DETAILED ACTION

Information Disclosure Statement

1.	The information disclosure statement (IDS) submitted on 4/21/22 has been received. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Remarks
2.	Claims 1-20 are pending and have been considered.


Response to Arguments
3. 	Applicant's arguments filed 7/26/2022 have been fully considered, but they are not persuasive.
	In the remarks applicant argues in substance:
a.	That – The Office Action failed to cite prior art for receipt of “custom, declarative programming language input” of claim 1. Claim 1, as examined, recited among other things: “receive, from the authorized user via the interface, input comprising custom, declarative programming language input to the IDE to write, develop, and/or modify, on-the-fly, one or more customized sets of detection and response logic rules to be executed by an endpoint agent” The Office Action rejected claim 1 under 35 U.S.C. §103 over Kumar in view of Dhanani and further in view of Mualem.
In response to applicant’s argument – The claims have been examined under their broadest reasonable interpretation in light of applicant’s specification. It is the combination of Kumar, Dhanani, and Mualem that teaches the claimed language, not any of Kumar, Dhanani, or Mualem alone. As stated in the prior action dated 4/26/2022, the combined references disclose “receive, from the authorized user via the interface, input to the IDE to write, develop, and/or modify, on-the-fly, one or more customized sets of detection and response logic rules to be executed by an endpoint agent” via the threat detection module of Mualem. Mualem teaches a threat detection system comprising Network Manager Daemons (NMDs, i.e., endpoint agents) that perform the processing of the parser and analyzer portions in this embodiment, saving, analyzing, and aggregating packets from each threat detection system, and propagating information to processing routines of the IMC Core (Mualem [Col.19/lines 38-52]). Mualem discloses that the permission detection module enforces the security model by filtering unauthorized packets from the network or by blocking switch ports from which disallowed unauthorized traffic originates. Mualem additionally teaches that the rule set in the library can be updated at any time with zero network downtime, and also the creation of a custom rule (write, develop): the threat signature detection module in step S45 can trigger varying response capabilities which are configurable on a rule-by-rule basis, and each rule can be set to either warn, alter the malicious packets, or block the traffic by disabling a switch port (Mualem [Col.6/line 65 - Col.7/line 7]).
	Applicant’s specification on page 2 discloses a “declarative programming language known as Event Filtering Language (EFL).” The EFL may include a programming language using a process state database to provide per-process symbol tables for the lookup and storage of variables declared in a compiled rule set, and is further able to have the values of those variables optionally persist across rule set reload operations. Dhanani teaches a keystore interface security extension 206 of the IDE platform 202 that is used to enable the IDE to communicate with (e.g., read and write from) other keystore objects or components (Dhanani [Col.5/lines 2-4]). Additionally, Mualem (Col.13/lines 25-32) further teaches a permissions table which is searched in the order provided, where the first rule matching the traffic is the only one used, and if no rules are matched, a default action set is applied.

b.	That – The cited prior art does not teach or suggest input to the IDE to “write, develop, and/or modify, on-the-fly, one or more customized sets of detection and response logic rules to be executed by an endpoint agent”
In response to applicant’s argument – As explained in the response to argument (a) above, the combined references disclose, under the broadest reasonable interpretation in light of applicant’s specification, input “to the IDE to write, develop, and/or modify, on-the-fly, one or more customized sets of detection and response logic rules to be executed by an endpoint agent” via the threat detection module of Mualem. Mualem teaches Network Manager Daemons (NMDs, i.e., endpoint agents) that perform the processing of the parser and analyzer portions, saving, analyzing, and aggregating packets from each threat detection system, and propagating information to processing routines of the IMC Core (Mualem [Col.19/lines 38-52]); a permission detection module that enforces the security model by filtering unauthorized packets from the network or by blocking switch ports from which disallowed unauthorized traffic originates; a rule set in the library that can be updated at any time with zero network downtime; and the creation of custom rules (write, develop) whose response capabilities, triggered by the threat signature detection module in step S45, are configurable on a rule-by-rule basis, each rule being set to either warn, alter the malicious packets, or block the traffic by disabling a switch port (Mualem [Col.6/line 65 - Col.7/line 7]).


Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



4.	Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Patent No. US 9,092,616 B2 to Kumar et al (hereafter referenced as Kumar) in view of Patent No. US 8,032,940 B1 to Dhanani (hereafter referenced as Dhanani), and further in view of Patent No. US 7,463,590 B2 to Mualem et al (hereafter referenced as Mualem).
Regarding claim 1, Kumar discloses “a system for providing an integrated, context-aware, security management framework for an enterprise” (tokenization of identities by Security Token Services (STS) intended to facilitate Identity Federation and Single Sign-On (SSO) for web and enterprise applications, Kumar [Col.3/lines 21-23]), “the system comprising: one or more endpoint devices” (endpoint trust agent, Kumar [Col.13/lines 4-5]); “and a server configured to communicate and exchange data with the one or more endpoint devices over a network” (server device, Kumar [Col.13/lines 20-21]), “the server comprising a hardware processor coupled to non-transitory, computer-readable memory containing instructions executable by the processor to cause the server to: provide a security management platform comprising an interface with which an authorized user associated with the enterprise can interact to monitor endpoint agent activity and manage” (endpoint trust agent/server, Kumar [Fig.8/item 510]), “in real time, or near-real time, functionality of at least one endpoint agent deployed on one of the one or more endpoint devices” (trust supervisor sends real time actions to remediation controller, Kumar [Col.18/lines 28-39]).
Kumar does not explicitly disclose “provide an integrated development environment (IDE) operably coupled to the interface; input comprising custom, declarative programming language input to the IDE, to write, develop, and/or modify, on-the-fly, one or more customized sets of detection and response logic rules to be executed by an endpoint agent.”
However, Dhanani in an analogous art discloses “provide an integrated development environment (IDE)” (secure IDE, Dhanani [Fig.4/item 200], within server 414) “operably coupled to the interface” (coupled to intrusion detection extension interface, Dhanani [Fig.4/item 214]); “input to the IDE” (IDE platform extension, Dhanani [Fig.4/item 214], interconnected to client, Dhanani [Fig.4/item 412], with an interface comprising control module security extensions to provide a secure IDE, Dhanani [Col.4/lines 35-37]); “to write, develop, and/or modify, on-the-fly, one or more customized sets of detection and response logic rules to be executed by an endpoint agent” (keystore interface security extension 206 of the IDE platform 202 is used to enable the IDE to communicate with (e.g., read and write from) other keystore objects or components, Dhanani [Col.5/lines 2-4]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kumar’s method for threat identification and remediation with Dhanani’s secured integrated development environment in order to provide additional security.
One of ordinary skill in the art would have been motivated to combine because Kumar teaches a threat identification and remediation process comprising a security management platform comprising an interface with which an authorized user associated with the enterprise can interact to monitor endpoint agent activity via an endpoint trust agent/server, Dhanani discloses a process to provide a secure Integrated development environment, and both are from the same field of endeavor.
Neither Kumar nor Dhanani explicitly discloses “each endpoint device comprising a deployed endpoint agent configured to continuously monitor and record activity on the respective endpoint device and further execute one or more sets of detection and response logic rules for managing the detection of, and response to, any activity associated with the respective endpoint device that poses a potential security threat to the enterprise, receive, from the authorized user via the interface, and output, to the endpoint agent, a customized set of detection and response logic rules.”

However, Mualem in an analogous art discloses “each endpoint device comprising a deployed endpoint agent configured to continuously monitor and record activity on the respective endpoint device” (Network Manager Daemons (NMDs) that perform the processing of the parser and analyzer portions in this embodiment, saving, analyzing, and aggregating packets from each threat detection system, and propagating information to processing routines of the IMC Core, Mualem [Col.19/lines 38-52]), “and further execute one or more sets of detection and response logic rules for managing” (management and administration portion of the threat detection response system, Mualem [Fig.3/item 180]) “the detection of, and response to, any activity associated with the respective endpoint device that poses a potential security threat to the enterprise” (threat detection system, Mualem [Fig.3]), “receive, from the authorized user via the interface” (permission detection module, Mualem [Col.12/lines 23-25]), “and output, to the endpoint agent, a customized set of detection and response logic rules” (threat detection library of rules, Mualem [Col.6/lines 60-61]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kumar’s method for threat identification and remediation, and Dhanani’s secured integrated development environment, with Mualem’s method for threat detection and response, in which a network intrusion detection system (Mualem [Fig.3]) utilizes Network Manager Daemons (NMDs) that perform the processing of the parser and analyzer portions, saving, analyzing, and aggregating packets from each threat detection system, and propagating information to processing routines of the IMC Core, in order to provide additional security and data integrity.
One of ordinary skill in the art would have been motivated to combine because Kumar teaches a threat identification and remediation process comprising a security management platform with an interface with which an authorized user associated with the enterprise can interact to monitor endpoint agent activity via an endpoint trust agent/server, Dhanani discloses a process to provide a secure integrated development environment, Mualem discloses a threat detection system executing one or more sets of logic rules, and all are from the same field of endeavor.
Regarding claim 2 in view of claim 1, the references combined disclose “wherein the server is configured to receive, from the endpoint agent, security data based on execution of one or more sets of detection and response logic rules”( The threat signature detection module in step S45 provides a library of rules Which evaluate every packet Mualem[Col.6/lines 56-57]). 
Regarding claim 3 in view of claim 2, the references combined disclose “wherein the endpoint agent comprises one or more collection modules configured to monitor activities of processes and user on the respective endpoint device in real time, or near-real time, via a range of kernel mode and/or user mode information sources” (mmap extension of packet sockets allows the kernel to make packets available to the analysis modules Mualem [Col.15/lines 34-36]). 
Regarding claim 4 in view of claim 3, the references combined disclose “wherein the one or more collection modules are configured to: generate event data based on the monitoring of activities” (threat analysis, Mualem [Fig.3]; also see user interface threat management system, Mualem [Fig.9]); “and transmit the event data to a logic engine of the endpoint agent” (event data transferred from analysis module to threat management system, Mualem [Fig.9]) “to undergo analysis based on execution of detection and response logic rules for the determination of a one or more actions to be performed based on the analysis of the event data” (threat analysis, Mualem [Fig.3]; also see user interface threat management system, Mualem [Fig.9]).
Regarding claim 5 in view of claim 4, the references combined disclose “wherein the activities comprise one or more events selected from the group consisting of removable media events, file events, session events, network events, name lookup events, process events, registry events, print events, image load events, and object access events” (analyzer portion, Mualem [Fig.4/item 244]).
Regarding claim 6 in view of claim 5, the references combined disclose “wherein the one or more events are selected from the group consisting of process start/stop, insertion/removal of removable media, establishment/termination of network connections, writes to a file system, printing of one or more documents, Domain Name System (DNS) name resolution attempts, and writes to an operating system registry” (reject filter packet, send alert Mualem [Fig.1/item s72-s78]). 
Regarding claim 7 in view of claim 4, the references combined disclose “wherein the set of detection and response logic rules comprises at least one rule statement comprising match criteria and an associated action” (analyzer portion, Mualem [Fig.4/item 244]).
Regarding claim 8 in view of claim 7, the references combined disclose “wherein the analysis comprises: comparing the event data with the match criteria” (anomaly detected Mualem [Fig.1/item s20]); “and determine an associated action to be performed by the endpoint agent based on a positive correlation of the event data with the match criteria” (threat signatures used by the threat signature detection module may utilize a generic form. For example, each signature may include: a) A set of actions to take upon a match of the signature Mualem [Col.7/lines 8-15]).
Regarding claim 9 in view of claim 8, the references combined disclose “wherein the associated action is selected from the group consisting of a suppress action, an alert action, a forward action, a block action, a kill process action, an isolate action, and a set action.”(reject filter packet, send alert Mualem [Fig.1/item s72-s78]).
Regarding claim 10 in view of claim 9, the references combined disclose “wherein the suppress action comprises preventing recording of event data to a forensic log file in a database based on a positive correlation of the event data with a suppress rule match criteria” (reject filter packet, send alert Mualem[Fig.1/item s72-s78]). 
Regarding claim 11 in view of claim 9, the references combined disclose “wherein the alert action comprises transmitting an alert to the endpoint server indicative of event data requiring attention based on a positive correlation of the event data with an alert rule match criteria” (reject filter packet, send alert Mualem[Fig.1/item s72-s78]).
Regarding claim 12 in view of claim 9, the references combined disclose “wherein the forward action comprises transmitting a communication to the endpoint server comprising a copy of event data based on a positive correlation of the event data with a forward rule match criteria” (set action, reassemble packets, send complete frame Mualem[Fig.1]). 
Regarding claim 13 in view of claim 9, the references combined disclose “wherein the block action comprises blocking execution of a process associated with event data based on a positive correlation of the event data with a block rule match criteria” (reject filter packet, send alert Mualem[Fig.1/item s72-s78]). 
Regarding claim 14 in view of claim 9, the references combined disclose “wherein the kill process action comprises terminating a process associated with event data and having already been executed based on a positive correlation of the event data with a kill process rule match criteria.” (analyzer portion, Mualem [Fig.4/item 244]).
Regarding claim 15 in view of claim 9, the references combined disclose “wherein the isolate action comprises isolating, over the network, the endpoint agent and endpoint device from other endpoint agents and endpoint devices” (reject filter packet, send alert Mualem[Fig.1/item s72-s78 ]).
Regarding claim 16 in view of claim 9, the references combined disclose “wherein the set action comprises modifying one or more state variables associated with rule statements of matching criteria.” (analyzer portion, Mualem [Fig.4/item 244]).
Regarding claim 17 in view of claim 1, the references combined disclose “wherein the one or more customized sets of detection and response logic rules are generated based on a custom, declarative programming language, wherein the custom, declarative programming language is compiled, via a compiler module, into byte code, wherein the compiler module is configured to output a compiled rule set.”(threat detection module Mualem [Fig.3]). 
Regarding claim 18 in view of claim 17, the references combined disclose “wherein the customized set of detection and response logic rules outputted from the server comprises a compiled rule set embedded into an installer executable by the endpoint agent to thereby transmit the compiled rule set to the endpoint agent such that the endpoint agent executes the associated customized set of detection and response logic rules” (threat detection module Mualem [Fig.3]). 
Regarding claim 19 in view of claim 1, the references combined disclose “wherein the authorized user is an individual or group tasked with managing the enterprise's security posture and the enterprise comprises at least one of a business entity, company, organization, and government agency” (FIG. 9 can be used to consolidate and correlate a plurality of identity, inventory and log management systems in order to determine a reputation of a subject, e.g., a user, device, transaction, service, or organization/company, Mualem [Col.20/lines 64-67]).
Regarding claim 20 in view of claim 1, the references combined disclose “wherein the customized set of detection and response logic rules is based on at least one of the enterprise's operations, the enterprise's infrastructure, user-based processes within the enterprise, the enterprise's security policies, industry-specific rules and regulations associated with the enterprise, known security threats and techniques, and new emerging security threats and techniques” (threat detection module, Mualem [Fig.3]).
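The following is an added illustration for the reader of this page and is not part of the Office action, the applicant's specification (EFL), or any code from Kumar, Dhanani, or Mualem. It sketches, in Python, the structure that claims 7-17 describe: rule statements consisting of match criteria plus one associated action (suppress, alert, forward, block, kill, isolate, set), compiled from a small declarative text form into rule objects and then evaluated by an endpoint logic engine over event data, with the "first matching rule wins, otherwise a default action" ordering that the examiner attributes to Mualem's permissions table, and with "set" rules writing state variables that later rules may test. The rule syntax, the field names, and the sample events are all constructed assumptions made for this example.

```python
"""Minimal declarative detection-and-response rule engine (illustrative example).

Constructed for this page; not the applicant's EFL nor any cited reference's code.
Rule syntax (assumed): when <criteria> then <action> [var=value ...]
  field=value   exact match on an event field
  field$=suffix ends-with match on an event field
  $var=value    match on a rule-set state variable set by an earlier "set" rule
"""
from dataclasses import dataclass, field

ACTIONS = {"suppress", "alert", "forward", "block", "kill", "isolate", "set"}


@dataclass
class Rule:
    criteria: list   # (op, field, value) with op in {"eq", "endswith", "state"}
    action: str
    params: dict     # state assignments carried by a "set" rule


def compile_rules(text: str) -> list:
    """Compile the text form into an ordered list of Rule objects (order is significant)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith("when ") or " then " not in line:
            raise ValueError(f"bad rule: {line}")
        cond, _, act = line[5:].partition(" then ")
        action, *params = act.split()
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r} in: {line}")
        criteria = []
        for tok in cond.split():
            if "$=" in tok:                       # ends-with criterion
                f, v = tok.split("$=", 1)
                criteria.append(("endswith", f, v))
            elif tok.startswith("$"):             # state-variable criterion
                f, v = tok[1:].split("=", 1)
                criteria.append(("state", f, v))
            else:                                 # exact criterion
                f, v = tok.split("=", 1)
                criteria.append(("eq", f, v))
        rules.append(Rule(criteria, action, dict(p.split("=", 1) for p in params)))
    return rules


@dataclass
class Engine:
    rules: list
    default: str = "forward"
    state: dict = field(default_factory=dict)      # rule-set state variables
    log: list = field(default_factory=list)        # forensic log; suppressed events omitted
    alerts: list = field(default_factory=list)     # events escalated to the server
    responses: list = field(default_factory=list)  # (action, pid) enforcement records

    def _matches(self, rule: Rule, event: dict) -> bool:
        for op, f, v in rule.criteria:
            actual = self.state.get(f) if op == "state" else str(event.get(f, ""))
            if op == "endswith":
                if not actual.endswith(v):
                    return False
            elif actual != v:
                return False
        return True

    def evaluate(self, event: dict) -> str:
        """First matching rule decides the action; unmatched events get the default."""
        for rule in self.rules:
            if self._matches(rule, event):
                return self._apply(rule.action, rule.params, event)
        return self._apply(self.default, {}, event)

    def _apply(self, action: str, params: dict, event: dict) -> str:
        if action == "suppress":          # dropped before it reaches the forensic log
            return action
        self.log.append(event)
        if action == "set":               # modify state variables for later rules
            self.state.update(params)
        elif action == "alert":
            self.alerts.append(event)
        elif action in ("block", "kill", "isolate"):
            self.responses.append((action, event.get("pid")))
        return action                     # "forward" only records the event


RULES_TEXT = """
# constructed rule set: first match wins, default action is forward
when type=process_start image$=svchost.exe parent=services.exe then suppress
when type=process_start image$=powershell.exe parent=WINWORD.EXE then set office_shell=1
when type=network $office_shell=1 then isolate
when type=registry_write key$=Run then alert
when type=process_start image$=mimikatz.exe then kill
"""

EVENTS = [  # constructed endpoint events, not captured data
    {"type": "process_start", "pid": 100, "image": r"C:\Windows\System32\svchost.exe", "parent": "services.exe"},
    {"type": "process_start", "pid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": "WINWORD.EXE"},
    {"type": "network", "pid": 200, "dest": "203.0.113.5", "port": 443},
    {"type": "file_write", "pid": 200, "path": r"C:\Users\alice\notes.txt"},
    {"type": "registry_write", "pid": 200, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "process_start", "pid": 300, "image": r"C:\Temp\mimikatz.exe", "parent": "cmd.exe"},
]


def run_demo() -> tuple:
    """Compile the rule set, evaluate every sample event, return (actions, engine)."""
    engine = Engine(compile_rules(RULES_TEXT))
    actions = [engine.evaluate(e) for e in EVENTS]
    return actions, engine


if __name__ == "__main__":
    actions, engine = run_demo()
    for ev, act in zip(EVENTS, actions):
        print(f"{ev['type']:15} pid={ev['pid']:<4} -> {act}")
    print("state:", engine.state, "| responses:", engine.responses)
```

Two points the example makes concrete: rule order matters (the "set" rule has to precede the rule that tests the state variable, and the noise-suppression rule sits first so it cannot be shadowed), and "suppress" is the one action that never writes to the forensic log, which is exactly what makes a mis-ordered or over-broad suppress rule a detection blind spot.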

Conclusion

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL D ANDERSON whose telephone number is (571)270-5159. The examiner can normally be reached Mon-Fri 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571) 272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MICHAEL D ANDERSON/Examiner, Art Unit 2433


/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433