DETAILED ACTION
- Claims 1, 3-7, 9, 11, 13-17 and 19-20 have been amended.
- Claims 1-20 are pending.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant’s arguments filed on 9/9/2022 have been fully considered.
- With respect to the 112(f) interpretation, the amendment did not omit the language that was interpreted under 112(f).
- Remaining arguments are moot in view of the new ground of rejection.

Claim Interpretation 112(f)
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are:
“obfuscation analysis module configured to….”  in claim 3. [described in 0064].
“user activity analysis module configured to….”  in claim 4. [described in 0065].
“target domain analysis module configured to….”  in claims 5 and 6. [described in 0066].
“user access analysis module configured to….”  in claim 2. [described in 0067].
In addition, paragraphs [0049] and [0068] of the specification describe the analysis modules as program modules of the Neural Network computing platform. Paragraph [0020] of the specification provides sufficient corresponding structure.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

 	Claims 1-20 are rejected under 35 USC 103 as being unpatentable over Levy et al (US 20190319987 A1) in view of Yampolsky (US 9,294,498B1).
Re claim 1. Levy discloses a neural network analysis computing platform comprising: at least one processor (i.e. In general, the compute instance may be configured, e.g., by computer executable code stored in a memory and executing on a processor, to detect one or more events associated with the compute instance and report an event vector including the one or more events to a remote resource.) [Levy, para. 0204]; a communication interface communicatively coupled to the at least one processor (i.e. These techniques may be used to create an entity model 1420 for any of the entities described herein, including without limitation physical hardware items, virtualized items, software items, data and data stores, programming interfaces, communications interfaces, remote resources, and so forth, or any of the other entities, computing objects, assets or the like described herein) [Levy, para.0168]; and memory storing computer-readable instructions that, when executed by the at least one processor, cause the neural network analysis computing platform to: (i.e. It should be understood that any suitable recognition model may be used. For example, a neural network or other model may be trained using machine learning using, which may use inputs as described above for feature vectors.) [Levy, para.0104]; receive, from a user device, a first event data associated with a first event; input, into a plurality of event analysis modules, the first event data (i.e. Thus for example, a request for access to a network resource may be an event 1406. When such a request is initiated by a user, an event vector 1410 for that user may be created and reported along with other temporally adjacent or otherwise related events 1406 associated with that user. Where the network request involves an interaction with, e.g., an authentication and identity management system, this may be represented as another entity, or as an event 1406 (or group of events 1406) in the event vector 1410 for the user. 
At the same time, a second event vector 1410 for the compute instance 1402 may also be created and reported along with other temporally adjacent or otherwise related events 1406 associated with that compute instance 1402…………….. The event vectors 1410 may be received by the threat management facility 1412 and stored as an event stream 1414 in a data repository 1416,………………………In general, an analysis module 1418 may analyze the event stream 1414 to identify patterns of events 1406 within the event stream 1414 useful for identifying unusual or suspicious behavior. In one aspect, this may include creating entity models 1420 that characterize behavior of entities, such as any of the entities described herein…. The entity models 1420 may, for example, be vector representations or the like of different events 1406 expected for or associated with an entity, and may also include information about the frequency, magnitude, or pattern of occurrence for each such event 1406. In one aspect, the entity model 1420 may be based on an entity type (e.g., a particular type of laptop, or a particular application), which may have a related event schema that defines the types of events 1406 that are associated with that entity type.) [Levy, para.0163-0166, Fig. 14 depicts a plurality of modules: analysis 1418, entity models 1420 and detection engine 1422]; 
Levy does not explicitly disclose whereas Levy in view of Yampolsky does: receive, from each of the plurality of event analysis modules and based on the first event data, a plurality of risk scores (i.e. Security signal collection module 210 collects one or more types of data that relate to the cybersecurity risks associated with an entity. Security signal collection module 210 comprises submodules that collect different types of data from a predefined “threat sphere.”) [Yampolsky, col.7, Fig.2]; (i.e. collecting, by a processor, one or more types of data associated with an entity. the method can also comprises intrusively collecting a portion of the one or more types of data associated with the entity, wherein the one or more types of data includes the intrusively-collected portion of the one or more types of data. In addition, the one or more types of data includes data associated with social engineering, malware and botnet infections, application vulnerabilities, breach history, network exploits, DNS health; patching cadence, and leaked employee credentials. At block 604, method 600 includes calculating, by the processor, a security score for at least one of the one or more types of data based, at least in part, on processing of security information extracted from the at least one type of data, wherein the security information is indicative of a level of cybersecurity) [Yampolsky, col.24]; generate a modified plurality of risk scores by modifying, based on a security flag associated with the first event data, a first risk score of the plurality of risk scores (i.e. The contextualization and attribution module 220 can also comprises a normalization module 224 and a weighting module 226 to normalize and/or weight a preliminary security score determined based on a raw scoring of the extracted security data. 
