Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Objections
Claim 18 is objected to because of the following informalities:  claim 18 recites a typographical error "event records base on". For the purpose of examination this is being interpreted as "event records based on".  Appropriate correction is required.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitations are: 
“local security agent configured to” in claim 19
“a threat management facility configured to” in claim 20
Because these claim limitations are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. See specification [para. 0146, 0251] for “local security agent” and for “a threat management facility” see specification [para. 0052], for structure.  
If applicant does not intend to have these limitations interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is
directed to non-statutory subject matter. These claims do not fall within at least one of the four categories of patent eligible subject matter because these claims only recite of receiving data, modifying the data, storing the data, and transmitting the data. All of these are a form of ascertaining and processing the data which can be considered as mental steps, whereas devices configured
to process the data and additional recitations of computer program product with memory are merely generic computer components. In addition, the claims do not integrate the abstract ideas into a practical application. Furthermore, upon further considering additional claim elements, they do not appear to add significantly more to the abstract ideas. For example, the claims only recite of storing data in a data recorder, evaluating data, responding to query for the data, and determining relationships of the data. These claims fail to recite how the event data is being used to mitigate the security event. These claims amount merely to performing data retrieval, storage, and processing. Therefore, claims 1-20 are rejected under U.S.C. 101 for reciting abstract ideas. 


