DETAILED ACTION
This office action is in reply to applicant communication filed on July 12, 2022.
 
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on July 12, 2022.

Claims 2, 5, 7, 10-11, and 14-15 have been cancelled.

Claims 1, 3-4, 6, 8-9, 12-13, and 16-17 have been amended.

Claims 18-27 have been added.

Claims 1, 3-4, 6, 8-9, 12-13, and 16-27 are pending.

Response to Argument
Applicant’s arguments filed on July 12, 2022 with respect to the 35 USC 103 rejection of claims 1, 3, and 4 have been fully considered but are moot in view of new ground(s) of rejection using previously cited prior art.

Applicant’s arguments filed on July 12, 2022 with respect to the 35 USC 103 rejection of claims 6, 8, and 9 have been fully considered but are moot in view of new ground(s) of rejection using the newly discovered art to Gopalakrishna (US Pub. No. 2018/0198821).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 3-4, 12-13, and 16-21 are rejected under 35 U.S.C. 103 as being unpatentable over Singh (US Pub. No. 2017/0223046) in view of Moynahan (US Pub. No. 2018/0332066).

As per claim 1, Singh discloses:
A method comprising: identifying a change to a first portion of a system, wherein the first portion of the system has a vulnerability: (paragraph 599 of Singh, the correlation process 3700 may further identify a memory event 3702b—specifically, the starting of a process that generated data—that occurred when the server started running out of memory).
Obtaining user activity data comprising data of user actions initiated by a user, wherein the user actions are performed by the user with respect to the system; (paragraph 594 of Singh, the high-interaction network 3616 may collect web-based network protocol activity, other network protocol activity, file activity log files, memory snapshots, and/or records of lateral movement within the high-interaction network 3616)  and (paragraph 595 of Singh, an analytic engine may receive, for a given incident, data 3724, 3728, 3726, 3730 of various types. In this example, the data includes network activity 3724, log files 3728, file activity 3726, and memory snapshots 3730).
Based on analyzing correlations between the user activity data and system change data, (paragraph 599 of Singh, the correlation process 3700 may look at memory snapshots 3730 of a crashed server. The correlation process 3700 may find that, between one snapshot and another, the crashed server suddenly ran out of memory, an event that occurred after the malware file was downloaded. The correlation process 3700 may further identify a memory event 3702b—specifically, the starting of a process that generated data—that occurred when the server started running out of memory) correlating a first user action identified in the user activity data with the change to the first portion of the system, (paragraph 601 of Singh, to determine how the malware file came to be on the network, the correlation process 3700, in this example, may generate a digital signature for the malware file, as an identifier for the file. The correlation process 3700 may next search log file 3728 data for the digital signature, and find a web event 3702c, here showing that the malware file was downloaded from a particular website. The website by itself may generally be safe, and the log file 3728 data may show many events 3738 related to the website. Thus, the correlation process 3700, in this example, may next search the log files for events related to both the website and the malware file. This search may locate a user event 3702d, here showing that a particular user visited the website and caused the malware file to be downloaded).
Wherein the change occurred after the first user action, and wherein the system change data comprise data collected from the system that indicate changes to the system; and determining, based on the correlation between the first user action and the change to the first portion of the system, that the first user action caused the vulnerability. (Paragraph 599 of Singh, the correlation process 3700 may further identify a memory event 3702b—specifically, the starting of a process that generated data—that occurred when the server started running out of memory) and (paragraph 601 of Singh, to determine how the malware file came to be on the network, the correlation process 3700, in this example, may generate a digital signature for the malware file, as an identifier for the file. The correlation process 3700 may next search log file 3728 data for the digital signature, and find a web event 3702c, here showing that the malware file was downloaded from a particular website. The website by itself may generally be safe, and the log file 3728 data may show many events 3738 related to the website. Thus, the correlation process 3700, in this example, may next search the log files for events related to both the website and the malware file. This search may locate a user event 3702d, here showing that a particular user visited the website and caused the malware file to be downloaded).
Singh teaches the method of having user activity (paragraph 595 of Singh) but fails to disclose:
The user actions corresponding to discrete events initiated by a user.
However, in the same field of endeavor, Moynahan teaches this limitation as follows (paragraph 26 of Moynahan, in various embodiments, a physical or cyber behavior element may include one or more user behavior activities. In various embodiments, a user behavior activity may be enriched by context about the object upon which the activity is acted. A physical or cyber behavior activity, as used herein, broadly refers to one or more discrete actions performed by a user, such as user `A` 202 or `B` 262, to enact a corresponding physical or cyber behavior element. In various embodiments, such physical or cyber behavior activities may include the use of user authentication factors 204, user behavior factors 212, or a combination thereof, in the enactment of a user's physical or cyber behavior).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Singh and include the above limitation using the teaching of Moynahan in order to build user behavior and detect malicious user activity to secure the computing system.

Claims 3 and 4 are rejected for the same reason set forth in the rejection of claim 1.

As per claim 12, Singh in view of Moynahan discloses:
The method of claim 1, further comprising: determining the user that caused the vulnerability, wherein the user that caused the vulnerability is the user that initiated the first user action. (paragraph 601 of Singh, the correlation process 3700, in this example, may next search the log files for events related to both the website and the malware file. This search may locate a user event 3702d, here showing that a particular user visited the website and caused the malware file to be downloaded).

Claim 16 is rejected for the same reason set forth in the rejection of claim 12.

As per claim 13, Singh in view of Moynahan discloses:
The method of claim 1, further comprising: determining a time period during which the vulnerability affected the first portion of the system based on a time of the first user action and a time of detection of the vulnerability. (Paragraph 609 of Singh, an incident report may include an incident identifier 3802. The incident identifier 3802 may be a time and/or date stamp, and/or a string (e.g. “michaelangelo”) that can be used to identify and/or describe the attack). 

Claims 17 and 19 are rejected for the same reason set forth in the rejection of claim 13.
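The correlation method recited in claims 1, 12 and 13 (a discrete user action on a portion of the system, a later change to that portion, attribution of the vulnerability to the user who initiated the action, and the exposure period from the action to detection) is illustrated below as an added example. The code is not taken from the application, the office action, or any of the cited publications; the event records, field names and the one-hour correlation window are constructed assumptions.

```python
"""Correlate user activity data with system change data to attribute a vulnerability.
Added illustration of the claimed method; all records and names are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional


@dataclass(frozen=True)
class UserAction:
    user: str
    action: str       # a discrete event initiated by the user, e.g. "download"
    target: str       # the portion of the system the action was performed on
    time: datetime


@dataclass(frozen=True)
class SystemChange:
    portion: str      # the portion of the system that changed
    change: str       # what the collected system data says changed
    time: datetime


@dataclass(frozen=True)
class Attribution:
    user: str                 # the user determined to have caused the vulnerability
    action: UserAction        # the first user action correlated with the change
    change: SystemChange      # the change to the vulnerable portion
    exposure: timedelta       # time the vulnerability affected the portion (action -> detection)


def attribute_vulnerability(vuln_portion: str, detected_at: datetime,
                            actions: Iterable[UserAction], changes: Iterable[SystemChange],
                            window: timedelta = timedelta(hours=1)) -> Optional[Attribution]:
    """Walk changes to the vulnerable portion in time order and, for each, look for user
    actions on the same portion that strictly precede it within `window`. The latest such
    action is taken as the cause; the exposure period runs from that action to detection."""
    relevant = sorted((c for c in changes if c.portion == vuln_portion and c.time <= detected_at),
                      key=lambda c: c.time)
    for change in relevant:
        candidates = [a for a in actions
                      if a.target == change.portion and a.time < change.time
                      and change.time - a.time <= window]
        if candidates:
            cause = max(candidates, key=lambda a: a.time)
            return Attribution(cause.user, cause, change, detected_at - cause.time)
    return None


def demo() -> Optional[Attribution]:
    """Constructed sample data: bob's download precedes the change by five minutes;
    carol's edit comes after the change and must not be blamed."""
    t = lambda h, m: datetime(2022, 7, 12, h, m)  # constructed date, same for all records
    actions = [UserAction("alice", "login", "auth-service", t(8, 30)),
               UserAction("bob", "download", "web-server", t(9, 10)),
               UserAction("carol", "edit", "web-server", t(12, 0))]
    changes = [SystemChange("web-server", "new executable written to /tmp", t(9, 15)),
               SystemChange("db", "schema migration", t(9, 40))]
    return attribute_vulnerability("web-server", t(11, 0), actions, changes)
```

The window bounds how far back the search looks, so an old action on the same portion is not blamed for an unrelated change; tune it to the retention and granularity of the collected change data.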

As per claim 18, Singh in view of Moynahan discloses:
The method of claim 1 further comprising detecting the vulnerability based on scanning the system for vulnerabilities. (Paragraph 616 of Singh, The firewall 3964 generally controls what network traffic can come into and go out of the customer network 3902. The customer network 3902 in this example includes additional network security tools 3930, 3932, such as anti-virus scanners, IPS, IDS, and others). 

Claims 20 and 21 are rejected for the same reason set forth in the rejection of claim 18.

Claims 6, 8-9, 22, 25, and 27 are rejected under 35 U.S.C. 103 as being unpatentable over Gopalakrishna (US Pub. No. 2018/0198821) in view of Schmugar (US Pub. No. 2020/0314126).

As per claim 6, Gopalakrishna discloses:
A method comprising: detecting an attempt by a user to perform a first user action in the predefined set of user actions: (paragraph 249 of Gopalakrishna, the process executing on the node 1280 can look for unknown or unidentifiable processes, files or directories with unusual names, user accounts for nonexistent users, changes to memory or files that should not occur, and so on).
Taking a first snapshot of a portion of the system while the first user action is delayed; (paragraph 247 of Gopalakrishna, a process executing on the node 1280 can use snapshots 1286 of the system to locate and identify the malware program's 1290 marker 1260. For example, the process can identify a “before” snapshot 1282, that is, a snapshot taken before the malware program 1290 infected the node 1280).
Allowing the first user action to proceed; and taking a second snapshot of the portion of the system after the first user action occurs. (Paragraph 247 of Gopalakrishna, the process can further identify an “after” snapshot 1284, that is, a snapshot taken after the malware infection started. In various implementations, the after snapshot 1284 can be taken when a particular event occurs, such as the when the malware program 1290 completes a task (e.g., encrypting an entire file system, sending data to the Internet, copying itself to another system, etc.)).
Gopalakrishna teaches the method of comparing the first snapshot and second snapshot to detect the change to the computing system (see paragraph 247 of Gopalakrishna) but fails to disclose:
Installing a hook to a system that delays occurrence of a predefined set of user actions;
However, in the same field of endeavor, Schmugar teaches this limitation as follows (paragraph 85 of Schmugar, the security agent utilizes a continuous system event monitor to watch for system events. This may include the use of operating system (OS) hooks and/or interrupts (i.e., the claimed delay), or otherwise trapping system events so that the security functions can be performed. This continuous system monitoring may require elevated system privileges, and thus, the security agent may operate at a relatively high privilege level) and (paragraph 100 of Schmugar, a method 500 that may be followed by a security agent. Starting in block 504, the security agent hooks or otherwise intercepts a user action, such as opening an application or taking an administrative action).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Singh and Gopalakrishna to include the above limitation using the teaching of Schmugar in order to enhance the security of the computing device.

Claims 8 and 9 are rejected for the same reason set forth in the rejection of claim 6.

As per claim 22, Gopalakrishna in view of Schmugar discloses:
The method of claim 6 further comprising, based on detecting an attempt by a user to perform a second user action that is not in the predefined set of user actions, allowing the second user action to occur without snapshotting. (Paragraph 99 of Gopalakrishna, the enterprise network 400 may be connected to the external network 450 using a gateway device 404. The gateway device 404 may include a firewall or similar system for preventing unauthorized access while allowing authorized access to the enterprise network 400). 

Claims 25 and 27 are rejected for the same reason set forth in the rejection of claim 22.
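The hook-and-snapshot procedure of claim 6, together with the claim 22 behaviour of letting actions outside the predefined set proceed without snapshotting, is shown below as an added example. It is not code from the application, the office action, or the cited publications; the in-memory stand-in for a system portion, the action names in the predefined set, and the file contents are constructed assumptions.

```python
"""Hook a predefined set of user actions: hold the action, snapshot the watched portion,
let the action proceed, snapshot again, and diff. Added illustration; everything here
(the dict standing in for a filesystem portion, action names, contents) is constructed."""
import hashlib
from typing import Callable, Dict, Optional, Tuple

SystemPortion = Dict[str, bytes]          # path -> contents (constructed stand-in)
Snapshot = Dict[str, str]                 # path -> SHA-256 of contents

# Predefined set of user actions whose occurrence is delayed until a snapshot exists.
SNAPSHOTTED_ACTIONS = frozenset({"install_package", "modify_config"})


def take_snapshot(portion: SystemPortion) -> Snapshot:
    """Record a content hash per path; hashes are enough to detect any later change."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in portion.items()}


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, str]:
    """Classify every path present in either snapshot as added, removed or modified."""
    changes: Dict[str, str] = {}
    for path in sorted(before.keys() | after.keys()):
        if path not in before:
            changes[path] = "added"
        elif path not in after:
            changes[path] = "removed"
        elif before[path] != after[path]:
            changes[path] = "modified"
    return changes


def hooked_action(name: str, action: Callable[[SystemPortion], None],
                  portion: SystemPortion) -> Optional[Dict[str, str]]:
    """The hook. Actions in the predefined set are held until a 'before' snapshot is
    taken, then allowed to proceed, then followed by an 'after' snapshot; the diff is
    the detected change. Any other action runs immediately and returns None."""
    if name not in SNAPSHOTTED_ACTIONS:
        action(portion)
        return None
    before = take_snapshot(portion)   # first snapshot, taken while the action is delayed
    action(portion)                   # the user action is now allowed to occur
    after = take_snapshot(portion)    # second snapshot, after the action
    return diff_snapshots(before, after)


def demo() -> Tuple[Optional[Dict[str, str]], Optional[Dict[str, str]]]:
    """Constructed scenario: an install replaces one binary and adds another; a config
    read is outside the predefined set and is never snapshotted."""
    portion: SystemPortion = {"/etc/app.conf": b"debug=0\n", "/usr/bin/app": b"app-v1"}

    def install(p: SystemPortion) -> None:
        p["/usr/bin/app"] = b"app-v2"
        p["/usr/bin/helper"] = b"helper-v1"

    def read_config(p: SystemPortion) -> None:
        _ = p["/etc/app.conf"]

    return hooked_action("install_package", install, portion), hooked_action("read_config", read_config, portion)
```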

Claims 6, 8-9, 22, 25, and 27 are rejected under 35 U.S.C. 103 as being unpatentable over Gopalakrishna (US Pub. No. 2018/0198821) in view of Schmugar (US Pub. No. 2020/0314126).

As per claim 23:
The combination of Gopalakrishna and Schmugar teaches the method of comparing the first snapshot and second snapshot to detect the change to the computing system (see paragraph 247 of Gopalakrishna) but fails to disclose:
The method of claim 6, wherein each user action indicated in the predefined set of user actions is a discrete user action that will cause a change to the system.
However, in the same field of endeavor, Moynahan teaches this limitation as follows (paragraph 26 of Moynahan, in various embodiments, a physical or cyber behavior element may include one or more user behavior activities. In various embodiments, a user behavior activity may be enriched by context about the object upon which the activity is acted. A physical or cyber behavior activity, as used herein, broadly refers to one or more discrete actions performed by a user, such as user `A` 202 or `B` 262, to enact a corresponding physical or cyber behavior element. In various embodiments, such physical or cyber behavior activities may include the use of user authentication factors 204, user behavior factors 212, or a combination thereof, in the enactment of a user's physical or cyber behavior).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Gopalakrishna and Schmugar to include the above limitation using the teaching of Moynahan in order to build user behavior and detect malicious user activity to secure the computing system. 

Claims 24 and 26 are rejected for the same reason set forth in the rejection of claim 23.

Conclusion
The prior art made of record and not relied upon that is considered pertinent to applicant’s disclosure is D Nil (US Pub. No. 2018/0248902). D Nil discloses methods and systems for identifying abnormal user interaction within one or more monitored computer networks.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to TESHOME HAILU whose telephone number is (571)270-3159. The examiner can normally be reached M-F 8 a.m. - 5 p.m.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571) 272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/TESHOME HAILU/Primary Examiner, Art Unit 2434