Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
This Office Action is in response to the amendment filed on 08/04/2022.
Claim 1, 3, 11, 13, and 20 have been amended.
Claims 1-20 are pending for consideration.
Response to Arguments
Applicant's arguments filed on 08/04/2022 have been fully considered but they are not persuasive. 
Applicant argues on page 8 of the Remarks that Roth/ Kapelevich does not teach or suggest “determining, by the analytics engine, a second count of login failures to the system across the plurality of user identifiers within a time window, the login failures originating from a single source entity and including two or more different combinations of user identifiers and passwords” as recited per claim 1. 
In response to the above argument, Examiner respectfully disagrees. Roth does teach that the number of login failures to a system within a time window incorporates a plurality of user identifiers (Roth: ¶0020 “user can provide any of various types of credentials in order to authenticate an identity of the user to the provider. These credentials can include, for example, a username and password”; ¶33: “One threshold determination function looks to the number of correct password attempts received since the last password change to determine a current number of allowed password attempts over a period of time. The current incorrect attempt threshold value is determined 516, and a determination made 518 as to whether the current number of incorrect attempts received exceeds that threshold.”). As can be seen in the cited paragraphs, a credential in order to log into an account encapsulates a plurality of user identifiers (i.e. username and password), these credentials will then be used in order to determine the number of login failures that are allowed within a system before a certain threshold is met which will then trigger a mitigation action. Therefore, Roth does teach the disputed limitation.
Applicant argues on page 9 of the Remarks that Roth does not teach or suggest "identifying, by an analytics engine, a first count of login successes to a system across a plurality of user identifiers" and "identifying, by the analytics engine, a detection threshold for login failures to the system across the plurality of user identifiers, according to the first count" as recited in amended claim 1 as recited per claim 1.
In response to the above argument, Examiner respectfully disagrees. Roth does teach that the number of login successes to a system incorporates a plurality of user identifiers (Roth: ¶0020 “user can provide any of various types of credentials in order to authenticate an identity of the user to the provider. These credentials can include, for example, a username and password;”). Roth also teaches that the number of expected login failures is determined by the number of login success (Roth ¶33: “For example, one threshold determination function looks to the number of correct password attempts received since the last password change to determine a current number of allowed password attempts over a period of time. The current incorrect attempt threshold value is determined 516, and a determination made 518 as to whether the current number of incorrect attempts received exceeds that threshold.”).
As can be seen in the cited paragraphs, a credential in order to log into an account encapsulates a plurality of user identifiers (i.e. username and password), these credentials will then be used in order to determine the number of login failures that are allowed within a system before a certain threshold is met which will then trigger a mitigation action. Also, Roth ¶33 discloses a method of setting a threshold of the number of expected login failures based on the number of login successes. As stated earlier, a successful login will need to verify a plurality of user identifiers such as a username and password. Therefore, Roth do teach the disputed limitation.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 6, 11-14, 16 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over US 2017/0244694 (hereinafter ‘Roth’), in view of US10,931,691 (hereinafter ‘Kapelevich’), hereinafter Roth-Kapelevich.

