DETAILED ACTION
Notice of Pre-AIA or AIA Status
1. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
2. According to applicant's arguments filed on 07/11/2022, claims 11-20 and 22-30 have been amended. In view of the amendment, the 35 U.S.C. 101 rejection of claim 11 and the objections to claims 12-20 and 22-30 are withdrawn.

3. Applicant's arguments with respect to independent claims 1, 11 and 21 have been fully considered but they are not persuasive.

4. Applicant argues that Muddu does not disclose: “providing suggestions to the third-party concerning additional actions to be taken by the third-party concerning the investigation of the security event”, as recited in independent claim 1.

5. Examiner would like to point out that Muddu teaches this limitation; see Para:0140, which teaches that the security platform can detect anomalies and threats produced by a user, a device, or an application, for example, regardless of whether the entity that causes the anomalies or threats is from outside or inside the organization's network. The security analytics techniques adopted by the security platform include behavioral analytics that enable organizations to detect and respond to unknown threats. The behavioral analytics include machine learning and behavior modeling.
Para:0151 teaches the anomalies and threats are detected by the real-time processing path, which will be employed to automatically trigger an action, such as stopping the intrusion, shutting down network access, locking out users, preventing information theft or information transfer, shutting down software and/or hardware processes, and the like (para:0007 and para:0163 teach that anti-virus or anti-malware software is typically installed on terminal devices; data traversing the network between the terminal devices is monitored by the installed products to detect malware in either inbound or outbound data [which is the third party herein, such as an antivirus/firewall software service]). The discovered anomalies and threats will be presented to a network operator (e.g., a network security administrator or analyst or user) for decision. Furthermore, the decisions by the user (e.g., that the anomalies and threats are correctly diagnosed, or that the discovered anomalies and threats are false positives) can then be provided as feedback data [suggestions herein] in order to update and improve the models, which results in further actions to be taken by the third party [antivirus/firewall service].

Double Patenting
6. The non-statutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A non-statutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.821(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made because of activities undertaken within the scope of a joint research agreement.

Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).

7. Claims 1, 4, 8-11, 14 and 18-21 of the instant application are provisionally rejected on the ground of non-statutory double patenting as being unpatentable over claims 1-3, 8, 10-12, 15, 17, 19-21, 24 and 26 of co-pending application 16/939,973 and claims 1-3, 8, 10-12, 17, 19-21, 24 and 27 of co-pending application 16/939,993. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the current application encompass the same subject matter as the co-pending application claims [such as rendering a threat mitigation user interface that identifies objects within a computing platform in response to a security event, and monitoring actions taken by a third-party when investigating the security event], but with obvious wording variations.
                                                      
Claim Rejections - 35 USC § 102
8. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


9. Claims 1-8, 11-18 and 21-28 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Muddu (US Pub. No. 2019/0158517).

10. Regarding claims 1, 11 and 21, Muddu teaches a computer-implemented method executed on a computing device, a computer program product residing on a computer readable medium and a computing system comprising: rendering a threat mitigation user interface that identifies objects within a computing platform in response to a security event (Fig.1 and Para:0140 teach that the security platform can detect anomalies and threats produced by a user, a device, or an application, for example, regardless of whether the entity that causes the anomalies or threats is from outside or inside the organization's network. The security platform can include a graphical user interface (GUI) that can create visualizations of the detected anomalies and threats within an organization, and optionally, map the threats across an attack kill-chain in a visual way, which the security analysts in the organization can quickly and easily assimilate. Para:0439 teaches the security platform includes a GUI generator module that gathers the generated anomaly data, threat data, and other data, and that based on such gathered data, generates display data. The GUI generator module sends the generated display data to one or more physical display devices, to cause those display devices to display the GUI features described herein. The GUI module also receives user inputs and modifies the display data based on those inputs to provide an interactive display);
monitoring actions taken by a third-party when investigating the security event; and providing suggestions to the third-party concerning additional actions to be taken by the third-party concerning the investigation of the security event (Figs.39-51, Para:0441-0442 teaches the GUI can enable the user to set watchlists to track information while navigating the various views. The GUI here generates views pertaining to threats and anomalies identified from event data generated from network activities. As examples, network activities may include log-ins, email traffic, internet browsing, or file transfers on a network operated by a corporation, university, household, or other organization (referred to collectively as an “organization”). Event data comprises timestamped machine data related to network activity by various entities, including users, devices, and applications.
Para:0137-0138 teaches the security platform is “big data” driven and employs a number of machine learning mechanisms to perform security analytics. More specifically, the security platform introduced here can perform user behavioral analytics (UBA), or more generally user/entity behavioral analytics (UEBA), to detect the security related anomalies and threats, regardless of whether such anomalies and threats are previously known or unknown. Additionally, by presenting analytical results scored with risk ratings and supporting evidence, the security platform can enable network security administrators or analysts to respond to a detected anomaly or threat, and to take action promptly. The security platform can also improve threat detection and targeted response by using a variety of threat indicators. 

