Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-10 are rejected under 35 U.S.C. 103 as being anticipated by Zhang (US 10,075,463 B2) in view of Thomas (US 2019/0250937 A1).
Per claim 1, Zhang teaches
A system for automated intelligent detection and mitigation of cyber security threats, the system comprising: a server computing device comprising a memory to store computer-executable instructions and a processor that executes the computer-executable instructions to (Column 2, Line 40: a system is disclosed that automatically detects bots accessing network resources. One embodiment includes encoding network request data from text to numbers and running encoded network request data as numbers through a neural network to identify whether a requester is a bot.): receive application log data from one or more application servers (Column 2, Line 51: In one embodiment, Application Server 12 generates one or more log files that document interaction with clients 14.); analyze the application log data to identify a set of one or more indicia of potential cyber security threats (Column 2, Line 55: Any of these log files can be provided from Application Server 10 to Data Analysis Server 20 for data analysis such as for automatic detection of bots and/or botnets.); execute a trained artificial intelligence threat modeler against the application log data and the set of one or more indicia of potential cyber security threats to identify a set of one or more indicia of actual cyber security threats (Column 16, Line 17: The process of FIG. 23 is one example implementation of step 602 of FIG. 20, and represents the deep learning that is performed based on historical data found in old logs); determine whether a remediation action exists for each of the identified actual cyber security threats; if a remediation action exists for of the identified actual cyber security threat, execute the remediation action at the one or more application servers to resolve the identified actual cyber security threat (Column 17, Line 53: Once bots and botnets are detected, the system can report the list of bots and botnets to an entity who can act on that information or the system can automatically act to prevent the bots and botnets from causing further harm. For example, the system can block the bots and bot nest from accessing network resources (e.g., the resources associated with the URLs in the logs) or otherwise prevent access to the network resources for the bots.); and if a remediation action does not exist for the identified actual cyber security threat: generate one or more remediation parameters based upon the one or more indicia of the actual cyber security threat (Column 10, Line 60: For each new visit that is determined to be being performed by a bot, the IP address for the bot will be reported as a potential bot. This parameter will simply mark IP addresses as malicious instead of instigating a mitigation action plan in order to counteract the IP address.)
Zhang doesn’t disclose the following limitation “generate source code for a remediation software package based upon the one or more remediation parameters; and execute the remediation software package at the one or more application servers to resolve the identified actual cyber security threat”
Thomas discloses:
generate source code for a remediation software package based upon the one or more remediation parameters; and execute the remediation software package at the one or more application servers to resolve the identified actual cyber security threat (¶163: The secure virtual machine 804 may determine what actions are needed to remediate the detected malware and select a suitable program or group of programs to complete the needed remediation.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Zhang in order to include a feature where a software program can generate a remediation plan if a malware is detected within a system as taught by Thomas. One of ordinary skill in the art would have been motivated to do so because Thomas recognizes by implementing this feature a system can automatically take the necessary precaution in order to mitigate a malware that has been detected (¶163).
Per claim 2, Zhang teaches
The system of claim 1, wherein the application log data comprises one or more communication events between one or more of the application servers and a remote computing device (Column 2, Line 50: Application Server 12 is in communication (via Internet 10) with a number of clients 14 (remote computing device). In one embodiment, Application Server 12 generates one or more log files that document interaction with clients 14. In addition, log files can be generated to document other actions, states or conditions of Application Server 12.).
Per claim 3, Zhang teaches
The system of claim 1, wherein the server computing device receives the application log data in real time (Column 16, Line 45: The log file is received in real time by data analysis server 20 from application server 12 (FIG. 1)).
Per claim 4, Zhang teaches
The system of claim 1, wherein the remediation action comprises one or more of: updating a security policy, blocking a communications channel or port, changing one or more application settings, deactivating one or more user accounts, or replacing one or more existing application code modules with updated code modules (Column 4, Line 44: The output decision engine 62, after any Captcha checks have been performed by module 64, are provided to reporting/blocking engine 66. In one embodiment, reporting/blocking engine 66 can generate an alert to a software entity, computer hardware entity or human with a list of one or more bots and/or botnets identified … That list is provided to application server 12. When a request is received at application server 12, the IP address of the source of the request is checked against the list of bots. If the IP address of the source of the request is on the list of bots, then the request is ignored, declined, responded to with an error message or redirected to another page (e.g., error page, reporting page indicating that it is a bot, or dummy page). The declining and redirecting can also be performed by or at the direction of application server 12.).