Regarding claim 1:
Roth discloses: 
A method comprising: identifying, by an analytics engine, a first count of login successes to a system across a plurality of user identifiers; identifying, by [[an]] the analytics engine, a detection threshold for login failures to the system across the plurality of user identifiers, according to the first count; determining, by the analytics engine, a second count of login failures to the system across the plurality of user identifiers within a time window (¶33: “One threshold determination function looks to the number of correct password attempts received since the last password change to determine a current number of allowed password attempts over a period of time. The current incorrect attempt threshold value is determined 516, and a determination made 518 as to whether the current number of incorrect attempts received exceeds that threshold.”),
Roth further discloses:
the login failures originating from a single source entity and including two or more different combinations of user identifiers and passwords (Roth: ¶0020 “user can provide any of various types of credentials in order to authenticate an identity of the user to the provider. These credentials can include, for example, a username and password”);
Roth doesn’t disclose the following limitation “the login failures originating from a single source entity and including two or more different combinations of user identifiers and passwords; determining, by the analytics engine, that the second count of login failures to the system across the plurality of user identifiers within the time window exceeds the detection threshold; and providing, by the analytics engine to a device, a notification indicating a potential security incident responsive to the second count of login failures exceeding the detection threshold”
Kapelevich discloses:
determining, by the analytics engine, that the second count of login failures to the system across the plurality of user identifiers within the time window exceeds the detection threshold; and providing, by the analytics engine to a device, a notification indicating a potential security incident responsive to the second count of login failures exceeding the detection threshold (Column 7, Line 6: “The credentials can be username and password pairs or any other types of identifier or login parameters”; Column 8, Line 54 “The GUI 500 can be used to set particular mitigation actions that are implemented based on a particular number of failed login attempts for particular sources” Column 8, line 50; “Referring more specifically to FIG. 5, an exemplary graphical user interface (GUI) 500 for establishing various parameters relating to detecting and mitigating brute force credential stuffing attacks is illustrated. In this example, the GUI 500 can be used to set particular mitigation actions (e.g., CAPTCHA response, an alert, and a silent drop) that are implemented based on a particular number of failed login attempts for particular sources (e.g., username, device ID, and IP address). Additionally, a mitigation action (e.g., a CAPTCHA response) can be selected that is implemented after a threshold number of failed login attempts (e.g., 100) has been observed within a particular sliding time window.”).
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Roth to include plurality of user identifiers in order to establish a login failure detection threshold as well as enabling a notification indicating a potential security incident responsive to the expected number of login failures exceeding the detection threshold as taught in Kapelevich. One of ordinary skill in the art would have been motivated to do so because Kapelevich recognizes that by implementing this feature a system would require a user to enter in a plurality of identifiers in order to establish a login connection to a system, also by setting a threshold based on the failed plurality of user identifiers a system can send an alert in order to take a mitigation action in order to secure a web application from having a potential security incident (Column 7, Line 6; Column 8, Line 54; Column 8, line 50, Column 9, line 62; Accordingly, with this technology, web applications can be better protected from network attacks, and account takeovers due to misappropriated credentials can be reduced). 
Regarding claim 2: 
Roth discloses: 
	The method of claim 1, comprising determining the number of login failures to the system according to login statistics or login records (Roth: ¶0035 “During that period of time, a change in threshold value may be based solely upon the number of correct (and/or incorrect) password attempts.”).
Regarding claim 3: 
Roth disclose:	
The method of claim 1, wherein a login failure comprises one or more failed login attempts for one user identifier (Roth: ¶0020 “user can provide any of various types of credentials in order to authenticate an identity of the user to the provider. These credentials can include, for example, a username and password.  
Regarding claim 4: 
Roth discloses:
The method of claim 1, further comprising: identifying, by the analytics engine, login activity for each of a plurality of time windows, wherein the login activity includes a number of login successes and a number of login failures for a corresponding time window (Roth ¶0013: “In many cases the password may or will be changed over time, and the access may be subject to a lockout policy whereby a number of incorrect attempts received over a period of time can cause the access to be “locked out” or otherwise prevented for at least a period of time.”; Roth ¶0016 “A third embodiment analyzes the amount of time since the password change, and the number of correct password attempts during that time period, in order to determine the appropriate incorrect attempt threshold.”). 
generating, by the analytics engine using the login activity, a distribution that the number of login failures is expected to follow; and generating, by the analytics engine, the detection threshold according to the distribution (ROTH ¶0035: “In the threshold determination function 650 illustrated in FIG. 6B, the incorrect attempt threshold might be a function of the number of correct password attempts … over an initial period of time 652 the threshold value 662 might be a fixed amount or might decrease at a determined rate until a correct password attempt is received … over a next period 656 the threshold value 668 might start at a lower value due to the correct password being received … The process can continue for subsequent periods of time 658, 660 each time a correct password is received for the respective access”).