Para:0151 teaches the anomalies and threats are detected by the real-time processing path, which will be employed to automatically trigger an action, such as stopping the intrusion, shutting down network access, locking out users, preventing information theft or information transfer, shutting down software and/or hardware processes, and the like (para:0007 and para:0163 teach that anti-virus or anti-malware software is typically installed on terminal devices; data traversing the network between the terminal devices is monitored by the installed products to detect malware in either inbound or outbound data [which is the third party herein, such as an antivirus/firewall software service]). The discovered anomalies and threats will be presented to a network operator (e.g., a network security administrator or analyst or user) for decision. Furthermore, the decisions by the user (e.g., that the anomalies and threats are correctly diagnosed, or that the discovered anomalies and threats are false positives) can then be provided as feedback data [suggestions herein] in order to update and improve the models, which results in further actions to be taken by the third party [antivirus/firewall service]).

11. Regarding claims 2, 12 and 22 Muddu teaches the computer-implemented method, the computer program product residing on a computer readable medium and the computing system comprising wherein monitoring actions taken by a third-party when investigating the security event include: monitoring artifacts gathered by the third-party when investigating the security event (Para:0137-0138 and Para:0171 teaches these anomalies, threat indicators and threats may be provided to a user interface (UI) system 350 for review by a human operator 352. As an example, a visualization map and a threat alert may be presented to the human operator 352 for review and possible action. The output of the analysis module 330 may also automatically trigger actions such as terminating access by a user, terminating file transfer, or any other action that may neutralize the detected threats. In certain embodiments, only notification is provided from the analysis module 330 to the UI system 350 for review by the human operator 352. The event data that underlies those notifications or that gives rise to the detection made by the analysis module 330 are persistently stored in a database 378. If the human operator decides to investigate a particular notification, he or she may access from database 378 the event data (including raw event data and any associated information) that supports the anomalies or threat detection. On the other hand, if the threat detection is a false positive, the human operator 352 may so indicate upon being presented with the anomaly or the threat. The rejection of the analysis result may also be provided to the database 378. The operator feedback information (e.g., whether an alarm is accurate or false) may be employed to update the model to improve future evaluation).

12. Regarding claims 3, 13 and 23, Muddu teaches the computer-implemented method, the computer program product residing on a computer readable medium and the computing system wherein the artifacts include one or more of: raw data; screen shots; graphics; notes; annotations; audio recordings; and video recordings (Para:0171, Para:0175 and Para:0159 teach that the artifacts include raw data, graphics, annotations, etc.).

13. Regarding claims 4, 14 and 24, Muddu teaches the computer-implemented method, the computer program product residing on a computer readable medium and the computing system wherein monitoring actions taken by a third-party when investigating the security event include: monitoring objects reviewed by the third-party when investigating the security event (Para:0151 teaches the anomalies and threats are detected by the real-time processing path, which will be employed to automatically trigger an action, such as stopping the intrusion, shutting down network access, locking out users, preventing information theft or information transfer, shutting down software and/or hardware processes, and the like (para:0007 and para:0163 teach that anti-virus or anti-malware software is typically installed on terminal devices; data traversing the network between the terminal devices is monitored by the installed products to detect malware in either inbound or outbound data [which is the third party herein, such as an antivirus/firewall software service]). The discovered anomalies and threats will be presented to a network operator (e.g., a network security administrator or analyst or user) for decision. Furthermore, the decisions by the user (e.g., that the anomalies and threats are correctly diagnosed, or that the discovered anomalies and threats are false positives) can then be provided as feedback data [suggestions herein] in order to update and improve the models, which results in further actions to be taken by the third party [antivirus/firewall service]).

