DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

	Claims 1-18 as submitted on 8/6/21 were considered.

Information Disclosure Statement
	The IDS submitted on 10/25/21 and 11/12/21 were considered.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1-18 is/are rejected under 35 U.S.C. 102(a)(1) and (a)(2) as being anticipated by Muddu et al (US 2017/0063900).

Claims 1 and 7:
	As per claim 1, Muddu discloses:
a computing device (abstract; paragraphs 139, 346, 742, and 743; Networked computer system having security system to detect anomalies and threats on the network.  Any of the computing device in the network can be considered the claimed computing device);
a network in communication with the computer device (abstract; paragraphs 139, 346, 742, and 743);
a baseline generation and monitoring system in communication with the network (abstract; paragraphs 346 and 348; Baseline and historical data generated so anomalies can be detected based on the baseline and historical data);
a correlation and alert generator in communication with the network (abstract; paragraphs 140, 145, 164-169, 171, and 385; Fig 34; Correlate a subset of threat indicator data against a plurality of pre-defined security scenarios to detect and expose security threats via threat alert, i.e. as discussed in paragraph 171); and
a memory storing instructions that when executed (paragraph 743), cause the baseline generation and monitoring system to:
identify an employee of the enterprise that represents an elevated risk of contributing to the potential security breach where the computing device is associated with the employee (paragraphs 163, 346-348, 398, 401-401 and 443; Employee monitored for anomalous behavior and potential instances of network compromise.  Security threats are identified);
develop a plurality of use cases based on the identified employee by using a cyber-attack methodology (paragraphs 136, 138, 352-353, and 363; Processing event data according to a plurality of (threat indicator) models, i.e. use cases, to detect anomalies);
store a list of predetermined behaviors corresponding to the plurality of use cases that are indicative of the potential security breach (paragraph 348, 352, and Fig 23, item 2304; Anomaly data generated is equivalent to the claimed list.  In cited paragraph 352, the anomaly data is stored in a data structure and in cited Fig 23, it is passed onto a threat indicator identification process);
determine a baseline of the computing device behaviors (paragraphs 145, 182-183, and 349; Machine learning means baseline and historical data are formed/determined so that anomalies can be detected.  Paragraphs 182-183 also explicitly discuss baselines of various computing entities being determined);
monitor the computing device associated with the identified employee for occurrence of a behavior that exceeds the baseline (paragraphs 182, 346-347; Compare behavior to baselines to determine if activities are anomalous);
monitor the behavior of the computing device for an occurrence of a second behavior that is related to the first behavior (paragraphs 346, 350, and 388-391; Actual behavior is monitored with respect to anomalous behavior as well as projected behavior.  The actual behavior can be considered the claimed second behavior while anomalous or projected behavior can be considered the claimed first behavior.  Alternatively, it should be noted that anomalies are detected by correlation using different model types and a threat indicator is identified by processing the output from an anomaly model of a first type with an anomaly of the second type); and
generate an alert using the correlation and alert generator if both the first behavior and second behavior occurs (paragraphs 149, 171, 335, 346, and 388-391; Alert generated if actual behavior determined to be anomalous via correlation and first and second anomalies are identified).

The rejection of claim 1 applies, mutatis mutandis, to claim 7.

Claim 14:
	Muddu discloses:
identifying an employee of the enterprise that represents an elevated risk of contributing to the potential security breach (paragraphs 163, 346-348, 398, 401-401 and 443; Employee monitored for anomalous behavior and potential instances of network compromise.  Security threats are identified);
providing a list of predetermined behaviors indicative of the potential security breach (paragraph 348, 352, and Fig 23, item 2304; Anomaly data generated is equivalent to the claimed list.  In cited paragraph 352, the anomaly data is stored in a data structure and in cited Fig 23, it is passed onto a threat indicator identification process);
storing network activity of the employee in an event log (paragraphs 346 and 443; Historical data logged);
determining a baseline for each of the behaviors in the list, the predetermined behavior including at least one of: email activity, process activity, installations, register modifications, new proxy connections, new user agents, new user connections, new source authorizations, new attempted accesses, or new outbound data connections (paragraphs 182, 346, 441-443, and 611; Behavioral baselines of various entities are determined based on watch lists, event data generated from network activities including log-ins, email traffic, uploads, delete, data from API, change events, etc.);
generating a whitelist of network activities from the network activity (paragraphs 349, 564, 611, and 668; Baseline and dynamic whitelist created); 
developing use cases based on cyber-attack methodology (paragraphs 136, 138, 352-353, and 363; Processing event data according to a plurality of (threat indicator) models, i.e. use cases, to detect anomalies); 
monitoring the network activity (abstract and paragraphs 182, 349-350);
detecting a first network activity that is not included on the whitelist of activities (paragraphs 350, 611, and 646; Detect anomaly, i.e. activities outside of observed baseline and historical data of acceptable activities.  Whitelist also used to determine whether traffic is benign);
comparing the detected activity to the use cases (paragraphs 346, 350-351, and 368; Compare event data to anomaly models, i.e. use cases);
when the detected first network activity satisfies a use case, monitoring the network activity for a second activity that satisfies a second use case that is related to the first use case (paragraphs 346, 350-352, and 388-391; Actual behavior is monitored with respect to anomalous behavior as well as projected behavior.  The actual behavior can be considered the claimed second behavior while anomalous or projected behavior can be considered the claimed first behavior.  Alternatively, it should be noted that anomalies are detected by correlation using different model types and a threat indicator is identified by processing the output from an anomaly model of a first type with an anomaly of the second type); and
generating an alert if network activity compares to at least one second use
case (paragraphs 149, 171, 335, 346, and 388-391; Alert generated if actual behavior determined to be anomalous via correlation and first and second anomalies are identified).