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-17, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over HOLEMAN (US-20180191766-A1) in view of WAGHORN (US-20190081963-A1), hereinafter HOLEMAN- WAGHORN.
Regarding claim 1, HOLEMAN teaches “A computer program product comprising computer executable code embodied in a non- transitory computer readable medium that, when executing on one or more computing devices, performs the steps of: receiving event data from a sensor on an endpoint, the event data responsive to an event on the endpoint;” ([HOLEMAN, para. 0031] “In some embodiments, the endpoint analysis agent may include instructions embodied on a non-transitory computer-readable medium that are executable by an endpoint computer system to cause operations such as those described above.”) ([HOLEMAN, para. 0024] “Turning now to FIG. 1, a block diagram is shown of a system 100 that implements an endpoint information collection architecture. System 100 includes a network 110, which is coupled to various network flow devices—namely, flow collectors 104A-B and flow analyzer 106. Network 110 is also coupled to several representative endpoint computer systems 120. Shown are desktop computer 120A, laptop computer 120B, mobile phone 120C, and data center server computer 120D. These are representative of numerous types of endpoint computer systems that may be connected to network 110.”) ([HOLEMAN, para. 0025] “Information may therefore be collected regarding computing activity on endpoint computer systems in a manner that does not rely on the network infrastructure.”) generating a source identifier that identifies a source of the event in a context of the sensor, ([HOLEMAN, para. 0025] “This capability allows collection not only of traditional data from OSI layers 3 and 4, such as source and destination IP addresses and ports, but also provides additional valuable information associated with OSI layers 4-7, including, for example, the executable responsible for a particular network socket, an associated cryptographic hash (e.g., MD5, SHA1, SHA2, SHA 256, etc.), process and file path of the executable, the user responsible for launching the executable, and whether the executable is being run in the foreground or background of the endpoint. (A “foreground” process is one that is actively selected by the user, as opposed to a “background” process associated with a minimized window or other system activity.) This paradigm thus provides “last-mile” visibility to provide additional information about network flows.”) the source identifier including a medium access control address associated with the source, ([HOLEMAN, para. 0047] “System event and configuration sensors 450 refer to computer program instructions that are executable to collect information regarding the configuration of endpoint computer system 120 or events that may occur on such a system. In various embodiments, sensors 450 may determine system identity information, such as the hostname, IP address, MAC address, and serial number of system 120. Any other suitable type of system identity information may also be determined, such as an inventory tracking number for system 120, or other enterprise-assigned tags or attributes.”) an Internet Protocol address associated with the source, ([HOLEMAN, para. 0025] “This capability allows collection not only of traditional data from OSI layers 3 and 4, such as source and destination IP addresses and ports, but also provides additional valuable information”) and a process executing on the endpoint that is associated with the source; ([HOLEMAN, para. 0025] “also provides additional valuable information associated with OSI layers 4-7, including, for example, the executable responsible for a particular network socket, an associated cryptographic hash (e.g., MD5, SHA1, SHA2, SHA 256, etc.), process and file path of the executable, the user responsible for launching the executable, and whether the executable is being run in the foreground or background of the endpoint. (A “foreground” process is one that is actively selected by the user, as opposed to a “background” process associated with a minimized window or other system activity.)”) creating a modified event record that includes the event data and the source identifier; ….. ([HOLEMAN, para. 0061] “In some embodiments, the data collected by sensor modules 440 may be assembled (e.g., by control logic 410 and/or cache logic 430) into network flow data records that are far more informative than traditional network flow data, which commonly does little more than identify a network address of an endpoint computer system 120. Instead, in various embodiments, endpoint analysis agent includes endpoint activity information in extended network flow data records. The Internet Engineering Task Force's IP Information Flow Export (IETF's IPFIX) standards, for example, provide an extensible flow data record format. Use of such a format allows information to be conveyed in a format similar to that currently in use within the industry. But by exploiting this flow data extensibility, additional endpoint security context may be provided, enabling far more specific analysis by the network flow analyzers to more accurately identify and prioritize network security threats. The present disclosure is not limited, of course, to use of the IPFIX standards. Instead, flow data may be conveyed using any other extensible formats or proprietary formats used by commercial network security infrastructure providers. Accordingly, sensor modules 440 may assemble any suitable data records associated with user activity, file access, registry operations, performance characteristics, device attach/detach, location data, log/audit events, etc.; these records may also be formatted in accordance with other formats such as Protobuf, JSON, XML, etc.”) …… and transmitting the modified event record to a threat management facility. ([HOLEMAN, para. 0026] “Information collected at endpoints may then be sent to devices in the network (or external to the network such as cloud-based devices), such as network flow analyzers, that use this information to supplement flow information collected within the network infrastructure. For example, if a network administrator is interested in a particular network flow, he or she may choose to review additional endpoint information to obtain a more complete picture of the security situation. In various embodiments, this information may be packaged in a standard network flow data record format.”) ([HOLEMAN, para. 0062] “Once properly formatted, network logic 430 is configured to transmit the network flow data records to one or more network flow devices in network 110. These transmissions may either be unicast (i.e., sent to one network flow device in network 110) or multicast (i.e., sent to multiple network flow devices). Note that network flow analyzers that ultimately will be processing the flow data records may need to be modified to recognize the extended flow data records and correlate this additional data with network-observed flow data.”).
However, HOLEMAN does not teach “storing the modified event record in a data recorder on the endpoint;”.
In analogous teaching WAGHORN teaches “storing the modified event record in a data recorder on the endpoint;” ([WAGHORN, para. 0077] “Forensic analysis for computer processes may include a root cause analysis—e.g., determining and analyzing an origin or root cause of a piece of malware. Techniques may include monitoring activity for one or more endpoints and recording the activity in a data recorder or the like. The data recorder may include a database or data store. The data recorder may act as a rolling buffer, e.g., storing a large amount of data for predetermined time windows before overwriting old data with new data. The data recorder may collect information about device activity, such as file creations, process creations, registry changes, memory injections, and so forth. In an aspect, when a beacon or trigger event is detected (e.g., an event pertinent to computer or network security), information from the data recorder may be analyzed (e.g., starting at the trigger event) to determine a root cause and to determine affected computing objects.”) ([WAGHORN, para. 0078] “FIG. 3 illustrates a system for forensic analysis for computer processes. The system 300 may include an endpoint 310 containing a data recorder 320”) ([WAGHORN, para. 0085] “The data recorder 320 may monitor and record activity related to the objects 312 and events 314 occurring on the endpoint 310. The activity of the endpoint 310 may be stored in a data log 322 or the like on the data recorder 320, which may be stored locally on the endpoint 310 (as depicted) or remotely at a threat management resource, or some combination of these, such as where the data log 322 is periodically transmitted to a remote facility for archiving or analysis. The data recorder 320 may continuously record any activity occurring on the endpoint 310 for predetermined periods of time before overwriting previously recorded data. Thus, the data log 322 may include a continuous data feed of events 314.”)
Thus, given the teaching of WAGHORN, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching storing event records in a data recorder by WAGHORN into the teaching of a receiving event data from a sensor as taught by HOLEMAN. One of ordinary skill in the art would have been motivated to do so because WAGHORN recognizes the need for improved detection of threats and efficiently monitoring events ([WAGHORN, para. 0003] “As computers and malware becomes more sophisticated, it becomes increasingly difficult to detect malicious computing activity or other endpoint conditions of interest, particularly where relevant patterns of events are complex or occur over an extended time period. There remains a need for improved techniques for real-time, event-based detection of malware and other complex computational events or contexts.”) ([WAGHORN, para. 0004] “An event handler implements a state machine or similar construct for processing of complex event chains as incremental events are detected. This approach advantageously limits processing to monitoring for and responding to a next event in a sequence of events, and supports complex event detection in a manner that scales efficiently in time and computation.”)