Regarding claim 6:
Roth discloses:  
The method of claim 4, comprising: determining, by the analytics engine for each number of login successes to the system, an expected number of login failures to the system (ROTH ¶0035: “In the threshold determination function 650 illustrated in FIG. 6B, the incorrect attempt threshold might be a function of the number of correct password attempts.”)
and generating, by the analytics engine for each number of login successes to the system, the detection threshold according to the expected number of login failures to the system (ROTH ¶0035: “and generating, by the analytics engine for each number of login successes to the system, the detection threshold according to the expected number of login failures to the system”). 
	Regarding Claim 11
A device, comprising: at least one processor comprising one or more circuits, the at least one processor configured to implement an analytics engine, the analytics engine configured to: identify a first count of login successes to a system across a plurality of user identifiers; identify a detection threshold for login failures to the system across the plurality of user identifiers, according to the first count; determine a second count of login failures to the system across the plurality of user identifiers within a time window, the login failures originating from a single source entity and including two or more different combinations of user identifiers and passwords; determine that the second count of login failures to the system across the plurality of user identifiers within the time window exceeds the detection threshold; and provide, to a first device, a notification indicating a potential security incident responsive to the second count of login failures exceeding the detection threshold (Refer to claim 1 rejection).
Regarding claim 12: 
Roth discloses: 
	The device of claim 11, wherein the analytics engine determines the number of login failures to the system according to login statistics or login records. (Roth: ¶0035 “During that period of time, a change in threshold value may be based solely upon the number of correct (and/or incorrect) password attempts.”).
	Regarding claim 13:
	The device of claim 11, wherein a login failure comprises one or more failed login attempts for one username user identifier (Roth: ¶0020 “user can provide any of various types of credentials in order to authenticate an identity of the user to the provider. These credentials can include, for example, a username and password.).  
Regarding claim 14: 
Roth discloses:
The device of claim 11, wherein the analytics engine is further configured to: identify login activity for each of a plurality of time windows, wherein the login activity includes a number of login successes and a number of login failures for a corresponding time window (Roth ¶0013: “In many cases the password may or will be changed over time, and the access may be subject to a lockout policy whereby a number of incorrect attempts received over a period of time can cause the access to be “locked out” or otherwise prevented for at least a period of time.”; Roth ¶0016 “A third embodiment analyzes the amount of time since the password change, and the number of correct password attempts during that time period, in order to determine the appropriate incorrect attempt threshold.”) 
generate, using the login activity, a distribution that the number of login failures is expected to follow; and generate the detection threshold according to the distribution (ROTH ¶0035: “In the threshold determination function 650 illustrated in FIG. 6B, the incorrect attempt threshold might be a function of the number of correct password attempts … over an initial period of time 652 the threshold value 662 might be a fixed amount or might decrease at a determined rate until a correct password attempt is received … over a next period 656 the threshold value 668 might start at a lower value due to the correct password being received … The process can continue for subsequent periods of time 658, 660 each time a correct password is received for the respective access”)

Regarding claim 16: 
Roth discloses:
The device of claim 14, wherein the analytics engine is configured to: determine, for each number of login successes to the system, an expected number of login failures to the system; (ROTH ¶0035: “In the threshold determination function 650 illustrated in FIG. 6B, the incorrect attempt threshold might be a function of the number of correct password attempts.”)
and generate, for each number of login successes to the system, the detection threshold according to the expected number of login failures to the system. (ROTH ¶0035: “and generating, by the analytics engine for each number of login successes to the system, the detection threshold according to the expected number of login failures to the system”). 