The normalization and/or weighting of a preliminary score may depend on multiple factors, such as, for example, the size of the entity, the relationship between the extracted information and overall cybersecurity performance, and the type of data collected) [Yampolsky, col.7]; input the modified plurality of risk scores into a [neural network] model, wherein inputting the modified plurality of risk scores into the [neural network] model causes the [neural network] model to output a risk level value associated with the first event (i.e. The contextualization and attribution module 220 can also comprises a machine learning module 228 to identify and update which factors most significantly affect an entity's cybersecurity. This information can be used to further contextualize the collected data. For example, the security scores identified as being the most relevant may then be normalized and/or weighted to account for their relevancy. The contextualization process can also comprises applying temporal adjustments to security data or calculated security scores based on the time span between an event that generated the security data and the current date..………………the benchmarking module 230 comprises a scoring module 232 to obtain the overall cybersecurity risk score for an entity based on the contextualization of the entity's security data and processing of scores for each of the different types of security data collected for the entity) [Yampolsky, col.7 last paragraph, col.8 first two paragraphs], Levy discloses the model being a neural network (i.e. such as neural network classifiers or other classifiers that may be trained by machine learning) [Levy, para.0061].
 	It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Levy with Yampolsky because Yampolsky provides weighing the calculated scores to improve the accuracy of the calculated score. For example, the scorecard system 200 may use weighting module 226 to weigh one or more of the calculated security scores. For example, calculated security scores can be assigned weights based on a correlation between the extracted security information and its impact on the overall cybersecurity risk of an entity [Yampolsky, col.16, last 3 lines, col.17, first 3 lines]; 
 	Levy further discloses: input data associated with the risk level value into a decision engine, wherein inputting the data associated with the risk level value into the decision engine causes the decision engine to output one or more reactionary commands based on the risk level value (i.e. may include responding to the first risk score. For example, when the first risk score exceeds a first threshold, the method 1500 may include deploying a first remedial action for the compute instance from the local security agent. In this context, the remedial action may be any remedial action including threat responses, security updates and patches, quarantines, changes in privileges or network capabilities, increased monitoring, forensic data capture, manual intervention, and so forth. ……………the threat management facility may be configured to deploy a remedial measure for the compute instance when at least one of the first risk score and the second risk score exceeds a threshold. As described herein, the first risk score may be indicative of deviations from an activity baseline for the event vectors for the compute instance. The activity baseline may be determined based on a historical window of event vectors for the compute instance. … when the second risk score exceeds a second threshold, the method 1500 may include deploying a second remedial action for the compute instance, such as any of the remedial actions or other responses described herein, from the threat management facility) [Levy, para.0180-0185]; generate one or more system reconfiguration instructions associated with the one or more reactionary commands (i.e. deployment of security patches or fixes, and so forth. This may also in policy updates. 