Regarding claim 2, HOLEMAN- WAGHORN teaches all limitations of claim 1. WAGHORN further teaches “further comprising code that performs the step of storing a plurality of modified event records in the data recorder.” ([WAGHORN, para. 0078] “FIG. 3 illustrates a system for forensic analysis for computer processes. The system 300 may include an endpoint 310 containing a data recorder 320”) ([WAGHORN, para. 0085] “The data recorder 320 may monitor and record activity related to the objects 312 and events 314 occurring on the endpoint 310. The activity of the endpoint 310 may be stored in a data log 322 or the like on the data recorder 320, which may be stored locally on the endpoint 310 (as depicted) or remotely at a threat management resource, or some combination of these, such as where the data log 322 is periodically transmitted to a remote facility for archiving or analysis. The data recorder 320 may continuously record any activity occurring on the endpoint 310 for predetermined periods of time before overwriting previously recorded data. Thus, the data log 322 may include a continuous data feed of events 314.”)
The same motivation to modify HOLEMAN with WAGHORN as in the rejection of claim 1, applies. 

Regarding claim 3, HOLEMAN- WAGHORN teaches all limitations of claim 1. WAGHORN further teaches “further comprising code that performs the step of responding to a query from a resource external to the endpoint for data stored in the data recorder.” ([WAGHORN, para. 0078] “FIG. 3 illustrates a system for forensic analysis for computer processes. The system 300 may include an endpoint 310 containing a data recorder 320, a monitoring facility 330, and any number of objects 312 and events 314. An analysis facility 340 may be coupled in a communicating relationship with the endpoint 310 over a data network 350”) ([WAGHORN, para. 0085] “When an event 314 is detected that is a beacon or trigger event (such as a file detection, a malicious traffic detection, or the like), the data log 322 may be saved and transmitted to an analysis facility 340 or the like for analysis, e.g., to determine a root cause of the beacon or trigger event.”) ([WAGHORN , para. 0091] “The analysis facility 340 may analyze the data log 322, e.g., as part of a root cause analysis and to identify objects 312 compromised by the root cause. To this end, the analysis facility 340 may utilize one or more rules 342 for applying to the data included in the data log 322 to determine a root cause of a beacon or trigger event such as a suspected or actual security compromise on the endpoint 310 …… The analysis facility 340 may be an external facility, or it may reside in a virtual appliance (e.g., which could be run by a protected set of systems on their own network systems), a private cloud, a public cloud, and so forth. The analysis facility 340 may store locally-derived threat information for use in subsequent identification, remediation, or other similar activity. ”) ([WAGHORN, para. 0092] “The analysis facility 340 may create an event graph. In general, the event graph may represent information in the data log 322 in a graph where objects 312 are nodes and events 314 are edges connecting the nodes to one another based on causal or other relationships as generally contemplated herein.”)
The same motivation to modify HOLEMAN with WAGHORN as in the rejection of claim 1, applies. 