Regarding claim 20: 
A non-transitory computer readable medium storing program instructions for causing one or more processors to: identify a first count of login successes to a system across a plurality of usernames; -5- 4880-2575-4923.1Atty. Dkt. No. 099011-4722 (19-0020-USOIBYCON) identify a detection threshold for login failures to the system across the plurality of user identifiers, according to the first count; determine a second count of login failures to the system across the plurality of user identifiers within a time window, the login failures originating from a single source entity and including two or more different combinations of user identifiers and passwords; determine that the second count of login failures to the system across the plurality of user identifiers within the time window exceeds the detection threshold; and provide, to a device, a notification indicating a potential security incident responsive to the second count of login failures exceeding the detection threshold (Refer to claim 1 rejection).
Claims 5, 10, and 15 are rejected under 35 U.S.C. 103 as being unpatentable over US 2017/0244694 (hereinafter ‘Roth’), in view of US10,931,691 (hereinafter ‘Kapelevich’), and further in view of US 2020/0195672 A1 (hereinafter ‘Mugambi’).

Regarding claim 5:
Roth and Kapelevich do not disclose “distribution comprises a Poisson distribution or a negative binomial distribution”.
Mugambi discloses:
	The method of claim 4, wherein the distribution comprises a Poisson distribution or a negative binomial distribution (¶0062: “According to an embodiment, the number of login failure events for a user can follow a Poisson distribution and can therefore be measured using the Poisson distribution. In another embodiment, the number of login failure events for a user can follow a normal distribution and can therefore be measured using the normal distribution. In an implementation, most anomalous login failure events can be found at end of the normal distribution and p-values can be used to identify such anomalous login failures. Both Poisson distribution and normal distribution can work equally well in identifying extreme values of login failure events, however, the normal distribution based approach can provide faster determination and can be easier to implement.”). 
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Roth and Kapelevich to include that the threshold of the expected number of login failures can be derived from a Poisson distribution as taught in Mugambi. One of ordinary skill in the art would have been motivated to do so because Mugambi recognizes that it would have been advantageous to identify an extreme values of login failure events (¶0062: “Both Poisson distribution and normal distribution can work equally well in identifying extreme values of login failure events.”). 

Regarding claim 10:
Roth and Kapelevich do not disclose “computing the probability using a cumulative density function of a Poisson distribution at a point in the Poisson distribution corresponding to the number of login failures to the system”. 
Mugambi discloses the following limitation:
The method of claim 9, further comprising computing the probability using a cumulative density function of a Poisson distribution at a point in the Poisson distribution corresponding to the number of login failures to the system (Mugambi ¶0062: “According to an embodiment, the number of login failure events for a user can follow a Poisson distribution and can therefore be measured using the Poisson distribution. In another embodiment, the number of login failure events for a user can follow a normal distribution and can therefore be measured using the normal distribution. In an implementation, most anomalous login failure events can be found at end of the normal distribution and p-values can be used to identify such anomalous login failures. Both Poisson distribution and normal distribution can work equally well in identifying extreme values of login failure events, however, the normal distribution based approach can provide faster determination and can be easier to implement.”; Mugambi ¶0063: “In an embodiment, the first set of users each having a number of login failure events during a given time duration greater than a first threshold value can be determined by considering multiple tuples where each tuple includes a particular user and a particular source computer. For each tuple, a total number of failed logins can be calculated for a particular time frame, e.g., a few hours, one day, or multiple days. Further, a Z-score for the tuple can be calculated using various statistics (e.g., mean and standard deviations) relating to the number of failed logins observed for the particular time frame from learning engine 318. The Z-score can be based on number of standard deviations that the total number of failed logins is away from a mean number of failed logins for the multiple tuples observed during the given the time duration during a training period. In an example, the Z-score can be calculated using Chebyshev inequality, where a certain percentage (x %) of data points can be assumed to be outliers. Generally, a value of x<1.0 is recommended. Thus, the Chebyshev inequality can use a distribution of data points to identify an optimal Z-score using the x % outlier parameter.”).