For example, security policies for compute instances 1402, users, applications or the like may be updated to security settings that impose stricter controls or limits on activity including, e.g., limits on network activity (bandwidth, data quotas, permitted network addresses, etc.), limits on system changes (e.g., registry entries, certain system calls, etc.), limits on file activity (e.g., changes to file permissions), increased levels of local activity monitoring) [Levy, para.0174]; and send, to the user device, the one or more system reconfiguration instructions associated with the one or more reactionary commands (i.e. communicating with local security agents on the compute instances through a second interface of the threat management facility, e.g., to deploy security measures or otherwise coordinate security policies and the like within the enterprise network, such as by delivering patches, dictionary updates, and remediations to compute instances from remote providers of security services) [Levy, para.0226], wherein sending the one or more system reconfiguration instructions associated with the one or more reactionary commands to the user device causes the user device to modify one or more security settings of the user device based on the one or more system reconfiguration instructions associated with the one or more reactionary commands. (i.e. configuration management may define acceptable or required configurations for the compute instances 10-26, applications, operating systems, hardware, or other assets, and manage changes to these configurations. Assessment of a configuration may be made against standard configuration policies, detection of configuration changes, remediation of improper configurations, application of new configurations, and so on. An enterprise facility may have a set of standard configuration rules and policies for particular compute instances which may represent a desired state of the compute instance. 
For example, on a given compute instance 12, 14, 18, a version of a client firewall may be required to be running and installed. If the required version is installed but in a disabled state, the policy violation may prevent access to data or network resources. A remediation may be to enable the firewall. In another example, a configuration policy may disallow the use of USB disks, and policy management 112 may require a configuration that turns off USB drive access via a registry key of a compute instance) [Levy, para.0053, see also 0181].
Re claims 11 and 20. These claims recite features similar to those in claim 1, therefore they are rejected in a similar manner.
Re claims 2 and 12. Levy and Yampolsky disclose the features of claims 1 and 11, Levy further discloses memory storing computer-readable instructions that, when executed by the at least one processor, cause the neural network analysis computing platform to: update the neural network model (i.e. definitions also may include, for example, code or data to be used in a classifier, such as a neural network or other classifier that may be trained using machine learning) [Levy, para.0057],
 	Levy in view of Yampolsky further discloses: based on a result of the analyzing the first event and based on the risk level value, wherein updating the neural network model comprises updating a first node, of the neural network model, that is associated with a first event analysis module of the plurality of event analysis modules (i.e. The contextualization and attribution module 220 can also comprises a machine learning module 228 to identify and update which factors most significantly affect an entity's cybersecurity. This information can be used to further contextualize the collected data. For example, the security scores identified as being the most relevant may then be normalized and/or weighted to account for their relevancy. The contextualization process can also comprises applying temporal adjustments to security data or calculated security scores based on the time span between an event that generated the security data and the current date.) [Yampolsky, col.7-8], Levy discloses the model being a neural network [Levy, para.0057].
The same motivation to modify with Yampolsky, as in claim 1, applies.
Re claims 3 and 13. Levy and Yampolsky disclose the features of claims 2 and 12, Levy further discloses: wherein the first event analysis module is configured to detect, within the first event data associated with the first event, one or more of encrypted files, multi-level file embedding, or files embedded within an object. (i.e. …the valuation model may estimate value based on one or more of encryption status, file type, file usage history, file creation date, file modification date, file content, and file author) [Levy, para.0111].
Re claims 4 and 14. Levy and Yampolsky disclose the features of claims 2 and 12, Levy further discloses: wherein the first event analysis module is configured to analyze historical data of a user associated with the first event. (i.e. the event vectors 1410 may be organized around entities. Thus for example, a request for access to a network resource may be an event 1406. When such a request is initiated by a user, an event vector 1410 for that user may be created and reported along with other temporally adjacent or otherwise related events 1406 associated with that user) [Levy, para. 0163], (i.e. The activity baseline may be determined based on a historical window of event vectors for the compute instance) [Levy, para.0187].
Re claims 5 and 15. Levy and Yampolsky disclose the features of claims 2 and 12, Levy further discloses: wherein the first event analysis module is configured to analyze a target domain associated with the first event. (i.e. the security management facility 122 may provide for reputation filtering, which may target or identify sources of known malware. For instance, reputation filtering may include lists of URIs of known sources of malware or known suspicious IP addresses, code authors, code signers, or domains, that when detected may invoke an action by the threat management facility 100. Based on reputation, potential threat sources may be blocked, quarantined, restricted, monitored, or some combination of these, before an exchange of data can be made. Aspects of reputation filtering may be provided, for example, in the security agent of an endpoint 12, in a wireless access point 11 or firewall 10, as part of application protection 150 provided by the cloud, and so on. In embodiments, some reputation information may be stored on a compute instance 10-26, and other reputation data available through cloud lookups to an application protection lookup database, such as may be provided by application protection) [Levy, para. 0047].