Regarding claim 4, HOLEMAN- WAGHORN teaches all limitations of claim 1. WAGHORN further teaches “further comprising code that, when executing on the threat management facility, performs the step of providing a user interface for navigating a chain of events based on relationships among a plurality of source identifiers in a plurality of modified event records received at the threat management facility.” ([WAGHORN, para. 0092] “The analysis facility 340 may create an event graph. In general, the event graph may represent information in the data log 322 in a graph where objects 312 are nodes and events 314 are edges connecting the nodes to one another based on causal or other relationships as generally contemplated herein. The event graph may be used by the analysis facility 340 or other component(s) of the system 300 as part of a root cause analysis and to identify objects 312 compromised by the root cause. The event graph may also or instead be displayed to a user of the system 300 or endpoint 310, e.g., using an interactive user interface or the like.”) ([WAGHORN, para. 0118] “Implementations may include a number of different event graphs stored in a data store that can be used together to detect, prevent, or determine the root causes for suspicious activity or other activity of interest, e.g., a security event. As discussed herein, the event graphs may be filtered before being stored in the data store, which can remove system activity that is not of interest in such analyses. The event graphs may be searchable, e.g., for analysis of event graphs including similar computing objects or events. The event graphs may also or instead be linked to one another, e.g., event graphs including similar computing objects or events. The event graphs may be presented to a user on a user interface or the like, e.g., an interactive user interface that allows a user to see similar or related event graphs, search the event graphs, link between event graphs, and so forth.”) ([WAGHORN, para. 0114] “As shown in step 410, the method 400 may include generating an event graph. The event graph may be generated in response to detecting the security event, e.g., using the data log from the data recorder. The event graph may be generated at the same time as or as part of creating the data log. The event graph may include the sequence of events causally relating the number of computing objects, and more specifically, the sequence of events and computer objects causally associated with the object(s) that triggered the detected security event.”)
The same motivation to modify HOLEMAN with WAGHORN as in the rejection of claim 1, applies. 

Regarding claim 5, HOLEMAN-WAGHORN teaches all limitations of claim 1. HOLEMAN further teaches “further comprising code that, when executing on the threat management facility, performs the step of processing a stream of modified event records to evaluate security threats to an enterprise network.” ([HOLEMAN, para. 0030] “A network flow analyzer according to the present disclosure may also base its network security analysis on information received from endpoint computer systems. A network flow analyzer refers to a physical device, which may perform the network security analysis using hardware or software running on hardware. A network flow analyzer may of course perform additional functions in various embodiments and is not merely limited to performing a network security analysis.”) ([HOLEMAN, para. 0068] “Turning now to FIG. 5, a block diagram of a system 500 that includes network flow analyzer 106 is shown. As depicted, network flow analyzer 106 includes flow matching module 510, threat and anomaly detection module 520, and risk analysis module 530. These modules may be implemented either in hardware, software, or a combination thereof.”) ([HOLEMAN, para. 0070] “Module 510 may include computer program instructions executable to match, or correlate, information about a flow observed within the network infrastructure with endpoint information that corresponds to that flow. Accordingly, any or all of the endpoint data collected by endpoint analysis agent 340 (e.g., process id, foreground/background process, executable file name and path, etc.) may be associated with a corresponding flow within the infrastructure of network 110. In some embodiments, this association may take the form of including additional information within a data structure maintained by network flow analyzer 106 for a particular network flow. In other embodiments, the endpoint data may be linked to a data structure for a particular network flow.”) ([HOLEMAN, para. 0072] “With network and endpoint information associated in some fashion, the consolidated information may be forwarded to threat and anomaly detection module 520. In some embodiments, module 520 includes computer program instructions that are executable to determine whether network activity should be classified as potential threat or anomaly. As shown, module 520, in some embodiments, may receive network threat intelligence feeds 512. Feeds 512 refer to any third-party data that provides information regarding known cyber-threats. Module 520 then uses a set of rules or heuristics, optionally in conjunction with feeds 512, to make a threat assessment determination.”).