Claims 2, 12, and 15:
	As per claim 2, Muddu further discloses wherein the baseline of user activity is determined for at least one of: email activity, process activity, installations, register modifications, new proxy connections, new user agents, new user connections, new source authorizations, new attempted accesses, or new outbound data connections (paragraph 442-443, 447 and Fig 47G).
The rejection of claim 2 applies, mutatis mutandis, to claims 12 and 15.

Claim 3:
	Muddu further discloses an event log which stores a history of computing device activity (paragraphs 346 and 443; Event data stored).

Claim 8:
	Muddu further discloses storing network activity associated with the employee in an event log (paragraphs 346 and 443; Event data, such as when a user logs in, are stored).

Claims 4, 9, and 16-17:
	As per claim 4, Muddu further discloses instructions that when executed, cause the baseline generation and monitoring system to:
normalize the computing device activity stored in the event log (Fig 54A; paragraphs274, 524, and 540; Raw data is normalized); and
generate a whitelist of activities from the normalized computing device activity (paragraphs 540-541 and 611; Baseline and dynamic white list created).

The rejection of claim 4 applies, mutatis mutandis, to claims 9 and 16-17.

Claim 10:
	Muddu further discloses wherein the step of monitoring network activity associated with the employee for occurrence of any of the behaviors comprises;
monitoring the network activity (abstract); and
detecting an activity related to behaviors indicative of the potential security breach that is not included on the whitelist of activities (paragraphs 540, 541, and 611; Increased activity to site xyz.com, which is not on the list of benign entities, is detected and flagged as a possible security risk/anomaly/breach).


Claims 5, 11, and 18:
	As per claim 5, Muddu further discloses instructions that cause the baseline generation and monitoring system to:
analyze a data feed comprising asset inventory information to identify new assets (Fig 47G and paragraphs 563 and 611; New identified nodes added to graph); and
add activities related to deploying these new assets to the whitelist of activities (paragraph 611; Dynamic white list has a new site added if the new site is determined to be benign).

The rejection of claim 5 applies, mutatis mutandis, to claims 11 and 18.

Claims 6 and 13:
	Muddu further discloses wherein the baseline of user activity is determined for at least one of: email activity, process activity, installations, register modifications, new proxy connections, new user agents, new user connections, new source authorizations, new attempted accesses, or new outbound data connections (paragraphs 184-189, 441-443 and 611; Event data generated from various network activities such as log-ins, email traffic, upload, delete, various user activities, data from API, change events, etc.  Baseline profiles can be crated and continually updated to include the newly observed event data).


Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1-18 rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-18 of U.S. Patent No. 11,122,066. 
Although the claims at issue are not identical, they are not patentably distinct from each other because claims 1-18 of the ‘066 patent anticipate claims 1-18 respectively of the present application.  The only difference between the claims of the ‘066 patent and the claims of the present application is that claims 1, 7, and 18 of the ‘066 patent additionally recite: “the employee pool including a plurality of enterprise employee” and “the cyber-attack methodology relating to a sequence of actions that are completed to prepare for a cyber-attack and to execute the cyber-attack”.
However, official notice is taken that employee pools having a plurality of enterprise employee was well known in the art before the effective filing date of applicant’s claimed invention.  Most businesses having an employee pool typically have more than one employee.  Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to modify the invention as set forth in the claims of the present invention so that employee pools have a plurality of enterprise employee.  One skilled would have been motivated to do so to ensure that there is enough employees to do all the work needed to run an enterprise business having a lot of work.
Further, official notice is also taken that running drills/training of attacks such that actions are completed to prepare for an attack and to execute an attack was well known in the art before the date of applicant’s claimed invention.  For examples, many businesses (including the USPTO) run yearly cyber security training so that employees can identify cyber threats and what to do when a threat is encountered.  It would have been obvious to one of ordinary skill in the art to modify the claims of the present invention to include the limitation: “the cyber-attack methodology relating to a sequence of actions that are completed to prepare for a cyber-attack and to execute the cyber-attack”.  One of ordinary skill would have been motivated to do so as it would ensure employees know what to do in case an actual cyber attack occurred.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PONNOREAY PICH whose telephone number is (571)272-7962. The examiner can normally be reached M-F 9am-5pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/PONNOREAY PICH/Primary Examiner, Art Unit 2495