past from the norm profile, and detects a large departure as an anomaly (a likely intrusion).
US 2020/0382525 to Scheideler et al. teaches a method for SIEM (Security Information and Event Management) rule sorting and conditional execution including processing security events by applying a rule-based alarm scheme for determining whether a received security event is considered as offense, the method including: generating a rule index of rules, the rules to be applied when receiving an incoming security event; generating an indicator of compromise index for each of the rules, each entry of the indicator of compromise index including an indicator value to be used for a comparison against an attribute of a security event.
US 2020/0336497 to Seaul et al. teaches a method of detecting sensitive data exposure including receiving a sequence of security events, determining, a first cyber-attack pattern by applying a set of predefined rules for detecting an indicator of compromise of a first partial cyber-attack of the cyber-attack chain—thereby, identifying a specific cyber-attack chain—and determining a type and an attribute in the pattern of the first partial cyber-attack.
US 2020/0366689 to Lotia et al. teaches a method of botnet detection and mitigation wherein threat information is obtained, the threat information identifying one or more indicators of compromise (IOC) corresponding to suspected or known malicious network traffic. A control list (CL) corresponding to the threat information is generated, the CL describing rules for identifying network flows to be logged in a network log. The network log identifying the network flows is obtained and a suspect network flow identified by both the threat information and the network log is identified. An address corresponding to the suspect network flow is identified and the address is correlated with a user identifier. A notification is issued to a user associated with the user identifier, the notification indicating a suspected existence of a malicious bot.
US 2017/0187741 to Desch et al. teaches a method for prioritizing indicators of compromise including generating, by the server computer, an alert based at least in part on the information identifying the indicator of compromise for the network resource and a watchlist of indicators of compromise maintained by the organization, the alert including the information, and transmitting, by the server computer, the alert to a user device of an entity associated with the organization.
US 2020/0186569 to Milazzo et al. teaches a method of generating security rules based on cognitive and industry analysis including determining whether an IoC is indicative of an attack or threat. In addition, the attack characteristics extracted from ingested data may be used to match to entries in the security event history trend database to determine if a similar set of attack characteristics were encountered previously and the corresponding action taken, e.g., existing SIEM rule used, new SIEM rule generated by the SIEM rules management system, or the like.

Allowable Subject Matter
After a complete search of the entire relevant prior art, the examiner has determined that the claims are in condition for allowance. Accordingly, claims 18-20 are allowed over the prior art of record.
Claims 1 and 6 would be allowable if rewritten or amended to overcome the rejections under 35 U.S.C. 101, set forth in this Office action.
The following is a statement of reasons for the indication of allowable subject matter:
Independent claim 1, and its respective dependent claims, are allowable over the prior art of record, including Goonatilake, Bar-Menachem, Nachenberg, Khalid, Ye and the remaining references cited by the Examiner, since the prior art, taken individually or in combination, fails to particularly disclose, fairly suggest or render obvious from the observed sector-wise prevalence data, computing a second test statistic from a difference between a highest prevalence and a next-highest prevalence, computing a third test statistic from a difference between the observed prevalence of a highest prevalence sector and the expected prevalence for the highest prevalence sector and selecting a least significant statistic from among the first, second, and third test statistics, in view of the other limitations of the claim, as specified in the independent claims;
Independent claim 6, and its respective dependent claims, are allowable over the prior art of record, including Goonatilake, Bar-Menachem, Nachenberg, Khalid, Ye and the remaining references cited by the Examiner, since the prior art, taken individually or in combination, fails to particularly disclose, fairly suggest or render obvious from the observed prevalences, calculate a two-proportions statistic between a highest prevalence sector and a next-highest-prevalence sector to provide a second p-value; compute a two-proportions statistic between the observed prevalence and an expected prevalence, based on the historical prevalences, for the highest prevalence sector to provide a third p-value; select a final p-value being the least significant of the three provided p-values, in view of the other limitations of the claim, as specified in the independent claims; and
Independent claim 18, and its respective dependent claims, are allowable over the prior art of record, including Goonatilake, Bar-Menachem, Nachenberg, Khalid, Ye and the remaining references cited by the Examiner, since the prior art, taken individually or in combination, fails to particularly disclose, fairly suggest or render obvious compute a plurality of statistical p-values from the historical prevalences, the updated prevalences, and the expected prevalences, the plurality of statistical p-values including at least a goodness-of-fit and a two-proportions test; select a largest magnitude p-value from the plurality of statistical p-values, in view of the other limitations of the claim, as specified in the independent claims.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MALCOLM CRIBBS whose telephone number is (571)270-1566. The examiner can normally be reached Monday-Friday 9:30am-3:30pm; 4:30pm-6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hadi Armouche can be reached on (571)270-3618. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MALCOLM . CRIBBS
Examiner
Art Unit 2497



/MALCOLM CRIBBS/Primary Examiner, Art Unit 2497