Re claims 6 and 16. Levy and Yampolsky disclose the features of claims 2 and 12, Levy further discloses: wherein the first event analysis module is configured to analyze a plurality of factors of a target domain associated with the first event. (i.e. In an embodiment, the security management facility 122 may provide for reputation filtering, which may target or identify sources of known malware. For instance, reputation filtering may include lists of URIs of known sources of malware or known suspicious IP addresses, code authors, code signers, or domains, that when detected may invoke an action by the threat management facility 100. Based on reputation, potential threat sources may be blocked, quarantined, restricted, monitored, or some combination of these, before an exchange of data can be made. Aspects of reputation filtering may be provided, for example, in the security agent of an endpoint 12, in a wireless access point 11 or firewall 10, as part of application protection 150 provided by the cloud, and so on. In embodiments, some reputation information may be stored on a compute instance 10-26, and other reputation data available through cloud lookups to an application protection lookup database, such as may be provided by application protection) [Levy, para. 0047].
Re claims 7 and 17. Levy and Yampolsky disclose the features of claims 2 and 12, Levy further discloses: wherein the first event analysis module is configured to analyze access rights of a user associated with the first event. (i.e. riskiness of the user may be used as part of an authentication decision. An adaptive authentication facility 606 may evaluate any or all of entity state, risk score, value of data, consistency of user against the model, for example, using the analytics of FIG. 5. The adaptive authentication facility 606 may receive attestations about the state of integrity, or the health state of the user that is logging on. This may include the health of the device that the user is logging in on, as well as the overall risk score that the user brings. In embodiments, the authentication may be revoked if the risk score changes) [Levy, para.0091].
Re claims 8 and 18. Levy and Yampolsky disclose the features of claims 1 and 11, Levy further discloses: a memory storing computer-readable instructions that, when executed by the at least one processor, cause the neural network analysis computing platform to: generate a user interface associated with the first event and the reactionary commands; and send, to the user device, the user interface, wherein sending the user interface to the user device causes the user device to display the user interface (i.e. The web server may be configured to display a list of intermediate threats in a user interface, wherein the list of intermediate threats is ranked according to a combination of a first score from the integrative model and a second score from the valuation model. In one aspect, the threat management facility may be configured to remediate a risk to an endpoint in response to a user input received through the user interface) [Levy, para.0121].
Re claims 9 and 19. Levy and Yampolsky disclose the features of claims 1 and 11, Yampolsky further discloses: wherein the plurality of risk scores are weighted (i.e. contextualization also includes weighing the calculated scores to improve the accuracy of the calculated score. For example, the scorecard system 200 may use weighting module 226 to weigh one or more of the calculated security scores. For example, calculated security scores can be assigned weights based on a correlation between the extracted security information and its impact on the overall cybersecurity risk of an entity.) [Yampolsky, col.16-17].
 	The same motivation to modify with Yampolsky, as in claim 1, applies.
Re claim 10. Levy and Yampolsky disclose the neural network analysis computing platform of claim 1, Levy further discloses: wherein the decision engine comprises a risk level matrix that maps different combinations of weighted risk scores to different reactionary commands (i.e. The threat management facility may be configured to deploy a remedial measure for the compute instance when at least one of the first risk score and the second risk score exceeds a threshold. As described herein, the first risk score may be indicative of deviations from an activity baseline for the event vectors for the compute instance. The activity baseline may be determined based on a historical window of event vectors for the compute instance. … when the second risk score exceeds a second threshold, the method 1500 may include deploying a second remedial action for the compute instance, such as any of the remedial actions or other responses described herein, from the threat management facility) [Levy, para. 0185-0187], [Levy, para.0211, discloses weighted risk scores].
 
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NOURA ZOUBAIR whose telephone number is (571)270-7285. The examiner can normally be reached Monday - Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434