DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. This Office Action is responsive to the communications filed on 25 May 2022. Claims 1-15, 18-19 and 21-23 are pending.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1, 2, 5, 6, 8, 10, 11, 19 and 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over Iyer et al. (Hereinafter, Iyer, US 2016/0306965 A1) in view of Sundaresan et al. (Hereinafter, Sundaresan, US 2016/0112240 A1), and further in view of Hamby (US 2016/0239665 A1).
Per claim 1, Iyer discloses a monitoring device (e.g., entity activity monitoring component 450 as shown in Fig. 4; paragraph [0083], “Entity activity monitoring component 450 may search events from source data 460A-Z to identify activity associated with an entity and may update a risk score when the activity of an entity is anomalous…”) comprising:
at least one processor (e.g., processing device 1002 as shown in Fig. 16; paragraph [0200]);
memory storing computer executable instructions that, when executed by the at least one processor (e.g., main memory 1004 as shown in Fig. 16; paragraph [0199]), cause the at least one processor to perform operations comprising:
receiving, from a state database (e.g., scoring data store 430 as shown in Fig. 4), first state data (e.g., watch list data 432, risk scoring rules 434 and entity risk scoring data 436 as shown in Fig. 4; paragraph [0083]), wherein the first state data includes base data associated with a risk to an organization (paragraph [0074]);
receiving, via at least one network (e.g., network 470 as shown in Fig. 4), an event record (e.g., source data 460A-Z as shown in Fig. 4) from an event-source device (e.g., login events 463, email events 461, etc. as shown in Fig. 4; paragraphs [0090], [0094], [0096], [0104]), wherein the event record includes change data associated with the risk to the organization (paragraph [0083], “Entity activity monitoring component 450 may search events from source data 460A-Z to identify activity associated with an entity and may update a risk score when the activity of an entity is anomalous ...”);
determining risk data, associated with the risk to the organization, based on a combination of the base data (e.g., statistical baseline; paragraph [0078]) and the change data (paragraph [0027]; paragraph [0077], “Baseline module 442 may execute a search query against some or all of the events 461 through 467 to determine a statistical baseline of entity activity.  The statistical baseline may represent the typical or normal activity of an entity or a set of entities over a predetermined duration of time.  In one example, entity activity may be compared to the statistical baseline to identify anomalous entity behavior.  In another example, the baseline may be specific to an entity and may be used to identify a change in a specific entity's behavior.”);
determining, based at least in part on the risk data, a command (e.g., actions) for a controllable computing device (paragraph [0031]; paragraph [0036]; paragraph [0043]; paragraph [0044], “Exemplary GUI 100 may further comprise a "Create risk score modifier" checkbox 145 specifying that the specified risk score modification actions should be performed based on a trigger condition resulting from execution of the search query.”;  paragraph [0051], “Exemplary GUI 100 may further comprise one or more action check-boxes 165A-165C to specify one or more actions to be performed by the system responsive to determining that at least a portion of the dataset produced by executing the specified search query satisfies the specified triggering condition.  The actions may include, for example, sending an e-mail message comprising the risk score modifier value and/or at least part of the dataset that has triggered the risk score modification, creating an RSS feed comprising the risk score modifier value and/or at least part of the dataset that has triggered the risk score modification, and/or executing a shell script having at least one parameter defined based on the score.”; paragraph [0052]; paragraph [0085]); but does not expressly disclose:
the base data is based at least in part on user responses to a set of base questions associated with the risk to the organization; 
determining, by a computational model, and based at least in part on the risk data, a command for a controllable computing device; and
transmitting, via the at least one network, the command to the controllable computing device, wherein the command causes the controllable computing device to perform an action associated with the command,  wherein the computational model is a trained machine learning model.
Sundaresan discloses transmitting, via the at least one network, the command to the controllable computing device, wherein the command causes the controllable computing device to perform an action associated with the command (e.g., block 440 as shown in Fig. 4; paragraph [0067], “… At block 440, processing logic transmits the command to the second network connected device.  The second network-connected device may then execute the command to perform the action.  The second network-connected device may perform the action even though a user may not have an active session to the user account that generated the rule. “ ).  
It would have been obvious for a person of ordinary skill in the art before the effective filing date of the claimed invention to use the flexible rules engine device of Sundaresan in the user activity monitoring device of Iyer for the purpose of including networking capabilities, role-based access control capabilities, remote interface capabilities, remote control capabilities, or related capabilities as suggested by Sundaresan (See paragraph [0001]).
Hamby discloses:
the base data is based at least in part on user responses to a set of base questions associated with the risk to the organization (e.g., Step 411 as shown in Fig. 4; paragraphs [0073-0076]; paragraph [0091], “…In other embodiments, security control server 100 may employ the reasoning engine 230 to automatically generate a questionnaire to submit to the user device 105 regarding the implemented security controls on the covered or insured device 115. In such embodiments, the security control server 100 may then transform the questionnaire responses into individual DLL axioms.”; paragraph [0094]; paragraph [0095], “…For example, the reasoning engine 230 may access the insurance policy 223 in knowledgebase 220 and use the information on the implemented and non-implemented security controls 225 (e.g., user responses to the questionnaire) to determine a list of mitigated and non-mitigated cyber-risks.”; paragraph [0120]; Examiner’s Note: Hamby discloses a knowledgebase 220 based at least in part on user responses to a questionnaire associated with the risk to the organization.);
determining, by a computational model (e.g., Steps 501 to 503 as shown in Fig. 5A; paragraph [0006]; paragraph [0066]; paragraph [0071]; paragraphs [0098-0099]; paragraph [0146]), and based at least in part on the risk data, a command for a controllable computing device (Abstract; paragraph [0008]; paragraph [0064], “Security Control: A security control may be a device, system, software, or other “control” that secures a system from being vulnerable to a specific vulnerability. For example, a security control may be the OWASP SQL injection pattern, which codes SQL calls from web servers in a specific way to prevent hackers from hijacking the SQL call.”; Examiner’s Note: Examiner is broadly and reasonably interpreting “a command for a controllable computing device” to be analogous to the “recommended security control” disclosed in Hamby. Hamby uses a computational model, i.e., programmed heuristics, to recommend a security control relevant to a cyber-liability insurance transaction, see paragraph [0097]); and
wherein the computational model is a trained machine learning model (e.g., Step 505 as shown in Fig. 5A; paragraph [0011], “…The method may further include the step of calculating, at the security control server, a first ranking for each of the recommended security controls using a programmed heuristic. The method may further include the step of calculating, at the security control server, a second ranking for each of the recommended security controls using a machine learning algorithm...”; paragraph [0019]; paragraph [0024]; paragraph [0103], “…In some embodiments, the security control server 100 may employ the security control ranking module 235 of reasoning engine 230 to create a training set of historical cyber liability transactions of similar coverages and rules. This training set may highlight the cyber-insurance policy premium amount based on the coverages and the security controls implemented by the insured with the resulting list of mitigated and non-mitigated risks. The machine learning algorithm may use the median cost of implementing the control for all occurrences in the training set where the control was implemented.”).
It would have been obvious for a person of ordinary skill in the art before the effective filing date of the claimed invention to use the automated and continuous risk assessment device of Hamby in the user activity monitoring device of Iyer and Sundaresan for the purpose of providing the most relevant security controls needed to mitigate security risk and reduce cost to an organization as suggested by Hamby (See paragraph [0008]).
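The claim 1 pipeline, as this rejection maps it onto the references (questionnaire-derived base data per Hamby, a statistical baseline compared against incoming event records per Iyer, a model fitted to past risk data that turns the combined risk data into a command, and transmission of that command to a controllable device that executes it per Sundaresan), is rendered below as an added illustration. It is not code from the application under examination or from any of the cited references; every identifier, question, event record, training example and threshold is constructed for the example. The same block also illustrates the adaptive questionnaire of claim 22 (a follow-up question selected from earlier answers).

```python
"""Constructed illustration of the claim 1 pipeline: base data from questionnaire
responses, change data from an event record measured against a statistical
baseline, combined risk data, a fitted one-parameter model that selects a
command, and a stand-in device that executes it.  Nothing here is code from the
examined application or the cited references."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Callable, Dict, List, Optional, Tuple

# --- base data: questionnaire responses -> mitigated / unmitigated risks ------
# Constructed mapping: question id -> risk category a "yes" answer mitigates.
BASE_QUESTIONS = {"q_mfa": "credential_theft",
                  "q_edr": "malware_execution",
                  "q_egress_filter": "data_exfiltration"}
# Constructed follow-up: asked only when an earlier answer was "no".
FOLLOW_UPS = {("q_mfa", False): "q_password_policy"}

def next_question(responses: Dict[str, bool]) -> Optional[str]:
    """Choose the next base question from the answers given so far."""
    for q in BASE_QUESTIONS:
        if q not in responses:
            return q
    for (q, answer), follow in FOLLOW_UPS.items():
        if responses.get(q) == answer and follow not in responses:
            return follow
    return None

def base_data_from_responses(responses: Dict[str, bool]) -> Dict[str, float]:
    """Base risk per category: 0.0 if the control is reported as implemented,
    1.0 if it is not; an unanswered question counts as unmitigated."""
    return {risk: 0.0 if responses.get(q, False) else 1.0
            for q, risk in BASE_QUESTIONS.items()}

# --- change data: an event record measured against a statistical baseline -----
@dataclass
class EventRecord:
    entity: str
    kind: str    # e.g. "login_failure"
    count: int   # observed count in the record's window

def baseline(history: List[EventRecord], entity: str, kind: str) -> Tuple[float, float]:
    """Mean and population stdev of an entity's past counts for one event kind."""
    counts = [e.count for e in history if e.entity == entity and e.kind == kind]
    if len(counts) < 2:
        return (0.0, 1.0)
    return (mean(counts), pstdev(counts) or 1.0)

def change_data(history: List[EventRecord], event: EventRecord) -> float:
    """Anomaly score: z-score of the new count against the baseline, floored at 0."""
    mu, sigma = baseline(history, event.entity, event.kind)
    return max(0.0, (event.count - mu) / sigma)

# --- risk data: combine base data with change data ----------------------------
EVENT_KIND_TO_RISK = {"login_failure": "credential_theft",
                      "email_sent": "data_exfiltration"}

def risk_data(base: Dict[str, float], history: List[EventRecord], event: EventRecord) -> float:
    """An unmitigated base risk doubles the weight of the anomaly score."""
    weight = 1.0 + base.get(EVENT_KIND_TO_RISK.get(event.kind, "other"), 0.5)
    return round(weight * change_data(history, event), 3)

# --- computational model: a threshold fitted to labelled past risk scores -----
def train_threshold(examples: List[Tuple[float, bool]]) -> float:
    """Pick the cut-off that best separates past scores where action was
    warranted (True) from those where it was not (False)."""
    best_t, best_acc = 0.0, -1
    for t in sorted({score for score, _ in examples}):
        acc = sum((score >= t) == label for score, label in examples)
        if acc > best_acc:
            best_t, best_acc = t, acc
    return best_t

def decide_command(score: float, threshold: float, entity: str) -> Dict[str, str]:
    action = "disable_account" if score >= threshold else "notify"
    return {"action": action, "target": entity}

# --- controllable device: receives the command and performs the action --------
DEVICE: Dict[str, Callable[[str], str]] = {   # constructed directory-server handlers
    "disable_account": lambda who: f"account {who} disabled",
    "notify": lambda who: f"notification sent about {who}",
}

def transmit(command: Dict[str, str], device: Dict[str, Callable[[str], str]]) -> str:
    """Stand-in for the network hop; the device executes the received command."""
    return device[command["action"]](command["target"])

def run_pipeline(responses, history, event, training) -> Tuple[float, str]:
    base = base_data_from_responses(responses)
    score = risk_data(base, history, event)
    return score, transmit(decide_command(score, train_threshold(training), event.entity), DEVICE)

# Constructed sample data: six quiet days for "alice", then one noisy record.
HISTORY = [EventRecord("alice", "login_failure", c) for c in (1, 2, 1, 2, 1, 2)]
RESPONSES = {"q_mfa": False, "q_edr": True, "q_egress_filter": True}
TRAINING = [(0.5, False), (1.2, False), (3.0, True), (6.0, True)]

if __name__ == "__main__":
    print(run_pipeline(RESPONSES, HISTORY, EventRecord("alice", "login_failure", 5), TRAINING))
```

With the constructed data the baseline for alice is mean 1.5 and stdev 0.5, so a record of 5 failures scores 7.0; because the questionnaire reports no MFA, the credential-theft base risk doubles it to 14.0, which clears the fitted threshold of 3.0 and results in a disable command, whereas a record of 2 failures scores only 2.0 and produces a notification.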
Per claim 2, Iyer, Sundaresan, and Hamby disclose the monitoring device according to claim 1, wherein the operations further comprise, in response to the receiving the event record, causing a  user interface to present a representation of at least a portion of the event record (Iyer, e.g., block 550 as shown in Fig. 5; paragraph [0119], “ At block 550, the processing device may provide a graphical user interface (GUI) for displaying the risk score associated with an entity within the subset of entities ...   “).
Per claim 5, Iyer, Sundaresan, and Hamby disclose the monitoring device according to claim 1, wherein the command comprises at least one of: creation of a user account; deletion of a user account; modification of the access privileges of a user account; modification of firewall rules; modification of routing rules; enabling of a device (Sundaresan, paragraph [0064], “At block 420, processing logic determines an action to be performed by the rule. The action may be an action that is to be performed by a second network-connected device. Any type of action may be performed, such as turning on or off the second network-connected device, changing a setting of the second network-connected device, and so on. Additionally, the action may be an immediate action or may be a scheduled future action.”); disabling of a device (Sundaresan, paragraph [0064]); enabling of a device driver; disabling of a device driver; enabling of a port; disabling of a port; installation of an update; presentation by a user interface of a toast, request to login, or another notification; presentation by a user interface of a prompt for yes/no or agree/disagree input, or other selection from a fixed list of choices; presentation by a user interface of a prompt for textual input; downloading of a document file or other file; or requesting authorization for a change to the state database. (Examiner’s Note: Sundaresan discloses at least enabling or disabling of a device.)
Per claim 6, Iyer discloses at least one tangible, non-transitory computer-readable medium (e.g., main memory 1004 as shown in Fig. 16; paragraph [0199]) comprising instructions (paragraph [0037]) executable by at least one processor (e.g., processing device 1002 as shown in Fig. 16; paragraph [0200]) to cause the at least one processor to perform operations comprising:
receiving first state data (e.g., watch list data 432, risk scoring rules 434 and entity risk scoring data 436 as shown in Fig. 4; paragraph [0083]) from a state database (e.g., scoring data store 430 as shown in Fig. 4), wherein the first state data includes base data associated with a risk to an organization (paragraph [0074]);
receiving an event record (e.g., source data 460A-Z as shown in Fig. 4) from an event-source device (e.g., login events 463, email events 461, etc. as shown in Fig. 4; paragraphs [0090], [0094], [0096], [0104]), via at least one network (e.g., network 470 as shown in Fig. 4), wherein the event record includes change data associated with the risk to the organization (paragraph [0083], “Entity activity monitoring component 450 may search events from source data 460A-Z to identify activity associated with an entity and may update a risk score when the activity of an entity is anomalous ...”);
determining risk data, associated with the risk to the organization, based on a combination of the base data (e.g., statistical baseline; paragraph [0078]) and the change data (paragraph [0027]; paragraph [0077], “Baseline module 442 may execute a search query against some or all of the events 461 through 467 to determine a statistical baseline of entity activity.  The statistical baseline may represent the typical or normal activity of an entity or a set of entities over a predetermined duration of time.  In one example, entity activity may be compared to the statistical baseline to identify anomalous entity behavior.  In another example, the baseline may be specific to an entity and may be used to identify a change in a specific entity's behavior.”); but does not expressly disclose:
the base data is based at least in part on user responses to a set of base questions associated with the risk to the organization; 
determining, using a computational model, and based at least in part on the risk data, a command for a controllable computing device; and
causing the controllable computing device to carry out the command.
Sundaresan discloses causing the controllable computing device to carry out the command (e.g., block 440 as shown in Fig. 4; paragraph [0067], “… At block 440, processing logic transmits the command to the second network connected device.  The second network-connected device may then execute the command to perform the action.  The second network-connected device may perform the action even though a user may not have an active session to the user account that generated the rule. “ ).  
It would have been obvious for a person of ordinary skill in the art before the effective filing date of the claimed invention to use the flexible rules engine device of Sundaresan in the user activity monitoring device of Iyer for the purpose of including networking capabilities, role-based access control capabilities, remote interface capabilities, remote control capabilities, or related capabilities as suggested by Sundaresan (See paragraph [0001]).
Hamby discloses:
the base data is based at least in part on user responses to a set of base questions associated with the risk to the organization (e.g., Step 411 as shown in Fig. 4; paragraphs [0073-0076]; paragraph [0091], “…In other embodiments, security control server 100 may employ the reasoning engine 230 to automatically generate a questionnaire to submit to the user device 105 regarding the implemented security controls on the covered or insured device 115. In such embodiments, the security control server 100 may then transform the questionnaire responses into individual DLL axioms.”; paragraph [0094]; paragraph [0095], “…For example, the reasoning engine 230 may access the insurance policy 223 in knowledgebase 220 and use the information on the implemented and non-implemented security controls 225 (e.g., user responses to the questionnaire) to determine a list of mitigated and non-mitigated cyber-risks.”; paragraph [0120]; Examiner’s Note: Hamby discloses a knowledgebase 220 based at least in part on user responses to a questionnaire associated with the risk to the organization.);
determining, using a computational model (e.g., Steps 501 to 503 as shown in Fig. 5A; paragraph [0006]; paragraph [0066]; paragraph [0071]; paragraphs [0098-0099]; paragraph [0146]), and based at least in part on the risk data, a command for a controllable computing device (Abstract; paragraph [0008]; paragraph [0064], “Security Control: A security control may be a device, system, software, or other “control” that secures a system from being vulnerable to a specific vulnerability. For example, a security control may be the OWASP SQL injection pattern, which codes SQL calls from web servers in a specific way to prevent hackers from hijacking the SQL call.”; Examiner’s Note: Examiner is broadly and reasonably interpreting “a command for a controllable computing device” to be analogous to the “recommended security control” disclosed in Hamby. Hamby uses a computational model, i.e., programmed heuristics, to recommend a security control relevant to a cyber-liability insurance transaction, see paragraph [0097]); and
wherein the computational model is a trained machine learning model (e.g., Step 505 as shown in Fig. 5A; paragraph [0011], “…The method may further include the step of calculating, at the security control server, a first ranking for each of the recommended security controls using a programmed heuristic. The method may further include the step of calculating, at the security control server, a second ranking for each of the recommended security controls using a machine learning algorithm...”; paragraph [0019]; paragraph [0024]; paragraph [0103], “…In some embodiments, the security control server 100 may employ the security control ranking module 235 of reasoning engine 230 to create a training set of historical cyber liability transactions of similar coverages and rules. This training set may highlight the cyber-insurance policy premium amount based on the coverages and the security controls implemented by the insured with the resulting list of mitigated and non-mitigated risks. The machine learning algorithm may use the median cost of implementing the control for all occurrences in the training set where the control was implemented.”).
It would have been obvious for a person of ordinary skill in the art before the effective filing date of the claimed invention to use the automated and continuous risk assessment device of Hamby in the user activity monitoring device of Iyer and Sundaresan for the purpose of providing the most relevant security controls needed to mitigate security risk and reduce cost to an organization as suggested by Hamby (See paragraph [0008]).
Per claim 8, Iyer, Sundaresan, and Hamby disclose the at least one tangible, non-transitory computer-readable medium according to claim 6, the operations further comprising:
training the (Hamby, paragraph [0103], “In some embodiments, the security control server 100 may employ the security control ranking module 235 of reasoning engine 230 to create a training set of historical cyber liability transactions of similar coverages and rules. This training set may highlight the cyber-insurance policy premium amount based on the coverages and the security controls implemented by the insured with the resulting list of mitigated and non-mitigated risks. …”; Examiner’s Note: Hamby teaches using past responses as training sets.); and

Per claim 10, Iyer discloses a method (Abstract), comprising: 
storing first state data in a state database (e.g., watch list data 432, risk scoring rules 434 and entity risk scoring data 436 as shown in Fig. 4; paragraph [0074]; paragraph [0083]); and
receiving an event record associated with the organization from a second data source, the event record indicating change data associated with the risk to the organization (e.g., login events 463, email events 461, etc. as shown in Fig. 4; paragraph [0074]; paragraphs [0090], [0094], [0096], [0104]);
Iyer does not expressly disclose:
wherein the first state data is associated with a plurality of organizations;
determining a computational model, wherein the computational model is a machine learning model that is trained based at least in part on the first state data;
storing second state data in the state database, wherein the second state data includes base data associated with a risk to an organization, and the base data is based at least in part on user responses to a set of base questions associated with the risk to the organization;
determining a command, by operating the computational model based at least in part on the second risk data; and
presenting, via a user interface, a representation of the command.
Sundaresan discloses:
presenting, via a user interface, a representation of the command (e.g., output feeds 391 as shown in Fig. 3; paragraph [0036], “…. The remote control application 105 may include a graphical user interface (GUI) that enables users to interact with and control devices 135A-C in an intuitive and user-friendly manner.  A user may interact with the GUI to cause the remote control application to generate notifications, commands, property updates and other messages for the devices represented in the GUI.  “; paragraph [0046]).
It would have been obvious for a person of ordinary skill in the art before the effective filing date of the claimed invention to use the flexible rules engine device of Sundaresan in the user activity monitoring device of Iyer for the purpose of including networking capabilities, role-based access control capabilities, remote interface capabilities, remote control capabilities, or related capabilities as suggested by Sundaresan (See paragraph [0001]).
Hamby discloses:
wherein the first state data is associated with a plurality of organizations (e.g., knowledgebase 220 as shown in Fig. 2; paragraph [0058], “The knowledgebase 220 may contain generic knowledge of cyber threats, vulnerabilities, and security controls that are represented as generic axioms 221. The generic axioms 221 may be from any of a family of Description Logics Languages (DLL). The generic or description logic (DL) axioms may consist or comprise of minimal concept and role axioms that define the structure of cyber threats, cyber risks, cyber vulnerabilities, security controls, and role axioms, each described in turn below.”; paragraph [0069]; paragraph [0092]; Examiner’s Note: Hamby teaches first state data indicating first risk data generic to a plurality of organizations.);
determining a computational model, wherein the computational model is a machine learning model that is trained based at least in part on the first state data (e.g., Step 413 as shown in Fig. 4; paragraph [0095]; paragraph [0103], “Method 500a may further include step 505, which includes calculating a second ranking for each of the recommended security controls using a machine learning algorithm. In some embodiments, the security control server 100 may employ the security control ranking module 235 of reasoning engine 230 to create a training set of historical cyber liability transactions of similar coverages and rules ...”);
storing second state data in the state database, wherein the second state data includes base data associated with a risk to an organization (e.g., step 411 as shown in Fig. 4; paragraph [0071]; paragraph [0094], “Method 400 further includes step 411 of storing the set of policy axioms in a knowledgebase. For example, the security control server 100 may store the policy axioms as an insurance policy 223 with associated security controls 225 in knowledgebase 220.”), and the base data is based at least in part on user responses to a set of base questions associated with the risk to the organization (e.g., Step 411 as shown in Fig. 4; paragraphs [0073-0076]; paragraph [0091], “…In other embodiments, security control server 100 may employ the reasoning engine 230 to automatically generate a questionnaire to submit to the user device 105 regarding the implemented security controls on the covered or insured device 115. In such embodiments, the security control server 100 may then transform the questionnaire responses into individual DLL axioms.”; paragraph [0094]; paragraph [0095], “…For example, the reasoning engine 230 may access the insurance policy 223 in knowledgebase 220 and use the information on the implemented and non-implemented security controls 225 (e.g., user responses to the questionnaire) to determine a list of mitigated and non-mitigated cyber-risks.”; paragraph [0120]; Examiner’s Note: Hamby discloses a knowledgebase 220 based at least in part on user responses to a questionnaire associated with the risk to the organization.); and
determining a command, by operating the computational model based at least in part on the second risk data (Hamby, paragraph [0064], “Security Control: A security control may be a device, system, software, or other “control” that secures a system from being vulnerable to a specific vulnerability. For example, a security control may be the OWASP SQL injection pattern, which codes SQL calls from web servers in a specific way to prevent hackers from hijacking the SQL call.”; Examiner’s Note: Examiner is broadly and reasonably interpreting “a command for a controllable computing device” to be analogous to the “recommended security control” disclosed in Hamby. Hamby uses a computational model, i.e., programmed heuristics, to recommend a security control relevant to a cyber-liability insurance transaction, see paragraph [0097]).
It would have been obvious for a person of ordinary skill in the art before the effective filing date of the claimed invention to use the automated and continuous risk assessment device of Hamby in the user activity monitoring device of Iyer and Sundaresan for the purpose of providing the most relevant security controls needed to mitigate security risk and reduce cost to an organization as suggested by Hamby (See paragraph [0008]).
Per claim 11, Iyer, Sundaresan, and Hamby disclose the method according to claim 10, further comprising 
transmitting the command to a controllable computing device to change operation of the controllable computing device (Sundaresan, e.g., block 535 as shown in Fig. 5; paragraph [0070], “…At block 535, processing logic transmits the commands to the additional network-connected devices and/or to the services. These devices and/or services may then execute the commands to perform the determined actions.”); or
cause the controllable computing device to perform an action associated with the command (e.g., block 440 as shown in Fig. 4; paragraph [0067], “… At block 440, processing logic transmits the command to the second network connected device.  The second network-connected device may then execute the command to perform the action.  The second network-connected device may perform the action even though a user may not have an active session to the user account that generated the rule. “ ).
Per claim 19, Iyer, Sundaresan, and Hamby disclose the method according to claim 10, wherein the command comprises at least one of: creation of a user account; deletion of a user account; modification of the access privileges of a user account; modification of firewall rules; modification of routing rules; enabling of a device (Sundaresan, paragraph [0064], “At block 420, processing logic determines an action to be performed by the rule. The action may be an action that is to be performed by a second network-connected device. Any type of action may be performed, such as turning on or off the second network-connected device, changing a setting of the second network-connected device, and so on. Additionally, the action may be an immediate action or may be a scheduled future action.”); disabling of a device (Sundaresan, paragraph [0064]); enabling of a device driver; disabling of a device driver; enabling of a port; disabling of a port; installation of an update; presentation by a user interface of a toast, request to login, or another notification; presentation by a user interface of a prompt for yes/no or agree/disagree input, or other selection from a fixed list of choices; presentation by a user interface of a prompt for textual input; downloading of a document file or other file; or requesting authorization for a change to the state database. (Examiner’s Note: Sundaresan discloses at least enabling or disabling of a device.)
Per claim 21, Iyer, Sundaresan, and Hamby disclose the monitoring device according to claim 1, wherein the computational model is trained based on a training data set of risk data associated with a plurality of organizations (Hamby, e.g., Step 411 as shown in Fig. 4; paragraphs [0073-0076]; paragraph [0091], “…In other embodiments, security control server 100 may employ the reasoning engine 230 to automatically generate a questionnaire to submit to the user device 105 regarding the implemented security controls on the covered or insured device 115. In such embodiments, the security control server 100 may then transform the questionnaire responses into individual DLL axioms.”; paragraph [0094]; paragraph [0095], “…For example, the reasoning engine 230 may access the insurance policy 223 in knowledgebase 220 and use the information on the implemented and non-implemented security controls 225 (e.g., user responses to the questionnaire) to determine a list of mitigated and non-mitigated cyber-risks.”; paragraph [0120]; Examiner’s Note: Hamby discloses using questionnaire responses as a training data set of risk data associated with a plurality of organizations.).
Per claim 22, Iyer, Sundaresan, and Hamby disclose the monitoring device according to claim 1, wherein at least some base questions in the set of base questions are determined based on the user responses to preceding base questions (Hamby, paragraph [0095], “ … For example, the reasoning engine 230 may access the insurance policy 223 in knowledgebase 220 and use the information on the implemented and non-implemented security controls 225 (e.g., user responses to the questionnaire) to determine a list of mitigated and non-mitigated cyber-risks.  “).
Per claim 23, Iyer, Sundaresan, and Hamby disclose the at least one tangible, non-transitory computer-readable medium according to claim 8, wherein the stored training event records and the respective training response records are indicated by crowdsourced risk data associated with a plurality of organizations (Hamby, e.g., generic axioms 221; paragraph [0069]; Examiner’s Note: Examiner is interpreting the generic axioms 221 to be crowdsourced data.).
Claims 3-4, 7 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Iyer et al. (Hereinafter, Iyer, US 2016/0306965 A1) in view of Sundaresan et al. (Hereinafter, Sundaresan, US 2016/0112240 A1), Hamby (US 2016/0239665 A1), and further in view of Seago et al. (Hereinafter, Seago, US 2014/0129698 A1).
Per claim 3, Iyer, Sundaresan, and Hamby disclose the monitoring device according to claim 1, but do not expressly disclose wherein the operations further comprise:
determining second state data based at least in part on the event record; and
adding the second state data to the state database.
Seago discloses wherein the monitoring device is further configured to:
determining second state data based at least in part on the event record (e.g., block 301 as shown in Fig. 3; paragraph [0031], “…The detection module 201 may detect an event based on event data received from agent 191 or cloud provider system 104.”); and
adding the second state data to the state database (e.g., block 303 as shown in Fig. 3; paragraph [0032], “At block 303, the detection module may record the event data using a predefined format ....”; paragraph [0034], “The detection module 201 may add the event data in the event log 251 in the data store 250 ....”).
It would have been obvious for a person of ordinary skill in the art before the effective filing date of the claimed invention to use the event notification of Seago in the flexible rules engine device of the user activity monitoring device of Iyer, Sundaresan, and Hamby for the purpose of providing fresher and more interesting filters for reducing the amount of time and work dedicated to tracking, logging, and parsing events as suggested by Seago (See paragraph [0002]). 
Per claim 4, Iyer, Sundaresan, Hamby, and Seago disclose the system according to claim 3, wherein the monitoring device is further configured to record an indication of the adding of the second state data in a changelog data store (Seago, block 307 as shown in Fig. 3; paragraph [0036], “At block 307, processing logic provides event data about the detected event to the identified applications ...”).
Per claim 7, Iyer, Sundaresan, and Hamby disclose the at least one tangible, non-transitory computer-readable medium according to claim 6, but do not expressly disclose the operations further comprising:
determining second state data based at least in part on the event record; and
adding the second state data to the state database.
Seago discloses wherein the monitoring device is further configured to:
determining second state data based at least in part on the event record (e.g., block 301 as shown in Fig. 3; paragraph [0031], “…The detection module 201 may detect an event based on event data received from agent 191 or cloud provider system 104.”); and
adding the second state data to the state database (e.g., block 303 as shown in Fig. 3; paragraph [0032], “At block 303, the detection module may record the event data using a predefined format ....”; paragraph [0034], “The detection module 201 may add the event data in the event log 251 in the data store 250 ....”).
It would have been obvious for a person of ordinary skill in the art before the effective filing date of the claimed invention to use the event notification of Seago in the flexible rules engine device of the user activity monitoring device of Iyer, Sundaresan, and Hamby for the purpose of providing fresher and more interesting filters for reducing the amount of time and work dedicated to tracking, logging, and parsing events as suggested by Seago (See paragraph [0002]).
Per claim 18, Iyer, Sundaresan, and Seago disclose the method according to claim 17, further comprising recording an indication of storing At block 307, processing logic provides event data about the detected event to the identified applications ...”).  
Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Iyer et al. (Hereinafter, Iyer, US 2016/0306965 A1) in view of Sundaresan et al. (Hereinafter, Sundaresan, US 2016/0112240 A1), Hamby (US 2016/0239665 A1), and further in view of Wang et al. (Hereinafter, Wang, US 2015/0373043 A1).
Per claim 9, Iyer, Sundaresan, and Hamby disclose the at least one tangible, non-transitory computer-readable medium according to claim 6, the operations further comprising:
presenting a representation of at least a portion of the command via a user interface (Sundaresan, paragraph [0036], “…The remote control application 105 may include a graphical user interface (GUI) that enables users to interact with and control devices 135A-C in an intuitive and user-friendly manner. A user may interact with the GUI to cause the remote control application to generate notifications, commands, property updates and other messages for the devices represented in the GUI.”); but do not expressly disclose:
receiving, via the user interface, a response record associated with the command and a score record associated with the command; and
determining a second computational model based at least in part on the command, the response record, and the score record.
Wang discloses the operations further comprising:
receiving, via the user interface, a response record associated with the command and a score record (e.g., risk modeling score) associated with the command (e.g., Step 440 as shown in Fig. 4; paragraph [0059]; paragraph [0082], “The data analysis engine 220 receives the network sensor data (the metadata and/or the other items of interest) from the network sensor engine 200 at operation 440. It should be understood that the data analysis engine 220 may receive network sensor data from multiple network sensor engines and the data may be repeatedly and periodically received.”; paragraph [0083], “…The results of training the local model(s) may be displayed in a user interface such as a dashboard for the customer ….”; Examiner’s Note: Wang teaches items of interest such as a response record associated with the command and a score record (e.g., risk modeling score) associated with the command that train local models during operation 445 as shown in Fig. 4); and
determining a second computational model based at least in part on the command, the response record, and the score record (e.g., Operation 480 as shown in Fig. 4; paragraph [0091], “Flow moves from operation 475 to operation 480 where the centralized controller 240 trains one or more global models using at least the data received from the data analysis engines of multiple customers. An example of a global model includes a combination of features that are included in multiple local models ….”; Examiner’s Note: Wang uses the data received from the data analysis engines of multiple customers to determine a second computational model.).
It would have been obvious for a person of ordinary skill in the art before the effective filing date of the claimed invention to use the collaborative and adaptive threat intelligence of Wang with the user activity monitoring device of Iyer, Sundaresan, and Hamby for the purpose of providing better detection of computer security threats as suggested by Wang (See paragraph [0005]).
Claims 13 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Iyer et al. (Hereinafter, Iyer, US 2016/0306965 A1) in view of Sundaresan et al. (Hereinafter, Sundaresan, US 2016/0112240 A1), Hamby (US 2016/0239665 A1), Wang et al. (Hereinafter, Wang, US 2015/0373043 A1), and further in view of Ayyagari et al. (Hereinafter, Ayyagari, US 2014/0380485 A1).
Per claim 13, Iyer and Sundaresan disclose the method according to claim 10, further comprising
determining the computational model at least partly by: determining, based at least in part on the first state data, one or more training event records and respective training response records (Sundaresan, paragraph [0063], “…At block 415, processing logic determines whether the event on the first network-connected device satisfies a criterion of the rule. If the criterion is satisfied by the event, the method continues to block 420. Otherwise the method ends.”), wherein the respective training response records indicate actions (Sundaresan, e.g., Block 420 as shown in Fig. 4; paragraph [0064], “At block 420, processing logic determines an action to be performed by the rule. The action may be an action that is to be performed by a second network-connected device. Any type of action may be performed, such as turning on or off the second network-connected device, changing a setting of the second network-connected device, and so on. Additionally, the action may be an immediate action or may be a scheduled future action.”); wherein:
the computational model is configured to receive as input at least a portion of the event record (Sundaresan, paragraph [0063], “At block 410, processing logic identifies a rule for which the event is an input. The rule may be set up such that the first network-connected device is an input feed for the rule. When events are reported by the first network-connected device, processing logic compares those events to a criterion (or multiple criteria) of the rule…”; Examiner’s Note: Examiner is broadly and reasonably interpreting the rules described by Sundaresan to be computational models.); and
the computational model is configured to output the command, the command indicating an action of the plurality of actions (e.g., Block 435 as shown in Fig. 4; paragraph [0067]).
Sundaresan does not expressly disclose:
receiving one or more training score records associated with respective training event records of the one or more training event records; and
mathematically optimizing at least one parameter with respect to a cost function based at least in part on the training event records, the training response records, and the training score records to determine the computational model.
Wang discloses:
receiving one or more training score records associated with respective training event records of the one or more training event records (e.g., Step 440 as shown in Fig. 4; paragraph [0059]; paragraph [0082], “The data analysis engine 220 receives the network sensor data (the metadata and/or the other items of interest) from the network sensor engine 200 at operation 440. It should be understood that the data analysis engine 220 may receive network sensor data from multiple network sensor engines and the data may be repeatedly and periodically received.”; paragraph [0083], “…The results of training the local model(s) may be displayed in a user interface such as a dashboard for the customer ….”; Examiner’s Note: Wang teaches items of interest such as a response record associated with the command and a score record (e.g., risk modeling score) associated with the command that train local models during operation 445 as shown in Fig. 4); and
the training score records to determine the computational model (e.g., Operation 480 as shown in Fig. 4; paragraph [0091], “Flow moves from operation 475 to operation 480 where the centralized controller 240 trains one or more global models using at least the data received from the data analysis engines of multiple customers. An example of a global model includes a combination of features that are included in multiple local models ….”; Examiner’s Note: Wang uses the data received from the data analysis engines of multiple customers to determine a second computational model.).
It would have been obvious for a person of ordinary skill in the art before the effective filing date of the claimed invention to use the collaborative and adaptive threat intelligence of Wang with the user activity monitoring device of Iyer, Sundaresan, and Hamby for the purpose of providing better detection of computer security threats as suggested by Wang (See paragraph [0005]).
Ayyagari discloses mathematically optimizing at least one parameter with respect to a cost function based at least in part on the training event records (Abstract, “…The method also includes defining a cost function for a cyber-security threat to traverse each link and defining a requirements function for a cyber-security threat to exploit each node ….”; paragraph [0005]; paragraph [0044]; paragraph [0047]; Examiner’s Note: Ayyagari has a method for analyzing cyber security threats (abstract) and discloses parameters with respect to a cost function.).
It would have been obvious for a person of ordinary skill in the art before the effective filing date of the claimed invention to use the methods and systems of Ayyagari with the user activity monitoring device of Iyer, Sundaresan, Hamby, and Wang for the purpose of limiting the traversal of threats as suggested by Ayyagari (See paragraph [0044]).
Per claim 14, Iyer, Sundaresan, Hamby, Wang, and Ayyagari disclose the method according to claim 13, further comprising:
operating the computational model based at least in part on at least some of the second state data to provide an event prediction (Wang, paragraph [0049], “Predictive analytics comprises statistical modeling, machine learning and/or data mining for analyzing current and/or historical events in order to formulate determinations as to certain network devices, users, and/or services within an enterprise network are compromised. For instance, data analysis engine 220 may analyze how certain events along with subsequent detected events may increase or decrease the likelihood of one or more of the endpoint devices being compromised and infected with malware.”); and
presenting, via the user interface, a representation of the event prediction (Wang, paragraph [0048], “The ad hoc analytics includes generation of a search display that enables network security personnel to conduct a keyword search to determine if a particular indicator of compromise (IOC) has already been received and processed by an endpoint device.”; paragraph [0083], “…The results of training the local model(s) may be displayed in a user interface such as a dashboard for the customer …”).
Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Iyer et al. (Hereinafter, Iyer, US 2016/0306965 A1) in view of Sundaresan et al. (Hereinafter, Sundaresan, US 2016/0112240 A1), Hamby (US 2016/0239665 A1), and further in view of Fulker et al. (Hereinafter, Fulker, US 2010/0245107 A1).
Per claim 12, Iyer, Sundaresan, and Hamby disclose the method according to claim 10, but do not expressly disclose the method as further comprising:
transmitting, via a network to the user interface, a prompt; and
receiving the event record from the user interface after transmitting the prompt, wherein the user interface is associated with the organization.
Fulker is in the field of integrated security systems (Abstract) and discloses:
transmitting, via a network to the user interface (paragraphs [0354-0358], “…the first time the customer uses the web portal to Arm/Disarm system the web interface prompts the customer for the user code, which is then stored securely on the server”), a prompt (paragraphs [0353-0358], where the Installer returns to the web interface and is prompted to automatically set up cameras; after waiting for completion, the cameras are provisioned and operational); and
receiving the event record from the user interface after transmitting the prompt (paragraph [0356], “Installer instructs customer how to change Simon XT user code from the keypad. Customer changes user code and stores in SimonXT.”), the user interface associated with the second data source (paragraph [0357], “The first time the customer uses the web portal to Arm/Disarm system the web interface prompts the customer for the user code, which is then stored securely on the server. In the event the user code is changed on the panel the web interface once again prompts the customer.”). Examiner’s Note: First-time use generates an event record that prompts the user for a user code at the interface.
It would have been obvious for a person of ordinary skill in the art before the effective filing date of the claimed invention to use the cross-client sensor user interface of Fulker with the user activity monitoring device of Iyer, Sundaresan, and Hamby for the purpose of easily interfacing to and controlling existing proprietary security technologies utilizing a variety of wireless technologies as suggested by Fulker (paragraph [0015]).
Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Iyer et al. (Hereinafter, Iyer, US 2016/0306965 A1) in view of Sundaresan et al. (Hereinafter, Sundaresan, US 2016/0112240 A1), Hamby (US 2016/0239665 A1), and further in view of Anderson et al. (Hereinafter, Anderson, US 2006/0041936 A1).
Per claim 15, Iyer, Sundaresan, and Hamby disclose the model as disclosed above and the method according to claim 10, but do not expressly disclose the method as further comprising, after presenting the representation of the command:
receiving, via the user interface, a response record associated with the command and a score record associated with the command;
determining a second computational model based at least in part on less than all of the first state data, the command, the response record, and the score record;
receiving, via a network, a second event record associated with the organization;
determining a second command, by operating the second computational model based at least in part on the second event record; and
presenting, via the user interface, a second representation of the second command.
Anderson has a graphical representation of a firewall (Abstract) and discloses, after presenting the representation of the command:
receiving, via the user interface (paragraph [0041], “…queries the user to input the missing network information (step 408). If the configuration file 304 contains all of this network information or after the user enters the missing network information…”), a response record associated with the command and a score record associated with the command (paragraph [0041], “…determines if the configuration file 304 indicates a numerical security level of each zone…”; Examiner’s Note: the numerical security level is the score record.);
determining a second computational model based at least in part on less than all of the first state data, the command, the response record, and the score record (paragraph [0041], “…determines if the configuration file 304 indicates a numerical security level of each zone (decision 410). If not, then program function 112 queries the user to input the numerical Security level of each Zone, preferably the numerical value on a Scale of one to one hundred ...”; Examiner’s Note: computation is based on the value of the security level);
receiving, via a network, a second event record associated with the organization;
determining a second command, by operating the second computational model based at least in part on the second event record (paragraph [0041], “…gathers Zone/network information needed to determine data flows, vulnerabilities and misconfigurations within firewall … and using stored information and configuration file and prompting the user for missing information and”; paragraph [0042], “…reads data flow rules from the configuration file 304. Then, program function 120 selects one of the firewall interfaces to begin a data flow rule checking to correlate to each interface, the rules that apply to the interface … Assuming there is still an interface yet to be analyzed for Firewall …”; Figure 4 illustrates operating the second computational model based at least in part on the second event record to provide a second command, i.e., request input from the user, elements 408 and 412); and
presenting, via the user interface, a second representation of the second command (paragraph [0041], “…program function 112 queries the user to input the network information and then the numerical Security level of each zone ...”).
It would have been obvious for a person of ordinary skill in the art before the effective filing date of the claimed invention to use the graphical presentation of Anderson with the user activity monitoring device of Iyer and Sundaresan for the purpose of correlating the firewall interface with the rules for the firewall as suggested by Anderson (paragraph [0042]).
Response to Arguments
Applicant’s arguments, see Remarks, filed 25 May 2022, with respect to the rejection of claims 1-15, 18-19 and 21-23 under 35 U.S.C. 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Hamby (US 2016/0239665 A1).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DARRIN HOPE whose telephone number is (571)270-5079. The examiner can normally be reached Mon-Thr - 7-4:30, Fri - 7-3:30, Alt. Fri Off.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kieu D Vu can be reached on (571)272-4057. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

DARRIN HOPE
Examiner
Art Unit 2173
/TADESSE HAILU/Primary Examiner, Art Unit 2173