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Roth and Kapelevich in order to incorporate a probability function in order to calculate the Poisson distribution that corresponds to the number of login failures to the system. One of ordinary skill in the art would have been motivated to do so because Mugambi recognizes that the Poisson distribution need a probability function in order to be derived (Mugambi ¶0063: “In an embodiment, the first set of users each having a number of login failure events during a given time duration greater than a first threshold value can be determined by considering multiple tuples where each tuple includes a particular user and a particular source computer. For each tuple, a total number of failed logins can be calculated for a particular time frame, e.g., a few hours, one day, or multiple days. Further, a Z-score for the tuple can be calculated using various statistics (e.g., mean and standard deviations) relating to the number of failed logins observed for the particular time frame from learning engine 318. The Z-score can be based on number of standard deviations that the total number of failed logins is away from a mean number of failed logins for the multiple tuples observed during the given the time duration during a training period. In an example, the Z-score can be calculated using Chebyshev inequality, where a certain percentage (x %) of data points can be assumed to be outliers. Generally, a value of x<1.0 is recommended. Thus, the Chebyshev inequality can use a distribution of data points to identify an optimal Z-score using the x % outlier parameter.”). 

Regarding claim 15:
Roth and Kapelevich do not disclose “the distribution comprises a Poisson distribution”, Mugambi discloses the following limitation:
	The device of claim 14, wherein the distribution comprises a Poisson distribution or a negative binomial distribution. (Mugambi ¶0062: “According to an embodiment, the number of login failure events for a user can follow a Poisson distribution and can therefore be measured using the Poisson distribution. In another embodiment, the number of login failure events for a user can follow a normal distribution and can therefore be measured using the normal distribution. In an implementation, most anomalous login failure events can be found at end of the normal distribution and p-values can be used to identify such anomalous login failures. Both Poisson distribution and normal distribution can work equally well in identifying extreme values of login failure events, however, the normal distribution based approach can provide faster determination and can be easier to implement.”). 
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Roth and Kapelevich to include that the threshold of the expected number of login failures can be derived from a Poisson distribution as taught in Mugambi. One of ordinary skill in the art would have been motivated to do so because Mugambi recognizes that it would have been advantageous to identify an extreme values of login failure events (Mugambi ¶0062: “Both Poisson distribution and normal distribution can work equally well in identifying extreme values of login failure events.”). 

Claims 7 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over US 2017/0244694 (hereinafter ‘Roth’), in view of US10,931,691 (hereinafter ‘Kapelevich’), and further in view of US 10,579,938 (hereinafter ‘Zoldi’).
Regarding claim 7: 
Kapelevich, and Mugambi do not disclose “the detection threshold corresponds to a defined quantile of the distribution”. 
Zoldi discloses the following limitation:
	The method of claim 4, wherein the detection threshold corresponds to a defined quantile of the distribution (Column 8, line 26; “To determine the outlier values in transactions, one needs to quantify the threshold point in the distribution of values of the variables where, if the variable value exceeded that point, it would be considered as an outlier. In past implementations, the 95% quantile of the distribution has been used to determine the threshold where the value is considered an outlier.”). 
	It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Roth and Kapelevich wherein a threshold value can correspond from a defined quantile of a distribution, as taught in Zoldi. One of ordinary skill in the art would have been motivated to do so because Zoldi recognizes it would have been advantageous to identify outliers from the threshold (Column 8, line 26; To determine the outlier values in transactions, one needs to quantify the threshold point in the distribution of values of the variables where, if the variable value exceeded that point, it would be considered as an outlier.). 

Regarding claim 17: 
Kapelevich, and Mugambi do not disclose “the detection threshold corresponds to a defined quantile of the distribution”. 
Zoldi discloses the following limitation:
	The device of claim 14, wherein the detection threshold corresponds to a defined quantile of the distribution. (Zoldi Column 8, line 26; “To determine the outlier values in transactions, one needs to quantify the threshold point in the distribution of values of the variables where, if the variable value exceeded that point, it would be considered as an outlier. In past implementations, the 95% quantile of the distribution has been used to determine the threshold where the value is considered an outlier.”). 