14. Regarding claims 5, 15 and 25, Muddu teaches the computer-implemented method, the computer program product residing on a computer readable medium and the computing system wherein providing suggestions to the third-party concerning additional actions to be taken by the third-party concerning the investigation of the security event includes: providing suggestions to the third-party concerning additional objects to be reviewed by the third-party when investigating the security event (Para:0137-0138 teaches the security platform is “big data” driven and employs a number of machine learning mechanisms to perform security analytics. More specifically, the security platform introduced here can perform user behavioral analytics (UBA), or more generally user/entity behavioral analytics (UEBA), to detect the security related anomalies and threats, regardless of whether such anomalies and threats are previously known or unknown. Additionally, by presenting analytical results scored with risk ratings and supporting evidence, the security platform can enable network security administrators or analysts to respond to a detected anomaly or threat, and to take action promptly. The security platform can 
Para:0159 and Para:0151 teach the anomalies and threats are detected by the real-time processing path, which will be employed to automatically trigger an action, such as stopping the intrusion, shutting down network access, locking out users, preventing information theft or information transfer, shutting down software and/or hardware processes, and the like (para:0007 and para:0163 teach that anti-virus or anti-malware software is typically installed on terminal devices; data traversing the network between the terminal devices is monitored by the installed products to detect malware in either inbound or outbound data [which is the third party herein, such as an antivirus/firewall software service]). The discovered anomalies and threats will be presented to a network operator (e.g., a network security administrator or analyst or user) for decision. Furthermore, the decisions by the user (e.g., that the anomalies and threats are correctly diagnosed, or that the discovered anomalies and threats are false positives) can then be provided as feedback data [suggestions herein] in order to update and improve the models, which results in further actions to be taken by the third party [antivirus/firewall service]).

15. Regarding claims 6,16 and 26 Muddu teaches the computer-implemented method, the computer program product residing on a computer readable medium and the computing system wherein providing suggestions to the third-party concerning additional actions to be taken by the third-party concerning the investigation of the security event includes: providing suggestions to the third-party concerning additional artifacts to be gathered by the third-party when investigating the security event (Para:0137-0138 and Para:0171 teaches these anomalies, threat indicators and threats may be provided to a user interface (UI) system 350 for review by a human operator 352. As an example, a visualization map and a threat alert may be presented to the human operator 352 for review and possible action. The output of the analysis module 330 may also automatically trigger actions such as terminating access by a user, terminating file transfer, or any other action that may neutralize the detected threats. In certain embodiments, only notification is provided from the analysis module 330 to the UI system 350 for review by the human operator 352. The event data that underlies those notifications or that gives rise to the detection made by the analysis module 330 are persistently stored in a database 378. If the human operator decides to investigate a particular notification, he or she may access from database 378 the event data (including raw event data and any associated information) that supports the anomalies or threat detection. On the other hand, if the threat detection is a false positive, the human operator 352 may so indicate upon being presented with the anomaly or the threat. The rejection of the analysis result may also be provided to the database 378. The operator feedback information (e.g., whether an alarm is accurate or false) may be employed to update the model to improve future evaluation.
Para:0151 teaches the anomalies and threats are detected by the real-time processing path, which will be employed to automatically trigger an action, such as stopping the intrusion, shutting down network access, locking out users, preventing information theft or information transfer, shutting down software and/or hardware processes, and the like (para:0007 and para:0163 teach that anti-virus or anti-malware software is typically installed on terminal devices; data traversing the network between the terminal devices is monitored by the installed products to detect malware in either inbound or outbound data [which is the third party herein, such as an antivirus/firewall software service]). The discovered anomalies and threats will be presented to a network operator (e.g., a network security administrator or analyst or user) for decision. Furthermore, the decisions by the user (e.g., that the anomalies and threats are correctly diagnosed, or that the discovered anomalies and threats are false positives) can then be provided as feedback data [suggestions herein] in order to update and improve the models, which results in further actions to be taken by the third party [antivirus/firewall service]).