Regarding claim 6, HOLEMAN-WAGHORN teaches all limitations of claim 1. HOLEMAN further teaches “further comprising code that performs the step of processing a stream of modified event records at the threat management facility to evaluate a security state of the endpoint.” ([HOLEMAN, para. 0073] “Consider an example in which a port 80 connection is being made to Internet destination 23.64.171.27. This may be the extent of information discernible by traditional network-based flow collection tools. Given this information, a network analyst may dismiss this alert as a false positive. But because endpoint information has been collected by endpoint analysis agent 340 and sent to network flow analyzer 106, the port 80 connection may be correlated by flow matching module 510 with information indicating that the connection was not initiated by a web browser, but rather through a task automation program such as a WINDOWS POWERSHELL. Additionally, module 510 may also determine that the connection was initiated by the “System” account and not a logged-in user. Additional information may also be determined, such as what actions were taken before and after the connection (malicious processes tend to perform actions before and after connections that constitute a recognizable attack pattern), as well as a history of endpoint process activity. Such information, when coupled with the network-observed activity, may be used by module 520 in more accurately determining whether network activity constitutes a security threat.”) ([HOLEMAN, para. 0075] “Threats and anomalies determined by module 520 may then be passed to risk analysis module 530, which, in some embodiments, includes computer program instructions executable to assign a risk level (e.g., high, medium, low) to these threats and anomalies. Some activity classified as a threat or anomaly may be determined by module 530 to not be a threat at all. Note that in some embodiments, modules 520 and 530 may be combined into a single module.”).

Regarding claim 7, this claim recites a method corresponding to the features of claim 1. Therefore, claim 7 is rejected in a similar manner as in the rejection of claim 1. 

Regarding claim 8, HOLEMAN- WAGHORN teaches all limitations of claim 7. WAGHORN further teaches “comprising determining a relationship of the modified event record with one or more other modified event records stored at the threat management facility based on the source identifier.” ([WAGHORN, para. 0114] “As shown in step 410, the method 400 may include generating an event graph. The event graph may be generated in response to detecting the security event, e.g., using the data log from the data recorder. The event graph may be generated at the same time as or as part of creating the data log. The event graph may include the sequence of events causally relating the number of computing objects, and more specifically, the sequence of events and computer objects causally associated with the object(s) that triggered the detected security event”) ([WAGHORN, para. 0092] “The analysis facility 340 may create an event graph. In general, the event graph may represent information in the data log 322 in a graph where objects 312 are nodes and events 314 are edges connecting the nodes to one another based on causal or other relationships as generally contemplated herein. The event graph may be used by the analysis facility 340 or other component(s) of the system 300 as part of a root cause analysis and to identify objects 312 compromised by the root cause. The event graph may also or instead be displayed to a user of the system 300 or endpoint 310, e.g., using an interactive user interface or the like.”)
The same motivation to modify HOLEMAN with WAGHORN as in the rejection of claim 1, applies. 

Regarding claim 9, HOLEMAN-WAGHORN teaches all limitations of claim 7. WAGHORN further teaches “comprising determining a relationship of the source identifier with one or more other source identifiers based on a plurality of modified event records received at the threat management facility.” (WAGHORN, para. 0136] “An event graph such as the event graph 500 shown in the figure may include any number of nodes and edges, where computing objects are represented by nodes and events are represented by edges that mark the causal or otherwise directional relationships between computing objects such as data flows, control flows, network flows and so forth. While processes or files are common forms of nodes that might appear in such a graph, any other computing object such as an IP address, a registry key, a domain name, a uniform resource locator, a command line input or other object may also or instead be designated to be a node in an event graph as contemplated herein. Similarly, while an edge may be formed by an IP connection, a file read, a file write, a process invocation (parent, child, etc.), a process path, a thread injection, a registry write, a domain name service query, a uniform resource locator access and so forth other edges may be designated.”) ([WAGHORN, para. 0114] “As shown in step 410, the method 400 may include generating an event graph. The event graph may be generated in response to detecting the security event, e.g., using the data log from the data recorder. The event graph may be generated at the same time as or as part of creating the data log. The event graph may include the sequence of events causally relating the number of computing objects, and more specifically, the sequence of events and computer objects causally associated with the object(s) that triggered the detected security event”) ([WAGHORN, para. 0092] “The analysis facility 340 may create an event graph. In general, the event graph may represent information in the data log 322 in a graph where objects 312 are nodes and events 314 are edges connecting the nodes to one another based on causal or other relationships as generally contemplated herein. The event graph may be used by the analysis facility 340 or other component(s) of the system 300 as part of a root cause analysis and to identify objects 312 compromised by the root cause. The event graph may also or instead be displayed to a user of the system 300 or endpoint 310, e.g., using an interactive user interface or the like.”)
The same motivation to modify HOLEMAN with WAGHORN as in the rejection of claim 1, applies. 