	It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Roth, Kapelevich, Mugambi, Zoldi, Viljoen and Sergei wherein a threshold value can correspond from a defined quantile of a distribution, as taught in Zoldi. One of ordinary skill in the art would have been motivated to do so because Zoldi recognizes it would have been advantageous to identify outliers from the threshold (Zoldi Column 8, line 26; To determine the outlier values in transactions, one needs to quantify the threshold point in the distribution of values of the variables where, if the variable value exceeded that point, it would be considered as an outlier.”). 

Claims 8 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over US 2017/0244694 (hereinafter ‘Roth’), in view of US10,931,691 (hereinafter ‘Kapelevich’), and further in view of US 10,834,110 (hereinafter ‘Edelstein).

Regarding claim 8:
Roth and Kapelevich do not disclose “a sensitivity value corresponding to the detection threshold; and generating the detection threshold at a quantile of the distribution corresponding to the sensitivity value”. 
Edelstein discloses the following limitation: 
The method of claim 6, further comprising: receiving, by the analytics engine, a sensitivity value corresponding to the detection threshold; and generating the detection threshold at a quantile of the distribution corresponding to the sensitivity value (Edelstein Column 9, line 19; “Next in step 315, the network traffic manager apparatus 14 can adjust the floating threshold for each of the reference attributes and the protocol attributes based on a sensitivity value that indicates the likelihood of being under a DDoS attack, although the network traffic manager apparatus 14 can adjust the floating threshold based on other parameters.”).
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Roth and Kapelevich wherein a quantile of the distribution corresponding to the sensitivity value generates the detection threshold, as taught in Edelstein. One of ordinary skill in the art would have been motivated to do so because Edelstein recognizes it would have been advantageous to attribute sensitivity values into a detection threshold in order to detect a security incident within a system (Column 9, line 19; a sensitivity value that indicates the likelihood of being under a DDoS attack). 

Regarding claim 18:
Roth and Kapelevich do not disclose “a sensitivity value corresponding to the detection threshold; and generating the detection threshold at a quantile of the distribution corresponding to the sensitivity value”.
Edelstein discloses the following limitation:
The device of claim 16, wherein the analytics engine is further configured to: receive a sensitivity value corresponding to the detection threshold; and generate the detection threshold at a quantile of the distribution corresponding to the sensitivity value (Edelstein Column 9, line 19; “Next in step 315, the network traffic manager apparatus 14 can adjust the floating threshold for each of the reference attributes and the protocol attributes based on a sensitivity value that indicates the likelihood of being under a DDoS attack, although the network traffic manager apparatus 14 can adjust the floating threshold based on other parameters.”).
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Roth and Kapelevich wherein a quantile of the distribution corresponding to the sensitivity value generates the detection threshold, as taught in Edelstein. One of ordinary skill in the art would have been motivated to do so because Edelstein recognizes it would have been advantageous to attribute sensitivity values into a detection threshold in order to detect a security incident within a system (Edelstein Column 9, line 19; “Next in step 315, the network traffic manager apparatus 14 can adjust the floating threshold for each of the reference attributes and the protocol attributes based on a sensitivity value that indicates the likelihood of being under a DDoS attack, although the network traffic manager apparatus 14 can adjust the floating threshold based on other parameters.”).

Claims 9 is rejected under 35 U.S.C. 103 as being unpatentable over US 2017/0244694 (hereinafter ‘Roth’), in view of US 10,735,468 (hereinafter ‘Kapelevich’), and further in view of US 10,579,938 (hereinafter ‘Viljoen).
Regarding claim 9:
Roth and Kapelevich do not disclose “a probability that the potential security incident is not a real security incident; triggering, by the analytics engine, an action for the system responsive to the probability satisfying a threshold”.