16. Regarding claims 7, 17 and 27, Muddu teaches the computer-implemented method, the computer program product residing on a computer readable medium and the computing system wherein providing suggestions to the third-party concerning additional actions to be taken by the third-party concerning the investigation of the security event includes: providing suggestions to the third-party concerning a remedial action to be taken by the third-party when investigating the security event (Para:0151 teaches the anomalies and threats are detected by the real-time processing path, which will be employed to automatically trigger an action, such as stopping the intrusion, shutting down network access, locking out users, preventing information theft or information transfer, shutting down software and/or hardware processes, and the like (para:0007 and para:0163 teach that anti-virus or anti-malware software is typically installed on terminal devices; data traversing the network between the terminal devices is monitored by the installed products to detect malware in either inbound or outbound data [which is the third party herein, such as an antivirus/firewall software service]). The discovered anomalies and threats will be presented to a network operator (e.g., a network security administrator or analyst or user) for decision. Furthermore, the decisions by the user (e.g., that the anomalies and threats are correctly diagnosed, or that the discovered anomalies and threats are false positives) can then be provided as feedback data [suggestions herein] in order to update and improve the models, which results in further actions to be taken by the third party [antivirus/firewall service]).

17. Regarding claims 8,18 and 28 Muddu teaches the computer-implemented method, the computer program product residing on a computer readable medium and the computing system further comprising: enabling the third-party to select an object within the threat mitigation user interface, thus defining a selected object (Figs.39-51, Para:0441-0442 teaches the GUI also can enable the user to set watchlists to track information while navigating the various views. Watchlists can be used, for example, to remind the user that certain data already has been reviewed and considered by the user. Once a user reviews sufficient information to draw a conclusion about a threat, the GUI also enables a user to “take action,” for example, by re-designating the identified threat as “Not a Threat,” or by emailing threat data or exporting it to another data mining platform. The GUI provides these capabilities and many more to facilitate effective network security monitoring via simple user inputs. The GUI here generates views pertaining to threats and anomalies identified from event data generated from network activities. As examples, network activities may include log-ins, email traffic, internet browsing, or file transfers on a network operated by a corporation, university, household, or other organization (referred to collectively as an “organization”). Event data comprises timestamped machine data related to network activity by various entities, including users, devices, and applications);

and rendering an inspection window that defines object information concerning the selected object (Para:0453-0454 teaches the home screen view 3900 can additionally include summary charts and illustrations, such as, as shown in FIG. 39A, a “Threats by Threat Type” box 3912, a “Latest Threats” box 3913, and an “Events Trend” graphic 3914. The “Threats by Threat Type” box 3912 compares by number each different type of threat that has been identified. The listing in the “Latest Threats” box 3913 identifies the most recent threats by date. The “Events Trend” graphic 3914 is a timeline showing the volume of events along a timeline.
The example home screen view 3900 also prompts a user, via status bar 3911, to begin a “Threat Review” or view an “Analytics Dashboard.” Upon clicking, via the graphical user interface, on the “Start Threat Review” button 3915, a “Threats Review” view 4000 is provided, as described with reference to FIG. 40A).

Claim Rejections - 35 USC § 103
18. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

19. Claims 9-10, 19-20 and 29-30 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu (US Pub. No. 2019/0158517) in view of Chandrashekar (US Pub. No. 2010/0169476).

20. Regarding claims 9, 19 and 29, Muddu teaches the computer-implemented method, the computer program product residing on a computer readable medium and the computing system having an inspection window (see Para:0454), but fails to disclose that the inspection window is a popup inspection window.

Chandrashekar teaches the computer-implemented method, the computer program product residing on a computer readable medium and the computing system wherein the inspection window is a popup inspection window (Para:0027 teaches a popup window is displayed to user to inform that the destination address has been blacklisted and is identified as harmful).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Muddu so that the inspection window is a popup inspection window, as taught by Chandrashekar, since such a setup would yield the predictable result of detecting unauthorized activity on a computing system.

21. Regarding claims 10, 20 and 30, Muddu teaches the computer-implemented method, the computer program product residing on a computer readable medium and the computing system having an inspection window (see Para:0454), but fails to disclose that the inspection window is a slide out inspection window.

Chandrashekar teaches the computer-implemented method wherein the inspection window is a slide out inspection window (Para:0021 teaches the observation window is a sliding window).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Muddu so that the inspection window is a sliding window, as taught by Chandrashekar, since such a setup would yield the predictable result of detecting unauthorized activity on a computing system.

Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEREENA T CATTUNGAL whose telephone number is (571)270-0506. The examiner can normally be reached Mon-Fri: 7:30 AM-5 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/DEREENA T CATTUNGAL/Primary Examiner, Art Unit 2431