Regarding claim 10, HOLEMAN- WAGHORN teaches all limitations of claim 7. WAGHORN further teaches “comprising creating a graph that causally associates two or more events based on a plurality of source identifiers in a plurality of modified event records received at the threat management facility.” (WAGHORN, para. 0136] “An event graph such as the event graph 500 shown in the figure may include any number of nodes and edges, where computing objects are represented by nodes and events are represented by edges that mark the causal or otherwise directional relationships between computing objects such as data flows, control flows, network flows and so forth. While processes or files are common forms of nodes that might appear in such a graph, any other computing object such as an IP address, a registry key, a domain name, a uniform resource locator, a command line input or other object may also or instead be designated to be a node in an event graph as contemplated herein. Similarly, while an edge may be formed by an IP connection, a file read, a file write, a process invocation (parent, child, etc.), a process path, a thread injection, a registry write, a domain name service query, a uniform resource locator access and so forth other edges may be designated.”) ([WAGHORN, para. 0114] “As shown in step 410, the method 400 may include generating an event graph. The event graph may be generated in response to detecting the security event, e.g., using the data log from the data recorder. The event graph may be generated at the same time as or as part of creating the data log. The event graph may include the sequence of events causally relating the number of computing objects, and more specifically, the sequence of events and computer objects causally associated with the object(s) that triggered the detected security event”) ([WAGHORN, para. 0092] “The analysis facility 340 may create an event graph. In general, the event graph may represent information in the data log 322 in a graph where objects 312 are nodes and events 314 are edges connecting the nodes to one another based on causal or other relationships as generally contemplated herein. The event graph may be used by the analysis facility 340 or other component(s) of the system 300 as part of a root cause analysis and to identify objects 312 compromised by the root cause. The event graph may also or instead be displayed to a user of the system 300 or endpoint 310, e.g., using an interactive user interface or the like.”)
The same motivation to modify HOLEMAN with WAGHORN as in the rejection of claim 1, applies. 

Regarding claim 11, HOLEMAN-WAGHORN teaches all limitations of claim 7. This claim recites features similar to those of claim 4. Therefore, claim 11 is rejected in a similar manner as in the rejection of claim 4. 

Regarding claim 12, HOLEMAN-WAGHORN teaches all limitations of claim 7. This claim recites features similar to those of claims 2 and 3. Therefore, claim 12 is rejected in a similar manner as in the rejection of claims 2 and 3. 

Regarding claim 13, HOLEMAN-WAGHORN teaches all limitations of claim 7. HOLEMAN further teaches “wherein the physical address includes a medium access control address and the network address includes an Internet Protocol address.” ([HOLEMAN, para. 0047] “System event and configuration sensors 450 refer to computer program instructions that are executable to collect information regarding the configuration of endpoint computer system 120 or events that may occur on such a system. In various embodiments, sensors 450 may determine system identity information, such as the hostname, IP address, MAC address, and serial number of system 120. Any other suitable type of system identity information may also be determined, such as an inventory tracking number for system 120, or other enterprise-assigned tags or attributes.”) ([HOLEMAN, para. 0025] “This capability allows collection not only of traditional data from OSI layers 3 and 4, such as source and destination IP addresses and ports, but also provides additional valuable information”).

Regarding claim 14, HOLEMAN-WAGHORN teaches all limitations of claim 7. HOLEMAN further teaches “comprising determining the context of the sensor by inspecting one or more network resources associated with the endpoint.” ([HOLEMAN, para. 0058] “For example, local analysis logic 420 may be programmed to look for certain sequences of operations, such as failed DNS look ups. Similarly, logic 420 may look for so-called indicators of compromise (e.g., signatures of known malware or attacks) or for common applications communicating over unusual port numbers. In this manner, local analysis logic 420 may provide a preliminary risk assessment for activity relating to endpoint computer system 120.”)