Viljoen discloses the following limitation: 
The method of claim 1, further comprising: computing, by the analytics engine, a probability that the potential security incident is not a real security incident (Viljoen Column 12, line 9; “In addition, application Ser. No. 15/431,795 describes calculating rates of false positives and false negatives within initial classifications of computing events. As described in application Ser. No. 15/431,795, a false positive may represent a computing event whose initial classification is malicious and whose updated classification is non-malicious.”) triggering, by the analytics engine, an action for the system responsive to the probability satisfying a threshold (Viljoen Column 12, line 18; In some examples, evaluation module 108 may further evaluate the ability of a backend security server to detect security threats based on an analysis of the false positive rates and false negative rates produced by one or more threshold disposition scores implemented by the backend security server.).
	It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Roth and Kapelevich in order to incorporate a feature that can determine the probability of potential security incident is not a real security incident by satisfying the detection threshold, as taught in Viljoen. One of ordinary skill in the art would have been motivated to do so because Viljoen recognizes it would have been advantageous to assure that a false security incident isn’t triggered as it can cause an enterprise’s productivity to diminish (Viljoen Column 12, line 65; In some embodiments, security module 110 may adjust a threshold disposition score within an enterprise based on rates of false positives and/or false negatives identified within the enterprise. For example, an enterprise may indicate, to security module 110, a desired rate or ratio of false positives and/or false negatives that corresponds to a desired level of strictness or severity for security services implemented within the enterprise. In general, a high rate of false positives (ora high ratio of false positives to false negatives) indicates a strict security service. For example, a security service that detects a greater number of false positives than false negatives will be more likely to detect true positives. However, large numbers of false positives may inconvenience users and/or hinder productivity within an enterprise. Accordingly, an enterprise that handles highly classified or sensitive information may request a higher ratio of false positives to false negatives than an enterprise that handles less confidential information.).

Claims 19 is rejected under 35 U.S.C. 103 as being unpatentable over US 2017/0244694 (hereinafter ‘Roth’), in view of US 10,735,468 (hereinafter ‘Kapelevich’), in view of US 10,579,938 (hereinafter ‘Viljoen’), and in further view of US 2020/0195672 (hereinafter ‘Mugambi’).
Regarding claim 19:
Roth and Kapelevich do not disclose “compute a probability that the potential security incident is not a real security incident”.
Viljoen discloses the following limitation:
	The device of claim 11, wherein the analytics engine is further configured to: compute a probability that the potential security incident is not a real security incident (Viljoen Column 12, line 9; “In addition, application Ser. No. 15/431,795 describes calculating rates of false positives and false negatives within initial classifications of computing events. As described in application Ser. No. 15/431,795, a false positive may represent a computing event whose initial classification is malicious and whose updated classification is non-malicious.”),
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Roth and Kapelevich in order to incorporate a feature that can determine the probability of potential security incident is not a real security incident, as taught in Viljoen. One of ordinary skill in the art would have been motivated to do so because Viljoen recognizes it would have been advantageous to assure that a false security incident isn’t triggered as it can cause an enterprise’s productivity to diminish (Viljoen Column 12, line 65; In some embodiments, security module 110 may adjust a threshold disposition score within an enterprise based on rates of false positives and/or false negatives identified within the enterprise. For example, an enterprise may indicate, to security module 110, a desired rate or ratio of false positives and/or false negatives that corresponds to a desired level of strictness or severity for security services implemented within the enterprise. In general, a high rate of false positives (ora high ratio of false positives to false negatives) indicates a strict security service. For example, a security service that detects a greater number of false positives than false negatives will be more likely to detect true positives. However, large numbers of false positives may inconvenience users and/or hinder productivity within an enterprise. Accordingly, an enterprise that handles highly classified or sensitive information may request a higher ratio of false positives to false negatives than an enterprise that handles less confidential information.). 
