DETAILED ACTION
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 8/10/2022 has been entered.

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

The applicant amended claims 1, 7-8, 14-15 and 20 in the amendment received on 6/10/2022.

Claims 1-20 are pending.

Response to Arguments
Applicant’s arguments with respect to claims 1-20 filed on 6/10/2022 have been considered but are moot in view of the new ground(s) of rejection.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Schneider et al. (U.S. Publication No. 2018/0183821 A1) in view of Weber et al. (U.S. Publication No. 2019/0238576 A1), and further in view of Huang et al. (U.S. Patent No. 10,778,702 B1).
With respect to claim 1, Schneider discloses a computer-implemented method, comprising: extracting a set of domain information from a plurality of input streams, the set of domain information including a set of domains and a set of domain characteristics describing each domain (i.e., At least one aspect is directed to a method of detecting threats in a network. The method can include a network security monitor obtaining a plurality of records for a plurality of entities that accesses a network. The plurality of records can include attributes associated with the one or more entities [extracting a set of domain information from a plurality of input streams, the set of domain information including a set of domains and a set of domain characteristics describing each domain]. The method can include the network security monitor generating a plurality of clusters from the plurality of records using a matching process. The method can include the network security monitor classifying a first cluster of the plurality of clusters as a threat cluster. The method can include the network security monitor receiving, subsequent to generating the plurality of clusters, a record from an entity that communicates via the network. The method can include the network security monitor assigning the record to the first cluster using the matching process. The method can include the network security monitor detecting, responsive to assigning the record to the first cluster, a threat associated with the entity, ¶ 6.  The network security monitor 120 can transform the attributes. For example, the transformation can include standardizing or scaling the attributes and then multiplying the attributes by the weight assigned to the attribute. Thus, the behavior can refer to the collection of aggregated and non-aggregated attributes about an entity (e.g., IPs, domains, mails, devices, connections, etc.) [entities being domains], ¶ 77). 
Schneider further discloses based on the set of domain characteristics, clustering the set of domains to generate a set of campaign clusters of related domains (i.e., Systems and methods of the present solution provide a network security monitor that can use partial information to detect upcoming threatful behaviors that can affect network infrastructure or network elements. The network security monitor can be configured with a dynamic clustering approach that facilitates extracting clusters from collected data. The network security monitor can combine the clusters with a pattern recognition technique, such as a k-Nearest Neighbors ("k-NN") technique to classify new upcoming behaviors [set of campaign clusters of related domains], ¶ 5.  The network security monitor can generate or identify clusters. Clusters can refer to groups of records that are similar to each other [set of campaign clusters of related domains]. Each group can include records that are similar to each other. Each group can have a number of records. If the number of records in the group satisfies a threshold, then the group may be considered a threatful group or normal group, ¶ 78). 
Schneider also discloses modifying the set of campaign clusters with a set of threat intelligence ratings to generate a set of enriched campaign clusters (i.e., The network security monitor can include, execute, interface with, or otherwise communicate with a data collector, a cluster generator and a classifier [set of campaign clusters with a set of threat intelligence ratings to generate a set of enriched campaign clusters]. The network security monitor can be configured to obtain a plurality of records for a plurality of entities that accesses a network. The plurality of records can include attributes associated with the one or more entities. The network security monitor can be configured to generate a plurality of clusters from the plurality of records using a matching process. The network security monitor can be configured to classify a first cluster of the plurality of clusters as a threat cluster [modifying the set of campaign clusters with a set of threat intelligence ratings to generate a set of enriched campaign clusters]. The network security monitor can be configured to receive, subsequent to generating the plurality of clusters, a record from an entity that communicates via the network. The network security monitor can be configured to assign the record to the first cluster using the matching process. The network security monitor can be configured to detect, responsive to assigning the record to the first cluster, a threat associated with the entity, ¶ 16.  The network security monitor 120 can organize, normalize, process, transform, or otherwise analyze the threat intelligence obtained by the cluster generation component 220 (or stored in database 240) to generate a list of threat indicators. 
In some embodiments, normalizing the threat intelligence data can include de-duplicating redundant data and/or transforming the threat intelligence data into a structured list of threat indicators corresponding to a threat scheme (or log format schema) [modifying the set of campaign clusters with a set of threat intelligence ratings to generate a set of enriched campaign clusters]. The network security monitor 120 can generate the list of threat indicators based on a schema for threats (e.g., threat schema or threat intelligence schema). The schema used by the network security monitor 120 organizes the aggregated threat intelligence and makes the threat intelligence database manageable and maintainable. The threat intelligence schema/format can be applied to threat indicators aggregated from different private and open source threat intelligence repositories including, (e.g., Internet Protocol address, a malware code sample, a malicious code sample, or an intrusion prevention system signature) to be structured and expressed as a list of threat indicators to allow the log correlation to identify a threat, ¶ 141). 
Schneider further discloses a portion of the set of threat intelligence ratings corresponding to one or more domains within the set of campaign clusters (i.e., The network security monitor can add the results from all the matches performed on the attributes of the two records (one represents a record from the testing set, and the other represent some cluster), such that the final result R can be [a portion of the set of threat intelligence ratings corresponding to one or more domains within the set of campaign clusters], ¶ 87.  The network security monitor 120 can organize, normalize, process, transform, or otherwise analyze the threat intelligence obtained by the cluster generation component 220 (or stored in database 240) to generate a list of threat indicators. In some embodiments, normalizing the threat intelligence data can include de-duplicating redundant data and/or transforming the threat intelligence data into a structured list of threat indicators corresponding to a threat scheme (or log format schema) [a portion of the set of threat intelligence ratings corresponding to one or more domains within the set of campaign clusters]. The network security monitor 120 can generate the list of threat indicators based on a schema for threats (e.g., threat schema or threat intelligence schema). The schema used by the network security monitor 120 organizes the aggregated threat intelligence and makes the threat intelligence database manageable and maintainable. The threat intelligence schema/format can be applied to threat indicators aggregated from different private and open source threat intelligence repositories including, (e.g., Internet Protocol address, a malware code sample, a malicious code sample, or an intrusion prevention system signature) to be structured and expressed as a list of threat indicators to allow the log correlation to identify a threat, ¶ 141). 
Schneider further discloses determining a cluster designation for each campaign cluster of the set of enriched campaign clusters (i.e., The network security monitor can be configured to assign the record to the first cluster using the matching process. The network security monitor can be configured to detect, responsive to assigning the record to the first cluster, a threat associated with the entity, ¶ 16.  The assigning of the cluster is a designation). 
Schneider also discloses distributing the cluster designations for each campaign cluster to one or more threat intelligence resource (i.e., The network security monitor can be configured to use, generate, or otherwise manipulate fuzzy logic, attributes, weights and clusters. For example, the network security monitor can use fuzzy logic when matching clusters or records. The network security monitor can also use fuzzy logic during the threat classification decision process, ¶ 74.  The threat classification is distributed among the clusters). 
Schneider may not explicitly disclose one or more campaign clusters including one or more new domains and at least one known domain, each campaign cluster including domains identified as belonging to a single campaign.
However, Weber discloses one or more campaign clusters including one or more new domains and at least one known domain, each campaign cluster including domains identified as belonging to a single campaign (i.e., In a particular embodiment, a method provides identifying a first plurality of domain names associated with a malicious domain campaign and seeding a first clustering algorithm with the first plurality of domain names. After seeding the first clustering algorithm, the method provides using the first clustering algorithm to process passive domain name system (DNS) records to identify and group a second plurality of domain names associated with the malicious domain campaign, ¶ 4.  Thus, the domain names identified from the passive DNS records are new domains, and they are clustered together with the known seed domains of the same campaign) in order to identify as many domain names associated with malicious activity (malicious domains) as possible by leveraging clustering algorithms (¶ 20).
Therefore, based on Schneider in view of Weber, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to apply the teaching of Weber to the system of Schneider in order to identify as many domain names associated with malicious activity (malicious domains) as possible by leveraging clustering algorithms.
Schneider in view of Weber may not explicitly disclose that the plurality of input streams includes a first input stream of one or more domain registrars representing newly registered domains and a set of second input streams of the one or more non-domain registrar sources containing domain information. However, Huang discloses the plurality of input streams includes a first input stream of one or more domain registrars representing newly registered domains and a set of second input streams of the one or more non-domain registrar sources containing domain information (i.e., In some implementations, users are able to filter out unhelpful indicators coming into their organization by setting a threshold of the confidence values. Since millions of indicators are ingested every week, data quality is important [the plurality of input streams], column 2 ¶ 3.  In some implementations, the matching IOCs comes from a variety of sources with varying quality levels. Consequently, users need to effectively filter this stream of matching indicators. Organizations that under-filter are inundated with excessive actionable issues that they are not appropriately staffed to address and accordingly malicious traffic may be ignored [the plurality of input streams], column 2 ¶ 4.  Each item of domain registration information is sometimes referred to as a “feature” or an “attribute.” For example, each of “registrant name,” “Creation Date,” “Registrar,” and “registrant email address” is a feature or an attribute of the domain. The domain registration features can indicate whether certain entities have a higher tendency of registering domains associated with malicious sites, as well as whether a site is newly registered [a first input stream of one or more domain registrars representing newly registered domains], column 4, last ¶.  In some implementations, in accordance with the execution of software that is known to be malicious or benign, the sandbox 106 identifies domain names or URLs associated with the malicious files 112, identifies domain names or URLs associated with the benign files 114, and assigns respective domain reputations 108 to the domain names or URLs [includes a first input stream of one or more domain registrars representing newly registered domains]. 
For example, domains or URLs that the malicious files 112 attempt to contact are classified as having a “bad” or “malicious” reputation whereas domains or URLs that the benign files 114 attempt to contact are classified as having a “good” or “benign” reputation. The domain names, registration information, and associated reputations 108 are stored in a sandbox features database 110, column 6 ¶ 2.  In some implementations, after identifying the domains and their classifications from the software execution, the sandbox 106 sends information about the identified domains to the web crawler 204. The web crawler 204 crawls the Internet 208 to obtain web-linking data on the domains that have been identified by the sandbox 106. In some implementations, the web crawler analyzes the data from web crawling and generates web-linking features associated with the domains [a set of second input streams of the one or more non-domain registrar sources containing domain information]. The web-crawling data, including web-linking data, are stored in the raw data store 314, column 9 ¶ 5. In some implementations, the feature vectors are viewed as rows of data in a table, with each feature corresponding to a defined column. This is illustrated in FIG. 5; training data 442, including data for domains that are already classified; weighting data 444, including weight assignments for features within a single classifier and/or weights used to combine the results of multiple classifiers; sandbox feature data 110, including data generated by the sandbox 106 [a set of second input streams of the one or more non-domain registrar sources containing domain information]; domain registration data 104, including data about registered domain owners retrieved from one or more domain registrars [the plurality of input streams includes a first input stream of one or more domain registrars representing newly registered domains]; and other features, such as geographical information about the IP address [a set of second input streams of the one or more non-domain registrar sources containing domain information], column 13 ¶ 1.  In some implementations, the table 500 and at least some of its entries are generated by the classifier system 320 using data in the raw data store 314. In some implementations, the features include both web-linking features that are obtained by web crawling (e.g., Features 2, 3, and 4) and domain registration features that are obtained from domain registrars [both a first input stream of one or more domain registrars representing newly registered domains and a second input streams of the one or more non-domain registrar sources containing domain information], column 13, last ¶.  In some implementations, one or more of the feature values is obtained from the web crawling cache. In some implementations, the features include (808) one or more features extracted from domain registration data. 
For example, the features extracted from domain registration data can include one or more of: the domain name, the IP address(es), URL(s), TLD(s), data about the registrant (e.g., name, email address, mailing address, city of residence, country of residence), the registrar, date of domain expiration, date of the latest update, and other information associated with the domain registration record. In some implementations, the domain registration data is obtained from partners of the domain analysis system in a partner data feed 218 [a set of second input streams of the one or more non-domain registrar sources containing domain information], column 18 ¶ 5) in order to effectively classify unknown domains by using a web crawler that clusters the web pages crawled according to domains (or domain names) (column 2 ¶ 6 and column 7 ¶ 6).
Huang also discloses generating enriched domain information by correlating the set of domain information from the first input stream and the set of second input streams, the enriched domain information inserting missing data into domain information of a specified input stream from another input stream of the plurality of input streams (i.e., The function ƒ can include both arithmetic and Boolean logic. In some instances, not all of the feature information is available for a domain, in which case the corresponding feature components are blank or NULL [missing data]. For example, if a web domain was not included in the most recent web crawl, there may be no information about back links or any of the other web-linking features. …This is illustrated in FIG. 5; training data 442, including data for domains that are already classified; weighting data 444, including weight assignments for features within a single classifier and/or weights used to combine the results of multiple classifiers; sandbox feature data 110, including data generated by the sandbox 106; domain registration data 104, including data about registered domain owners retrieved from one or more domain registrars; and other features, such as geographical information about the IP address [generating enriched domain information by correlating the set of domain information from the first input stream and the set of second input streams, the enriched domain information inserting missing data into domain information of a specified input stream from another input stream of the plurality of input streams], column 13 ¶ 1.  In some implementations, the table 500 and at least some of its entries are generated by the classifier system 320 using data in the raw data store 314. In some implementations, the features include both web-linking features that are obtained by web crawling (e.g., Features 2, 3, and 4) and domain registration features that are obtained from domain registrars, column 13, last ¶.  
In some implementations, one or more of the feature values is obtained from the web crawling cache. In some implementations, the features include (808) one or more features extracted from domain registration data. For example, the features extracted from domain registration data can include one or more of: the domain name, the IP address(es), URL(s), TLD(s), data about the registrant (e.g., name, email address, mailing address, city of residence, country of residence), the registrar, date of domain expiration, date of the latest update, and other information associated with the domain registration record. In some implementations, the domain registration data is obtained from partners of the domain analysis system in a partner data feed 218, column 18 ¶ 5.  In some implementations, the previous web crawling populates (810) the data cache recursively by querying hyperlinks associated with domains previously identified by the web crawling. For a given domain the number of web hyperlinks that point to the domain forms a feature called “backlinks.”, column 18 ¶ 6). 
Huang further discloses based on the set of domain characteristics and the enriched domain information, clustering the set of domains to generate a set of campaign clusters of related domains (i.e., In some implementations, the web crawler 204 clusters the web pages crawled according to domains (or domain names) [based on the set of domain characteristics and the enriched domain information, clustering the set of domains to generate a set of campaign clusters of related domains]. The web crawler 204 analyzes crawled data and generates analytics for web-linking characteristics of domains that are obtained from the web crawling. The web-linking characteristics for each domain includes: (i) the number of unique publicly accessible URIs that were found to be hosted on the domain; (ii) the count of backlinks 210 referencing the domain (a backlink occurs when an originating website hyperlinks to a destination website, in which case the destination website has one backlink from the originator); (iii) the count of unique domain names in referring backlinks (such domains are referred to as linking root domains); (iv) the count of unique IP addresses in the domain names of the referring backlinks 212; (v) the count of the unique IP address groups in the domain names of the referring backlinks (e.g., subnetworks or subnets); and (vi) the relative proportion of hyperlinks to the domain from popular websites. In some implementations, each of the web-linking characteristics is known as a “feature” or an “attribute, column 7 last ¶ - column 8 first ¶). 
Therefore, based on Schneider in view of Weber, and further in view of Huang, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to apply the teaching of Huang to the system of Schneider and Weber in order to effectively classify unknown domains by using a web crawler that clusters the web pages crawled according to domains (or domain names).
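The following listing is an illustrative example added in editing; it is not part of this Office action, the pending claims, or the cited references (Schneider, Weber, Huang). It walks the limitations of claim 1 as mapped above in working code: a registrar stream of newly registered domains and two non-registrar streams are correlated so that a field missing from one stream is filled from another, the domains are then clustered on a key built from domain characteristics, threat-intelligence ratings are attached to each cluster, and a designation is determined per cluster. Every feed, domain name, address and rating is constructed, and the field names, the choice of (registrant e-mail, name server) as the cluster key, and the "campaign / known / unrated" designations are assumptions made for illustration only.

```python
"""Constructed example: ingest domain information from a registrar stream and
two non-registrar streams, fill missing fields across streams, cluster on
domain characteristics, attach threat-intelligence ratings and designate
each cluster. All feeds, domains, addresses and ratings are hypothetical."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DomainInfo:
    domain: str
    registrar: Optional[str] = None
    registrant_email: Optional[str] = None
    creation_date: Optional[str] = None
    name_server: Optional[str] = None
    ip: Optional[str] = None
    sources: set = field(default_factory=set)   # streams that mentioned the domain


# First input stream (constructed): newly registered domains reported by registrars.
REGISTRAR_FEED = [
    {"domain": "secure-login-update.example", "registrar": "RegA",
     "registrant_email": "ops@mailbox.example", "creation_date": "2022-06-01",
     "name_server": "ns1.hoster.example"},
    {"domain": "account-verify-now.example", "registrar": "RegA",
     "registrant_email": "ops@mailbox.example", "creation_date": "2022-06-02",
     "name_server": None},            # registrar record lacks the name server
    {"domain": "cloud-storage-sync.example", "registrar": "RegB",
     "registrant_email": "other@mailbox.example", "creation_date": "2022-06-03",
     "name_server": "ns9.other.example"},
]
# Second input streams (constructed): passive DNS and sandbox observations.
PASSIVE_DNS_FEED = [
    {"domain": "account-verify-now.example", "name_server": "ns1.hoster.example",
     "ip": "203.0.113.10"},
    {"domain": "secure-login-update.example", "ip": "203.0.113.10"},
    {"domain": "known-bad-portal.example", "name_server": "ns1.hoster.example",
     "ip": "203.0.113.10", "registrant_email": "ops@mailbox.example"},
]
SANDBOX_FEED = [{"domain": "cloud-storage-sync.example", "ip": "198.51.100.7"}]
# Threat-intelligence ratings (constructed) for domains a TI repository already knows.
THREAT_INTEL = {"known-bad-portal.example": "malicious"}


def extract_and_enrich(streams):
    """Merge records across streams. A later stream fills a field the earlier
    record left missing (None) but never overwrites a value already present."""
    merged = {}
    for stream_name, feed in streams:
        for rec in feed:
            info = merged.setdefault(rec["domain"], DomainInfo(rec["domain"]))
            info.sources.add(stream_name)
            for attr, value in rec.items():
                if attr != "domain" and value is not None and getattr(info, attr) is None:
                    setattr(info, attr, value)
    return merged


def cluster_by_keys(domains, key_fields):
    """Group domains whose selected characteristics (the cluster key) are identical."""
    clusters = defaultdict(list)
    for info in domains.values():
        key = tuple(getattr(info, f) for f in key_fields)
        if None in key:
            continue    # an unknown characteristic cannot serve as a key
        clusters[key].append(info.domain)
    return dict(clusters)


def designate(clusters, domains, threat_intel):
    """Attach TI ratings to each cluster and assign a designation: a cluster that
    mixes at least one TI-rated (known) domain with newly registered domains is
    treated as a campaign cluster (assumed designation rule)."""
    result = {}
    for key, members in clusters.items():
        known = [m for m in members if m in threat_intel]
        new = [m for m in members
               if m not in threat_intel and "registrar" in domains[m].sources]
        if known and new:
            designation = "campaign"
        elif known:
            designation = "known"
        else:
            designation = "unrated"
        result[key] = {"members": members,
                       "ratings": {m: threat_intel.get(m) for m in members},
                       "designation": designation}
    return result


def run_pipeline():
    domains = extract_and_enrich([("registrar", REGISTRAR_FEED),
                                  ("passive_dns", PASSIVE_DNS_FEED),
                                  ("sandbox", SANDBOX_FEED)])
    clusters = cluster_by_keys(domains, ("registrant_email", "name_server"))
    return domains, designate(clusters, domains, THREAT_INTEL)


if __name__ == "__main__":
    _, designated = run_pipeline()
    for key, cluster in designated.items():
        print(key, cluster["designation"], cluster["members"])
```

Note that the registrar record for account-verify-now.example could not have been keyed on its name server at all until the passive DNS stream supplied it; the enrichment step is what lets that newly registered domain fall into the same cluster as the TI-rated known-bad-portal.example, which is the combination of new and known domains the rejection attributes to Weber.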

With respect to claim 2, Schneider discloses wherein clustering the set of domains further comprises: determining a first set of cluster keys for a first subset of domain characteristics of the set of domain characteristics (i.e., For example, the data collection component 210 can receive the logs via interface 205 or another interface of the data collection component 210. The data collection component 210 can receive the logs securely from the protected network 204 (e.g., an encrypted network, password protected network, access restricted network, time restricted network, etc.). The data collection component 210 may receive, request, retrieve or obtain logs from the protected network 204 that indicate a status of the protected network. The logs may indicate network activity on the protected network 204 including, e.g., threats, traffic, email, performance authentication, authorization and accounting (AAA), VPN, and access control information. Each log may have a log identifier and indicate information associated with the network activity such as device identifiers, time stamps, domains, level of severity of the log event, source port of the session, source internet protocol (IP) of the session, destination IP of the session, reference URL, etc. Tables 1-8 are an illustrative example of the type of information that can be obtained or determined by the data collection component 210 to provide the records or attributes or values [determining a first set of cluster keys for a first subset of domain characteristics of the set of domain characteristics], ¶ 131). 
Schneider also discloses clustering the set of domains to generate a first set of campaign clusters based on the first set of cluster keys (i.e., At least one aspect is directed to a method of detecting threats in a network. The method can include a network security monitor obtaining a plurality of records for a plurality of entities that accesses a network. The plurality of records can include attributes associated with the one or more entities. The method can include the network security monitor generating a plurality of clusters from the plurality of records using a matching process [clustering the set of domains to generate a first set of campaign clusters], ¶ 6.  The network security monitor 120 can include, interface with, access or otherwise communicate with a weighting component 215 (or weighter) that applies or assigns weights to attributes or variables of the data collected by the data collection component 210. The network security monitor 120 can include, interface with, access or otherwise communicate with a cluster generation component 220 (or cluster generator) that can generate groups of records that are closely similar to each other [based on the first set of cluster keys]. The network security monitor 120 can include, interface with, access or otherwise communicate with a tuning component 230 (or tuner) that can perform a self-learning process to identify values for variables that improve the clustering and classification process. The network security monitor 120 can include, interface with, access or otherwise communicate with a classifier component 225 (or classifier) to classify a record or behavior as a threat or not a threat. The network security monitor 120 can include, interface with, access or otherwise communicate with a database or data repository 240 that stores, in or more data structures or data files, include logs, attributes, weights, clusters, and records. 
The network security monitor 120 can generate a report based on whether or not a threat is detected in the networks 204 or 104, and communicate the report to a client 102a-n via the network 204 or 104 or other entity. The network security monitor 120 can, responsive to detecting the threat, control a function of the affected network entity 240 or element. For example, the network security monitor 120 can, responsive to detecting the threat, disable the network entity 240 or element, restart the network entity 240 or element, reset the network entity 240 or element, repair the network entity 240 or element, patch or update the network entity 240 or element, or otherwise eliminate or remove the threat affecting the network entity 240 or element, ¶ 127). 

With respect to claim 3, Schneider discloses wherein clustering the set of domains further comprises: determining a second set of cluster keys based on a second subset of domain characteristics of the set of domain characteristics (i.e., For example, the data collection component 210 can receive the logs via interface 205 or another interface of the data collection component 210. The data collection component 210 can receive the logs securely from the protected network 204 (e.g., an encrypted network, password protected network, access restricted network, time restricted network, etc.). The data collection component 210 may receive, request, retrieve or obtain logs from the protected network 204 that indicate a status of the protected network. The logs may indicate network activity on the protected network 204 including, e.g., threats, traffic, email, performance authentication, authorization and accounting (AAA), VPN, and access control information. Each log may have a log identifier and indicate information associated with the network activity such as device identifiers, time stamps, domains, level of severity of the log event, source port of the session, source internet protocol (IP) of the session, destination IP of the session, reference URL, etc. Tables 1-8 are an illustrative example of the type of information that can be obtained or determined by the data collection component 210 to provide the records or attributes or values [determining a second set of cluster keys based on a second subset of domain characteristics of the set of domain characteristics], ¶ 131.  The identifiers would be different for different clusters, including a second, third, fourth, fifth, etc. set of identifiers/keys.  The cluster generation component 220 can create the clusters using a fixed cluster creation technique or a variable cluster creation technique. In fixed cluster construction, the cluster generation component 220 can identify a priori the number of clusters to create. 
For example, an administrator or user of the network security monitor 120 can provide or otherwise indicate the number of cluster to create. The number of clusters to create can be stored in database 235. In variable cluster construction, the cluster generation component 220 can determine the number of clusters to create based on a set of parameters. For example, the network security monitor can determine an optimal or beneficial number of clusters to create. The optimal or beneficial number of clusters to create can be based on the types of records identified, the desired amount of cluster separation, or resource availability (e.g., processing capacity, memory availability, bandwidth usage). In some cases, the network security monitor 120 can apply a machine learning technique or tuning technique to determine the optimal number of clusters to create, ¶ 147.  Each cluster would have a different identifier/key). 
Schneider further discloses clustering the first set of campaign clusters to generate a second set of campaign clusters based on the second set of cluster keys (i.e., For example, the network security monitor can select, choose, identify or otherwise obtain a record and assign (or temporarily assign or associate) the record to a first cluster (or default cluster or initial cluster). The network security monitor can then match the data in the record against the first cluster. If R, as described in Equation 1, satisfies (e.g., greater than or equal to) a threshold T, then the network security monitor can add the record to the cluster. If R does not satisfy (e.g., less than) the threshold then the network security monitor can create a second cluster and assign the new record as the center of the second cluster. The network security monitor can repeat the process until some or all the records are assigned to clusters [clustering the first set of campaign clusters to generate a second set of campaign clusters], ¶ 90.  Each log may have a log identifier and indicate information associated with the network activity such as device identifiers, time stamps, domains, level of severity of the log event, source port of the session, source internet protocol (IP) of the session, destination IP of the session, reference URL, etc. Tables 1-8 are an illustrative example of the type of information that can be obtained or determined by the data collection component 210 to provide the records or attributes or values [based on the second set of cluster keys], ¶ 131.  The identifiers would be different for different clusters, including a second, third, fourth, fifth, etc. set of identifiers/keys.  The cluster generation component 220 can create the clusters using a fixed cluster creation technique or a variable cluster creation technique. 
In fixed cluster construction, the cluster generation component 220 can identify a priori the number of clusters to create [clustering the first set of campaign clusters to generate a second set of campaign clusters]. For example, an administrator or user of the network security monitor 120 can provide or otherwise indicate the number of cluster to create. The number of clusters to create can be stored in database 235. In variable cluster construction, the cluster generation component 220 can determine the number of clusters to create based on a set of parameters. For example, the network security monitor can determine an optimal or beneficial number of clusters to create. The optimal or beneficial number of clusters to create can be based on the types of records identified, the desired amount of cluster separation, or resource availability (e.g., processing capacity, memory availability, bandwidth usage). In some cases, the network security monitor 120 can apply a machine learning technique or tuning technique to determine the optimal number of clusters to create, ¶ 147.  Each cluster would have a different identifier/key). 

With respect to claim 4, Schneider discloses generating a time-based cache for the set of domains, the time-based cache storing the set of domain information within a specified time range (i.e., The data collection component 210 can obtain the logs based on a time interval. In some embodiments, the data collection component 210 may continuously receive logs in real-time, e.g., as logs are created. In some embodiments, the data collection component 210 may receive the logs based on a time interval or in a batch process (e.g., multiple logs stored in one or more data files). For example, the data collection component 210 may receive logs hourly, every 12 hours, every 24 hours, weekly, every two weeks, or any other time interval set by an administrator of the network security monitor 120 that facilitates managing the security of the protected network 204. In some embodiments, the network security monitor 120, e.g., via the data collection component 210, may receive logs responsive to a request for logs, ¶ 132). 
Schneider further discloses wherein the set of domains are clustered based on the set of domain information and the specified time range (i.e., The network security monitor can obtain or identify attributes. Attributes can refer to raw logs that are normalized and parsed. The network security monitor can extract attributes about several entities and aggregate the attributes about the several entities. The network security monitor can extract the aggregated attributes at a desired time, ¶ 75.  Also see ¶ 135 with the restriction of time based attributes for forming clusters). 

With respect to claim 5, Schneider discloses wherein modifying the set of campaign clusters with the set of threat intelligence ratings further comprises: identifying one or more threat intelligence scores (i.e., The network security monitor can be configured to use, generate, or otherwise manipulate fuzzy logic, attributes, weights and clusters. For example, the network security monitor can use fuzzy logic when matching clusters or records. The network security monitor can also use fuzzy logic during the threat classification decision process, ¶ 74.  The network security monitor can generate or use weights. For example, the data collected and analyzed by the network security monitor can include many attributes. Some of these aggregated attributes may be more important (or influential) than others. This importance can be translated as the "weight" of the attribute (or variable). The network security monitor can take the weight into an account during the decision process [identifying one or more threat intelligence scores], ¶ 76.  The network security monitor 120 can transform the attributes. For example, the transformation can include standardizing or scaling the attributes and then multiplying the attributes by the weight assigned to the attribute. Thus, the behavior can refer to the collection of aggregated and non-aggregated attributes about an entity (e.g., IPs, domains, mails, devices, connections, etc.), ¶ 77). 
Schneider also discloses generating the set of threat intelligence ratings based on the one or more threat intelligence scores (i.e., In some embodiments, the matching process includes at least one of a fuzzy logic algorithm or a k-nearest neighbors technique. The network security monitor can weight the attributes associated with the one or more entities, and generate the clusters using the matching process and the weighted attributes, ¶ 9.  The network security monitor can generate or identify clusters. Clusters can refer to groups of records that are similar to each other. Each group can include records that are similar to each other. Each group can have a number of records. If the number of records in the group satisfies a threshold, then the group may be considered a threatful group or normal group, ¶ 78). 
Schneider also discloses applying a threat intelligence rating to each campaign cluster of the set of campaign clusters (i.e., In some embodiments, the matching process includes at least one of a fuzzy logic algorithm or a k-nearest neighbors technique. The network security monitor can weight the attributes associated with the one or more entities, and generate the clusters using the matching process and the weighted attributes, ¶ 9.  The network security monitor can generate or identify clusters. Clusters can refer to groups of records that are similar to each other. Each group can include records that are similar to each other. Each group can have a number of records. If the number of records in the group satisfies a threshold, then the group may be considered a threatful group or normal group [applying a threat intelligence rating to each campaign cluster of the set of campaign clusters], ¶ 78). 

With respect to claim 6, Schneider discloses wherein determining the cluster designation for each campaign cluster further comprises: classifying the set of threat intelligence ratings to generate a set of threat classes, each threat class indicating a campaign nature (i.e., The network security monitor can be configured to classify a first cluster of the plurality of clusters as a threat cluster, ¶ 6.  The network security monitor 120 can include, interface with, access or otherwise communicate with a classifier component 225 (or classifier) to classify a record or behavior as a threat or not a threat.  The network security monitor 120 can, responsive to detecting the threat, control a function of the affected network entity 240 or element. For example, the network security monitor 120 can, responsive to detecting the threat, disable the network entity 240 or element, restart the network entity 240 or element, reset the network entity 240 or element, repair the network entity 240 or element, patch or update the network entity 240 or element, or otherwise eliminate or remove the threat affecting the network entity 240 or element, ¶ 127.  The data collection component 210 can parse, analyze, or otherwise process received logs to determine a type of log (e.g., threat log, email log, traffic log, authentication log, etc.), and one or more parameters or fields associated with the log. The data collection component 210 can then index the log based on the type of log (e.g., threat log), and organize the data or parameters associated with the log using a log format or schema, ¶ 138.  Also see Table 1 field name: Type (threat) for the classifying to generate a set of threat classes, each threat class indicating a campaign nature). 
Schneider further discloses applying a threat class of the set of threat classes to each campaign cluster (i.e., The data collection component 210 can parse, analyze, or otherwise process received logs to determine a type of log (e.g., threat log, email log, traffic log, authentication log, etc.), and one or more parameters or fields associated with the log. The data collection component 210 can then index the log based on the type of log (e.g., threat log), and organize the data or parameters associated with the log using a log format or schema, ¶ 138.  For example, table 1 illustrates an embodiment of a log format or schema for mapping received logs to indexed threat logs, ¶ 139. Also see Table 1 field name: Type (threat) and subtype for applying a threat class of the set of threat classes to each campaign cluster). 

With respect to claim 7, Schneider discloses wherein clustering the set of domains further comprises: monitoring the plurality of input streams to identify subsequent domain information including a subsequent set of domains (i.e., The network security monitor can repeat the process until some or all the records are assigned to clusters, ¶ 90). 
Schneider also discloses iteratively clustering the set of domain clusters to incorporate the subsequent set of domains into one or more campaign clusters of the set of campaign clusters (i.e., The network security monitor can update centers of the clusters, ¶ 91.  The network security monitor can test the clusters by repeating the matching process to determine that records did not move out of one cluster and into another cluster. By testing the clusters after updating the centers, the network security monitor can improve the stability of the cluster generation process. If the network security monitor determines a change, then the network security monitor can determine the value R using Equation 1, and then assign records to a corresponding cluster, and then update the center of the cluster, ¶ 92). 

With respect to claims 8 and 15, the limitations of claims 8 and 15 are rejected in the analysis of claim 1 above, and the claims are rejected on that basis.

With respect to claims 9 and 16, the limitations of claims 9 and 16 are rejected in the analysis of claim 2 above, and the claims are rejected on that basis.

With respect to claims 10 and 17, the limitations of claims 10 and 17 are rejected in the analysis of claim 3 above, and the claims are rejected on that basis.

With respect to claim 11, the limitations of claim 11 are rejected in the analysis of claim 4 above, and the claim is rejected on that basis.

With respect to claims 12 and 18, the limitations of claims 12 and 18 are rejected in the analysis of claim 5 above, and the claims are rejected on that basis.

With respect to claims 13 and 19, the limitations of claims 13 and 19 are rejected in the analysis of claim 6 above, and the claims are rejected on that basis.

With respect to claims 14 and 20, the limitations of claims 14 and 20 are rejected in the analysis of claim 7 above, and the claims are rejected on that basis.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAREN M MEANS whose telephone number is (571)270-7202.  The examiner can normally be reached from 12pm-6pm ET.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joon Hwang can be reached on 571-272-4036.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
Jaren M. Means
/J.M.M./
Patent Examiner
Art Unit 2447
10/12/2022

/JOON H HWANG/Supervisory Patent Examiner, Art Unit 2447