Regarding claim 15, HOLEMAN-WAGHORN teaches all limitations of claim 7. HOLEMAN further teaches “wherein the temporal address includes an identifier for at least one of a user of the endpoint, a device associated with the endpoint, a path associated with a computing object on the endpoint, a process executing on the endpoint, and an application on the endpoint.” ([HOLEMAN, para. 0003] “Many information technology organizations may monitor various aspects about computer systems to improve system security and/or resource utilization. This may include monitoring the processes running in a computer system, which may be used for virus checking or ensuring that employees are not executing unauthorized software.”) ([HOLEMAN, para. 0025] “Information may therefore be collected regarding computing activity on endpoint computer systems in a manner that does not rely on the network infrastructure. This capability allows collection not only of traditional data from OSI layers 3 and 4, such as source and destination IP addresses and ports, but also provides additional valuable information associated with OSI layers 4-7, including, for example, the executable responsible for a particular network socket, an associated cryptographic hash (e.g., MD5, SHA1, SHA2, SHA 256, etc.), process and file path of the executable, the user responsible for launching the executable, and whether the executable is being run in the foreground or background of the endpoint. (A “foreground” process is one that is actively selected by the user, as opposed to a “background” process associated with a minimized window or other system activity.)”).

Regarding claim 16, HOLEMAN-WAGHORN teaches all limitations of claim 7. Furthermore, this claim recites features similar to that of claim 5. Therefore, claim 16 is rejected in a similar manner as in the rejection of claim 5. 

Regarding claim 17, HOLEMAN-WAGHORN teaches all limitations of claim 7. Furthermore, this claim recites features similar to that of claim 6. Therefore, claim 17 is rejected in a similar manner as in the rejection of claim 6. 

Regarding claim 19, this claim recites a system which recites features similar to those of claim 1. Therefore, claim 19 is rejected in a similar manner as in the rejection of claim 1. Furthermore, HOLEMAN teaches “a local security agent executing on an endpoint, the local security agent configured to: receive data characterizing an event from a sensor on the endpoint” ([HOLEMAN, para. 0039] “Turning now to FIG. 3, a block diagram of a system 300 is shown that includes an exemplary endpoint computer system. In this particular configuration, endpoint analysis agent 340 is implemented in software—for example, according to one of the arrangements described above with reference to FIG. 2. But as previously noted, in other embodiments endpoint analysis agent may be implemented differently in other systems, such as in a hardware module.”) ([HOLEMAN, para. 0063] “As mentioned, cache logic 430 is operable to cache information collected by sensors 440. In some instances, cache logic 430 may be used to implement temporary storage and buffering of the collected information, particularly while endpoint analysis agent 340 is determining when and at what level of detail to forward this information over the network to network flow data analyzers and flow collectors. Cache logic 430 may also serve to retain collected information over periods of loss of network contact between agent 340 and its associated data analyzers or collectors.”).

Regarding claim 20, HOLEMAN-WAGHORN teaches all limitations of claim 19. Furthermore, this claim recites features similar to that of claim 5. Therefore, claim 20 is rejected in a similar manner as in the rejection of claim 5. WAGHORN further teaches “receive a stream of modified event records from a plurality of endpoints in an enterprise network that includes the endpoint” ([WAGHORN, para. 0094] “The data log 322 may include data from a single endpoint 310, or from a number of endpoints 310, for example where one endpoint 310 accesses a service or a file on another endpoint. This advantageously facilitates tracking or detection of potentially malicious activity that spans multiple devices, particularly where the behavior on a single endpoint does not appear malicious. Thus, the monitoring facility 330 may monitor activity from an endpoint 310 exclusively, or use the full context of activity from all protected endpoints 310, or some combination of these. Similarly, the event graph generated from the data log 322 may include activity from one endpoint 310 exclusively, or use the full context of activity from all protected endpoints 310, or some combination of these.”) ([[WAGHORN, para. 0085] “the data log 322 may be saved and transmitted to an analysis facility 340 or the like for analysis, e.g., to determine a root cause of the beacon or trigger event.”) ([WAGHORN, para. 0092] “The analysis facility 340 may create an event graph.”).
The same motivation to modify HOLEMAN with WAGHORN as in the rejection of claim 1, applies. 