Roth, Kapelevich, and Viljoen do not disclose “computing the probability using a cumulative density function of a Poisson distribution at a point in the Poisson distribution corresponding to the number of login failures to the system; and trigger an action for the system responsive to the probability satisfying a threshold”. 
Mugambi discloses the following limitation:
the analytics engine computing the probability using a cumulative density function of a Poisson distribution at a point in the Poisson distribution corresponding to the number of login failures to the system; and trigger an action for the system responsive to the probability satisfying a threshold (Mugambi ¶0062: “According to an embodiment, the number of login failure events for a user can follow a Poisson distribution and can therefore be measured using the Poisson distribution. In another embodiment, the number of login failure events for a user can follow a normal distribution and can therefore be measured using the normal distribution. In an implementation, most anomalous login failure events can be found at end of the normal distribution and p-values can be used to identify such anomalous login failures. Both Poisson distribution and normal distribution can work equally well in identifying extreme values of login failure events, however, the normal distribution based approach can provide faster determination and can be easier to implement.”; Mugambi ¶0063: “In an embodiment, the first set of users each having a number of login failure events during a given time duration greater than a first threshold value can be determined by considering multiple tuples where each tuple includes a particular user and a particular source computer. For each tuple, a total number of failed logins can be calculated for a particular time frame, e.g., a few hours, one day, or multiple days. Further, a Z-score for the tuple can be calculated using various statistics (e.g., mean and standard deviations) relating to the number of failed logins observed for the particular time frame from learning engine 318. The Z-score can be based on number of standard deviations that the total number of failed logins is away from a mean number of failed logins for the multiple tuples observed during the given the time duration during a training period. In an example, the Z-score can be calculated using Chebyshev inequality, where a certain percentage (x %) of data points can be assumed to be outliers. Generally, a value of x<1.0 is recommended. Thus, the Chebyshev inequality can use a distribution of data points to identify an optimal Z-score using the x % outlier parameter.”).  
	It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Roth, Kapelevich, and Viljoen in order to incorporate a probability function in order to calculate the Poisson distribution that corresponds to the number of login failures to the system. One of ordinary skill in the art would have been motivated to do so because Mugambi recognizes that the Poisson distribution need a probability function in order to be derived (Mugambi ¶0063: “In an embodiment, the first set of users each having a number of login failure events during a given time duration greater than a first threshold value can be determined by considering multiple tuples where each tuple includes a particular user and a particular source computer. For each tuple, a total number of failed logins can be calculated for a particular time frame, e.g., a few hours, one day, or multiple days. Further, a Z-score for the tuple can be calculated using various statistics (e.g., mean and standard deviations) relating to the number of failed logins observed for the particular time frame from learning engine 318. The Z-score can be based on number of standard deviations that the total number of failed logins is away from a mean number of failed logins for the multiple tuples observed during the given the time duration during a training period. In an example, the Z-score can be calculated using Chebyshev inequality, where a certain percentage (x %) of data points can be assumed to be outliers. Generally, a value of x<1.0 is recommended. Thus, the Chebyshev inequality can use a distribution of data points to identify an optimal Z-score using the x % outlier parameter.”). 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Burch (US 2020/0351299 A1) discloses that a high-frequency hashed incorrect passwords are determined on a per-time period basis. As noted above, a high-frequency hashed incorrect password is a one-way hash of an incorrect password that was entered in more than a threshold number of unsuccessful access attempts. Burch also discloses that a computing systems (figure 1002) may receive alert notifications if it detects a high-frequency of hashed incorrect passwords.
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAAD ABDULLAH whose telephone number is 571-272-1531.  The examiner can normally be reached on Monday-Friday 9am-5pm EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LYNN FEILD can be reached on 571-272-2092. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SAAD AHMAD ABDULLAH/Examiner, Art Unit 2431                                                                                                                                                                                                        
/SHIN-HON (ERIC) CHEN/Primary Examiner, Art Unit 2431