Per claim 5, Zhang doesn’t disclose the following limitation “wherein execution of the remediation software package at the one or more application servers to resolve the identified actual cyber security threat comprises: updating a security policy, blocking a communications channel or port, changing one or more application settings, deactivating one or more user accounts, or replacing one or more existing application code modules with updated code modules”. 
Thomas teaches
The system of claim 1, wherein execution of the remediation software package at the one or more application servers to resolve the identified actual cyber security threat comprises: updating a security policy, blocking a communications channel or port, changing one or more application settings, deactivating one or more user accounts, or replacing one or more existing application code modules with updated code modules (¶45: “The security management facility 122 (software package) may provide for web security and control, e.g., to help to detect or block viruses, spyware, malware, unwanted applications, help control web browsing, and the like. Web security and control may include Internet use policies, reporting on suspect devices, security and content filtering, active monitoring of network traffic, URI filtering, and the like. In an embodiment, the security management facility 122 may provide for network access control, which may provide control over network connections”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Zhang in order to include a feature where a software program can upgrade internet security policy in order to help detect or block viruses from entering into a system as taught by Thomas. One of ordinary skill in the art would have been motivated to do so because Thomas recognizes by implementing this feature a system can automatically take the necessary precaution in order to mitigate the chances of malware infecting a system (¶45).
Per claim 6, Zhang teaches
A computerized method of automated intelligent detection and mitigation of cyber security threats, the method comprising: receiving, by a server computing device, application log data from one or more application servers; analyzing, by the server computing device, the application log data to identify a set of one or more indicia of potential cyber security threats; executing, by the server computing device, a trained artificial intelligence threat modeler against the application log data and the set of one or more indicia of potential cyber security threats to identify a set of one or more indicia of actual cyber security threats; determining, by the server computing device, whether a remediation action exists for each of the identified actual cyber security threats; if a remediation action exists for of the identified actual cyber security threat, executing, by the server computing device, the remediation action at the one or more application servers to resolve the identified actual cyber security threat; and if a remediation action does not exist for the identified actual cyber security threat: generating, by the server computing device, one or more remediation parameters based upon the one or more indicia of the actual cyber security threat; generating, by the server computing device, source code for a remediation software package based upon the one or more remediation parameters; and executing, by the server computing device, the remediation software package at the one or more application servers to resolve the identified actual cyber security threat (Refer to Claim 1 for Rejection).
Per claim 7, Zhang teaches
The method of claim 6, wherein the application log data comprises one or more communication events between one or more of the application servers and a remote computing device (Refer to Claim 2 for Rejection).
Per claim 8, Zhang teaches
The method of claim 6, wherein the server computing device receives the application log data in real time (Refer to Claim 3 for Rejection).
Per claim 9, Zhang teaches
The method of claim 6, wherein the remediation action comprises one or more of: updating a security policy, blocking a communications channel or port, changing one or more application settings, deactivating one or more user accounts, or replacing one or more existing application code modules with updated code modules (Refer to Claim 4 for Rejection).
Per claim 10, Zhang teaches
The method of claim 6, wherein execution of the remediation software package at the one or more application servers to resolve the identified actual cyber security threat comprises: updating a security policy, blocking a communications channel or port, changing one or more application settings, deactivating one or more user accounts, or replacing one or more existing application code modules with updated code modules (Refer to Claim 5 for Rejection).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAAD ABDULLAH whose telephone number is 571-272-1531. The examiner can normally be reached on Monday-Friday 9am-5pm EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, LYNN FIELD can be reached on 571-272-2092.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SAAD AHMAD ABDULLAH/Examiner, Art Unit 2431

/SHIN-HON (ERIC) CHEN/Primary Examiner, Art Unit 2431