Claims 18 is rejected under 35 U.S.C. 103 as being unpatentable over HOLEMAN-WAGHORN, in view of HEGLI (US-8561187-B1).
Regarding claim 18, HOLEMAN-WAGHORN teaches all limitations of claim 7. However, HOLEMAN-WAGHORN does not teach “comprising processing a stream of modified event records at the threat management facility to deduplicate one or more event records base on a reconciliation of source identifiers.”
In analogous teaching, HEGLI teaches “comprising processing a stream of modified event records at the threat management facility to deduplicate one or more event records base on a reconciliation of source identifiers.” ([HEGLI, Claim 10] “A system for prosecuting threatening Internet Protocol (IP) addresses on the Internet, the system comprising: a plurality of sensors for detecting incidents associated with one or more IP addresses and generating event data associated with the one or more IP addresses; a database for storing the event data generated by the plurality of sensors;”) ([HEGLI, Col. 5 lines 1-14] “FIG. 2 is a block diagram of one embodiment of a system 10 for identifying and prosecuting threatening IP addresses. A threat database 50 is preferably located at a threat detection server site and the threat database 50 receives data over the Internet 100 and transfers Web content reports over the Internet 100 to a client 55. The system 10 preferably includes a proxy master web filtering host 60 which controls and collects evidence and other data from a plurality of cloud based slave proxies 65 a, 65 b, 65 c, 65 d and 65 e. This system 10 preferably detects threats such as click-fraud, Botnets and malware. In this system 10, if an IP address is “convicted” of harmful or dangerous behavior, then the IP address is published on the list at vector publishing 1100. The list is constantly updated to add and remove IP addresses.”) ([HEGLI, Col. 11 lines 5-19] “A threat aging algorithm is utilized with the present invention to determine if threatening IP address should be paroled from the publication line. The threat aging algorithm is preferably performed for each of the threatening IP addresses published on the list of threatening IP addresses. The threat aging algorithm determines if an IP address should be removed by determining the threat performed by the threatening IP address, the time period on the list of threatening IP addresses, the completion of a publication period on a threatening IP addresses list by the threatening IP address, reoccurring behavior by the threatening IP address and volume of threatening events performed by the threatening IP address. If the listed IP address is no longer a threat, or no longer behaving threateningly, then the IP address is removed from the list of threatening IP addresses.”).
Thus, given the teaching of HEGLI, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of deduplicating and reconciling by HEGLI into the teaching of a receiving event data from a sensor as taught by HOLEMAN-WAGHORN. One of ordinary skill in the art would have been motivated to do so because HEGLI recognizes the need for better protection of enterprise security. ([HEGLI, Col. 1 lines 38-42] “Enterprises, and even the security solutions vendors themselves, have limited visibility into all of the malicious activity occurring on the internet, so there is a need to share data to increase visibility and gain better protection against a broader range of attacks.”).


The prior art made of record and not relied upon is considered pertinent to applicant’s
disclosure.
LYUKSHIN (US-11399036-B2) this prior art teaches of a system and method for correlating events to detect an information security incident, a correlation module may receive a plurality of network events indicating potential security violations, wherein each network event of the plurality of network events has a respective timestamp. The correlation module may identify, from the plurality of network events, a subset of network events that have occurred within a period of time, based on each respective timestamp. The correlation module may determine a plurality of potential orders of occurrence for the subset of network events. The correlation module may apply at least one correlation rule to each respective potential order of the plurality of potential orders. In response to determining that the at least one correlation rule is fulfilled, the correlation module may detect the information security incident.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AFAQ ALI whose telephone number is (571)272-1571. The examiner can normally be reached Mon - Fri 7:30am - 5:30pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AFAQ ALI/Examiner, Art Unit 2434       

/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434