Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

2.	This Office action is in response to the communication filed on 07/13/2021.

3.	Status of claims in the instant application:

Claims 1-20 are pending.

Priority
4.	Application 17/373,916, filed 07/13/2021, is a continuation of 16/383,407, filed 04/12/2019, now U.S. Patent No. 11,087,014, which had one RCE-type filing therein. Application 16/383,407 claims priority from Provisional Application 62/657,542, filed 04/13/2018; Provisional Application 62/659,031, filed 04/17/2018; and Provisional Application 62/744,956, filed 10/12/2018. Thus, the effective filing date of applicant's claimed invention is 04/13/2018.


Drawings
5.	The drawings filed on 07/13/2021 are acceptable for examination proceedings.

Specification
6.	The specification filed on 07/13/2021 is acceptable for examination proceedings.

Information Disclosure Statement
7.	Information Disclosure Statements (IDS) filed on 07/15/2021, 12/23/2021, 03/11/2022, 05/31/2022 and 08/18/2022 have been considered, and signed copies of the IDS forms are attached to this Office action.

Internet Communications
8. 	Applicant is encouraged to submit a written authorization for Internet communications (PTO/SB/439, http://www.uspto.gov/sites/default/files/documents/sb0439.pdf) in the instant patent application to authorize the examiner to communicate with the applicant via email. The authorization will allow the examiner to better practice compact prosecution. The written authorization can be submitted via one of the following methods only: (1) the Central Fax number given in the Conclusion section of this Office action; (2) regular postal mail; (3) EFS-Web; or (4) the service window on the Alexandria campus. EFS-Web is the recommended way to submit the form, since this allows the form to be entered into the file wrapper within the same day (system dependent). Written authorization submitted via other methods, such as direct fax to the examiner or email, will not be accepted. See MPEP § 502.03.

Double Patenting
9.	A rejection based on double patenting of the "same invention" type finds its support in the language of 35 U.S.C. 101 which states that "whoever invents or discovers any new and useful process ... may obtain a patent therefor ..."  (Emphasis added).  Thus, the term "same invention," in this context, means an invention drawn to identical subject matter.  See Miller v. Eagle Mfg. Co., 151 U.S. 186 (1894); In re Ockert, 245 F.2d 467, 114 USPQ 330 (CCPA 1957); and In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970).

A statutory type (35 U.S.C. 101) double patenting rejection can be overcome by canceling or amending the conflicting claims so they are no longer coextensive in scope.  The filing of a terminal disclaimer cannot overcome a double patenting rejection based upon 35 U.S.C. 101.

10.	Claims 1-20 are rejected under 35 U.S.C. 101 as claiming the same invention as that of claims 1-20 of U.S. Patent No. 11,087,014, the parent of the instant application. Because the conflicting claims have already issued, this rejection is not provisional.

11.	Below is a comparison of the claims of the instant application with those of U.S. Patent No. 11,087,014.

'014 US Patent | Instant / current application No. 17/373,916

'014 claim 1:
1. A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of: storing an entity model for an entity at a threat management facility for an enterprise network, the entity including at least one of an identity and access management system, a domain controller, a physical device, a user, an operating system, or an application associated with the enterprise network, and the entity model characterizing a baseline of expected events based on events from the entity over an historical window as a vector in an event vector space; instrumenting a compute instance associated with the entity to report event vectors based on one or more events from one or more sensors associated with the compute instance; receiving an event stream at the threat management facility, the event stream including a plurality of event vectors from the compute instance; monitoring the event stream and creating the entity model based on a baseline of event vectors for the entity in the event stream over an interval, wherein the interval is algorithmically determined; calculating a risk score for the compute instance based on a distance between the entity model and one or more event vectors in the event stream in the event vector space; and adjusting a policy for the compute instance based on the risk score, the policy including one or more security settings for the compute instance.

Instant claim 1:
1. A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of: storing an entity model for an entity at a threat management facility for an enterprise network, the entity including at least one of an identity and access management system, a domain controller, a physical device, a user, an operating system, or an application associated with the enterprise network, and the entity model characterizing a baseline of expected events based on events from the entity over an historical window as a vector in an event vector space; instrumenting a compute instance associated with the entity to report event vectors based on one or more events from one or more sensors associated with the compute instance; receiving an event stream at the threat management facility, the event stream including a plurality of event vectors from the compute instance; monitoring the event stream and creating the entity model based on a baseline of event vectors for the entity in the event stream over an interval, wherein the interval is algorithmically determined; calculating a risk score for the compute instance based on a distance between the entity model and one or more event vectors in the event stream in the event vector space; and adjusting local monitoring activity on the compute instance to increase a level of local activity monitoring when the risk score indicates a deviation from the baseline.

Instant claims 7 and 8 (listed without a corresponding '014 entry):
7. The computer program product of claim 6, wherein the step of refining the entity model is based on an interval determined from information contained in the additional event vectors.
8. The computer program product of claim 7, wherein refining the entity model is based on a distance in the event vector space between the entity model and one or more of the additional event vectors in the event stream.

'014 claim 2 / Instant claim 2:
2. The computer program product of claim 1 wherein the historical window is algorithmically determined.
2. The computer program product of claim 1, wherein the historical window is algorithmically determined.

'014 claim 4 / Instant claim 3:
4. The computer program product of claim 1 wherein the threat management facility stores a plurality of entity models for a plurality of different entity types within the enterprise network.
3. The computer program product of claim 1, wherein the threat management facility stores a plurality of entity models for a plurality of different entity types within the enterprise network.

'014 claim 5 / Instant claim 4:
5. The computer program product of claim 1 wherein the event stream includes event vectors from a plurality of compute instances associated with the enterprise network.
4. The computer program product of claim 1, wherein the event stream includes event vectors from a plurality of compute instances associated with the enterprise network.

'014 claim 6 / Instant claim 5:
6. The computer program product of claim 1 wherein the event stream includes event vectors from two or more different entities associated with the compute instance.
5. The computer program product of claim 1, wherein the event stream includes event vectors from two or more different entities associated with the compute instance.

'014 claim 7 / Instant claim 6:
7. The computer program product of claim 1 further comprising code that performs the step of refining the entity model based on additional event vectors in the event stream received after the entity model is created.
6. The computer program product of claim 1, further comprising code that performs the step of refining the entity model based on additional event vectors in the event stream received after the entity model is created.

'014 claim 8 / Instant claim 9:
8. The computer program product of claim 1 wherein instrumenting the compute instance includes configuring the compute instance to normalize at least one of the events from at least one of the sensors.
9. The computer program product of claim 1, wherein instrumenting the compute instance includes configuring the compute instance to normalize at least one of the events from at least one of the one or more sensors.

'014 claim 9 / Instant claim 10:
9. The computer program product of claim 1 wherein instrumenting the compute instance includes configuring the compute instance to tokenize at least one of the events from at least one of the sensors.
10. The computer program product of claim 1, wherein instrumenting the compute instance includes configuring the compute instance to tokenize at least one of the events from at least one of the one or more sensors.

'014 claim 10 / Instant claim 11:
10. The computer program product of claim 1 wherein instrumenting the compute instance includes configuring the compute instance to encrypt at least one of the events from at least one of the sensors.
11. The computer program product of claim 1, wherein instrumenting the compute instance includes configuring the compute instance to encrypt at least one of the events from at least one of the one or more sensors.

'014 claim 11 / Instant claim 12:
11. The computer program product of claim 1 wherein instrumenting the compute instance includes prioritizing at least one of the events from at least one of the sensors.
12. The computer program product of claim 1, wherein instrumenting the compute instance includes prioritizing at least one of the events from at least one of the one or more sensors.

'014 claim 12 / Instant claim 13:
12. The computer program product of claim 1 wherein the distance is at least one of a Mahalanobis distance, a Euclidean distance, and a Minkowski distance.
13. The computer program product of claim 1, wherein the distance is at least one of a Mahalanobis distance, a Euclidean distance, and a Minkowski distance.

'014 claim 13 / Instant claim 14:
13. The computer program product of claim 1 wherein the distance is evaluated using a k-nearest neighbor algorithm.
14. The computer program product of claim 1, wherein the distance is evaluated using a k-nearest neighbor algorithm.

'014 claim 14:
14. A method comprising: storing an entity model at a threat management facility for an enterprise network, the entity model characterizing expected events for an entity; instrumenting a compute instance in the enterprise network to detect one or more events and report a number of event vectors including the one or more events to the threat management facility; receiving an event stream of the number of event vectors from the compute instance at the threat management facility; monitoring the event stream and creating the entity model based on a baseline of event vectors for the entity in the event stream over an interval, wherein the interval is algorithmically determined; calculating a risk score for the compute instance based on a comparison of one or more of the event vectors in the event stream with the entity model for the entity; and adjusting a policy for the compute instance based on the risk score.

Instant claim 15:
15. A method, comprising: storing an entity model at a threat management facility for an enterprise network, the entity model characterizing expected events for an entity; instrumenting a compute instance in the enterprise network to detect one or more events and report a number of event vectors including the one or more events to the threat management facility; receiving an event stream of the number of event vectors from the compute instance at the threat management facility; monitoring the event stream and creating the entity model based on a baseline of event vectors for the entity in the event stream over an interval, wherein the interval is algorithmically determined; calculating a risk score for the compute instance based on a comparison of one or more of the event vectors in the event stream with the entity model for the entity; and adjusting local monitoring activity on the compute instance to increase a level of local activity monitoring when the risk score indicates a deviation from the baseline.

'014 claim 18 / Instant claim 18:
18. The method of claim 14 wherein the event stream includes event vectors from a plurality of compute instances associated with the enterprise network.
18. The method of claim 15, wherein the event stream includes event vectors from a plurality of compute instances associated with the enterprise network.

'014 claim 19 / Instant claim 19:
19. The method of claim 14 wherein the event stream includes event vectors from two or more different entities associated with the compute instance.
19. The method of claim 15, wherein the event stream includes event vectors from two or more different entities associated with the compute instance.

'014 claim 20:
20. A system comprising: a compute instance in an enterprise network, the compute instance configured to detect one or more events associated with the compute instance and to report an event vector including the one or more events to a remote resource; and a threat management facility, the threat management facility including a memory storing an entity model characterizing expected events for an entity, and the threat management facility configured to receive an event stream including the event vector, to monitor the event stream, to create the entity model based on a baseline of event vectors for the entity in the event stream over an algorithmically determined interval, to calculate a risk score for the compute instance based on a comparison of the event vector with the entity model, and to adjust a policy for the compute instance based on the risk score.

Instant claim 20:
20. A system, comprising: a compute instance in an enterprise network, the compute instance configured to detect one or more events associated with the compute instance and to report an event vector including the one or more events to a remote resource; and a threat management facility, the threat management facility including a memory storing an entity model characterizing expected events for an entity, and the threat management facility configured to receive an event stream including the event vector, to monitor the event stream, to create the entity model based on a baseline of event vectors for the entity in the event stream over an algorithmically determined interval, to calculate a risk score for the compute instance based on a comparison of the event vector with the entity model, and to adjust local monitoring activity on the compute instance to increase a level of local activity monitoring when the risk score indicates a deviation from the baseline.
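The claims compared above describe a recurring anomaly-scoring pattern: a baseline entity model is built from event vectors collected over a historical window, new event vectors are scored by their distance from that model in the event vector space (a Mahalanobis, Euclidean or Minkowski distance, optionally evaluated with a k-nearest neighbor algorithm), and the score drives a policy change such as raising the level of local monitoring. The Python below is an added illustration of that pattern written for this page. It is not the applicant's code or the patent's embodiment, and it says nothing about how the patented system determines its interval. The three features (interactive logins, new processes, outbound MB), the eight-sample window, the ridge term, the sample events and the threshold rule are all constructed assumptions for the example.

```python
"""Baseline-and-distance risk scoring for event vectors (illustrative example)."""
from math import sqrt
from statistics import mean

# Constructed sample: one event vector per hour for a single compute instance.
# Features: (interactive logins, new processes, outbound MB). Values are made up.
BASELINE_WINDOW = [
    (2, 40, 120), (3, 38, 135), (2, 45, 110), (4, 41, 150),
    (3, 44, 125), (2, 39, 140), (3, 42, 115), (2, 37, 130),
]
NORMAL_EVENT = (3, 43, 128)     # looks like the window
SUSPECT_EVENT = (9, 95, 900)    # many logins, many processes, heavy egress


def invert(m):
    """Gauss-Jordan inverse of a small square matrix (list of lists)."""
    d = len(m)
    a = [row[:] + [1.0 if i == j else 0.0 for j in range(d)]
         for i, row in enumerate(m)]
    for col in range(d):
        pivot = max(range(col, d), key=lambda r: abs(a[r][col]))
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        a[col] = [x / p for x in a[col]]
        for r in range(d):
            if r != col:
                f = a[r][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [row[d:] for row in a]


def build_baseline(vectors, ridge=1e-6):
    """Entity model: mean vector plus inverse sample covariance of the window.

    The ridge added to the diagonal is an assumption that keeps the covariance
    invertible when a feature barely varies inside the window.
    """
    n, d = len(vectors), len(vectors[0])
    mu = [mean(v[i] for v in vectors) for i in range(d)]
    cov = [[sum((v[i] - mu[i]) * (v[j] - mu[j]) for v in vectors) / (n - 1)
            for j in range(d)] for i in range(d)]
    for i in range(d):
        cov[i][i] += ridge
    return mu, invert(cov)


def mahalanobis(x, mu, cov_inv):
    """Distance from x to the model, scaled by the window's covariance."""
    diff = [xi - mi for xi, mi in zip(x, mu)]
    tmp = [sum(cov_inv[i][j] * diff[j] for j in range(len(diff)))
           for i in range(len(diff))]
    return sqrt(max(sum(t * dd for t, dd in zip(tmp, diff)), 0.0))


def minkowski(x, y, p=2):
    """Minkowski distance; p=2 is Euclidean, p=1 is Manhattan."""
    return sum(abs(a - b) ** p for a, b in zip(x, y)) ** (1.0 / p)


def knn_distance(x, window, k=3, p=2):
    """Mean Minkowski distance from x to its k nearest baseline vectors."""
    dists = sorted(minkowski(x, v, p) for v in window)
    return mean(dists[:k])


def risk_score(event, window):
    """Risk score for one event vector against the window's entity model."""
    mu, cov_inv = build_baseline(window)
    return mahalanobis(event, mu, cov_inv)


def threshold_from_window(window, factor=1.5):
    """Deviation threshold: largest in-window distance with some headroom."""
    mu, cov_inv = build_baseline(window)
    return factor * max(mahalanobis(v, mu, cov_inv) for v in window)


def adjust_monitoring(score, threshold):
    """Policy decision: raise local monitoring when the score deviates."""
    return "elevated" if score > threshold else "normal"


if __name__ == "__main__":
    thr = threshold_from_window(BASELINE_WINDOW)
    for label, ev in (("normal", NORMAL_EVENT), ("suspect", SUSPECT_EVENT)):
        s = risk_score(ev, BASELINE_WINDOW)
        print(f"{label}: score={s:.2f} threshold={thr:.2f} "
              f"-> monitoring {adjust_monitoring(s, thr)}")
```

The Mahalanobis distance is used for the score so that a feature with large natural variance (outbound bytes here) does not dominate the way it would under a plain Euclidean distance; knn_distance shows the alternative of scoring against the nearest baseline vectors rather than a single mean, and threshold_from_window derives the deviation threshold from the window itself instead of a hand-picked constant.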


Allowable Subject Matter
12.	Based on the previously allowed parent case 16/383,407, now U.S. Patent No. 11,087,014, and a search of the prior art of record, claims 1-20 of the instant application are allowable over the prior art, provided Applicant files a terminal disclaimer and resolves all other issues and rejections set forth in this Office action.
13.	As allowable subject matter has been indicated, applicant's reply must either comply with all formal requirements or specifically traverse each requirement not complied with.  See 37 CFR 1.111(b) and MPEP § 707.07(a).
14.	Reasons for allowance will be furnished upon allowance.

Pertinent Art 
15.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Ray et al. (US 2016/0173509 A1) disclose a method that eliminates the overlaps and gaps in protection caused by treating viruses and spyware as separate problems, while simplifying administration and minimizing desktop load. The method provides web security and control to detect or block viruses, spyware, malware and unwanted applications and to control web browsing, thus providing comprehensive web access control that enables safe, productive web browsing. The method uses a filter to exclude updates of productivity applications, changes from a trusted user and changes by a trusted installer, thus reducing storage and computational overhead and potentially increasing the sensitivity of malware detection by eliminating signal noise associated with marginally relevant or irrelevant system activity.

Gupta et al. (US 2018/0048668 A1) disclose a medium that determines the risk to the enterprise presented by each network-connected asset in order to develop and maintain an enterprise risk model, which models the risk to the security and integrity of the enterprise presented by each asset and gathers intelligence about risks of security breaches so as to improve the risk profile of the enterprise network until an acceptable level of risk is achieved. The medium compares the relative risk values for a human resources server and for a desktop personal computer that browses the Internet, for the benefit of an administrator or other person responsible for ensuring the safety of the enterprise network, even though the human resources server is already better guarded.

Kashyap (US Patent 8,769,676 B1) discloses a similarity score for an application being evaluated, determined using a computer processor based on a Hamming distance between a bit vector of the requested permission set of the application being evaluated and a bit vector of the requested permission set of the center application of the closest cluster. The score provides an indication of the safety of the application and thus enables the security and safety of an application to be evaluated before paying for, downloading and installing it, to ensure system security.

Conclusion
16.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABIY GETACHEW whose telephone number is (571)272-6932. The examiner can normally be reached Mon.-Fri. 9:00 AM - 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Kambiz Zand, can be reached at (571) 272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





A.G.
September 19, 2022
/ABIY GETACHEW/Primary Examiner, Art Unit 2434