DETAILED ACTION
This Final Office Action is in response to Applicant’s communication filed on 7/27/2022. In Applicant’s amendment, claims 1, 2, 5, 8, 9, 12, 15, 16, and 19 were amended.
Claims 1-20 are currently pending and have been rejected as follows. 
Response to Amendments
Rejections under 35 USC 101 are withdrawn. Rejections under 35 USC 102 are withdrawn. Applicant’s amendments necessitated new grounds of rejection under 35 USC 103.
Response to Arguments
Applicant’s 35 USC 101 rebuttal arguments and amendments have been fully considered and they are persuasive to overcome the rejection.
Applicant's prior art arguments have been fully considered but they are not persuasive to overcome the rejection.
Applicant argues on p. 14-15 that Crowley does not disclose determining whether an industry type assigned to the entity corresponds to the global trending threat and further increasing the alert priority in response to determining that the industry type assigned to the entity corresponds to the global trending threat. Examiner respectfully disagrees. Regarding determining whether an industry type assigned to the entity corresponds to the global trending threat, Crowley is already shown earlier in the independent claim mappings to disclose in paragraph 23 “Local attributes 321 can be derived information descriptive of malicious activity occurring within a network. Global threat attributes 322 can be information derived externally to a network that is descriptive of a threat to that network” and in paragraph 72 “Alerts can be prioritized according to the composite risk score category.” In paragraph 32, Crowley teaches “A configurable priority set to specific network types, such as residential, commercial, government or other networks, as being higher risk for connection attempts, related to malicious network events, expressed as a range 0-100 according to one embodiment” noting the network type corresponding to an industry type. Given the data defining the network types, their associated local attributes and the attributes of global threats, Crowley teaches determining whether an industry type assigned to the entity corresponds to the global trending threat. For further explanation, see figs. 6A-6D and associated text in paragraphs 83-87. Regarding the limitation of further increasing the alert priority in response to determining that the industry type assigned to the entity corresponds to the global trending threat, Crowley further teaches in paragraph 32 “a network type of priority 100 may represent a network (e.g., residential) which customer data should not be connecting to” in addition to Crowley being shown to teach a configurable priority. 
For further explanation, see fig. 4 and associated text in paragraph 69 stating “Composite risk scores ascertained via Algorithm 330 in FIG. 3 may be correlated against specific Attributes 410 to prioritize remediation efforts.” 
	

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 USC 103 as being unpatentable over the teachings of
Crowley et al, US Publication No. 20120143650 A1, hereinafter Crowley in view of
Rudnik, US Patent No. 11328059 B2, hereinafter Rudnik, in view of
Patel et al, US Publication No. 20210211452 A1, hereinafter Patel. As per,

Claims 1, 8, 15
Crowley teaches
A method implemented by an information handling system that includes a memory and a processor, the method comprising: /
An information handling system comprising: one or more processors; [Docket No. P201911884US01, Atty. Ref. No. 0011] a memory coupled to at least one of the processors; a set of computer program instructions stored in the memory and executed by at least one of the processors in order to perform actions of: /
A computer program product stored in a computer readable storage medium, comprising computer program code that, when executed by an information handling system, causes the information handling system to perform actions comprising:
receiving, […], a global trending threat corresponding to an incident occurring in an industry, (Crowley [0023] “FIG. 3 illustrates an example derivation of risk 300, according to one embodiment. In this example, the network event between compromised internal asset 305 and server 312 can contain attributes 320. These attributes 320 can include, but are not limited to: local attributes 321 and/or global threat attributes 322. Local attributes 321 can be derived information descriptive of malicious activity occurring within a network. Global threat attributes 322 can be information derived externally to a network that is descriptive of a threat to that network”)
[…][…];
identifying a set of local Indicators of Concern (IoCs) within an entity that corresponds to the global trending threat; (Crowley fig. 3; [0042] “FIG. 3 also lists global threat attributes 322;” [0045] “The example in FIG. 3 also illustrates how local attributes 321 and global threat attributes 322 can be collected and tallied”)
computing an alert priority based on the set of local IoCs and the global trending threat; (Crowley [0072] “Alerts can be prioritized according to the composite risk score category”)
adjusting the alert priority based on comparing one or more entity properties of the entity with one or more threat properties of the global trending threat, wherein the adjusting further comprises: (Crowley fig. 8; [0045] “Due to the ever-changing nature of risk, risk can be continually assessed and prioritized;” [0047] “The asset priority risk can be a number in the 1-5 range assigned by the user to an asset or group of assets, with 1 representing a high-priority asset, and 5, a low priority asset. The number assigned can be compared against a set of preselected ranges, and the risk associated with the ranges can then be assigned to the asset(s)”)
determining whether an industry type assigned to the entity corresponds to the global trending threat; and (Crowley [0032] “A configurable priority set to specific network types, such as residential, commercial, government or other networks, as being higher risk for connection attempts, related to malicious network events, expressed as a range 0-100 according to one embodiment”)
further increasing the alert priority in response to determining that the industry type assigned to the entity corresponds to the global trending threat; and (Crowley [0032] “a network type of priority 100 may represent a network (e.g., residential) which customer data should not be connecting to”)
dispatching an alert based on the adjusted alert priority. (Crowley [0016] “The method and system 100 admonishes risk through the use of alerts sent to a user”)
Crowley does not explicitly teach, Rudnik however in the analogous art of threat management teaches
[…] from a cloud service […]; (Rudnik 1:64-67, 2:1-4 “a detection proxy to collect telemetry data from the telemetry probes and forward the telemetry data to a detection cloud service; and logic to receive from the detection cloud service a detection message that the user application has exhibited behavior consistent with tampering, and to take remedial action responsive to the detection message”)
[…] by the cloud service […]; (Rudnik 1:64-67, 2:1-4 “a detection proxy to collect telemetry data from the telemetry probes and forward the telemetry data to a detection cloud service; and logic to receive from the detection cloud service a detection message that the user application has exhibited behavior consistent with tampering, and to take remedial action responsive to the detection message”)
Before the effective filing date of the claimed invention, it would have been obvious for one of ordinary skill in the art to modify Crowley’s threat detection to include a cloud service in view of Rudnik in an effort to prevent attackers by detecting tampering in the cloud (see Rudnik 5:5-7 & MPEP 2143G).
Crowley does not explicitly teach, Patel however in the analogous art of threat management teaches
wherein the global trending threat is identified […] based on performing a topological data analysis on a set of features, the set of features generated from a crowdsourced plurality of Indicators of Concern (IoCs) from a plurality of entities; (Patel [0006] “the threat indicators can be generated by analyzing previously, more importantly very recently, exploited conditions during cyber-attack … The process includes actively and/or periodically accessing the data source, analyzing the data, and updating threat indicator values in the device risk profiles;” [0034] “the device risk profiles can also include threat indicators. The threat indicators can be generated by analyzing previously exploited conditions via cyber-attacks;” [0071] “the process 500 includes using at least one method to obtain risk profile parameter values to build and maintain some level of device cybersecurity risk posture 502;” [0087] “the reference 432 in FIG. 4 indicates both vulnerability and threat with respect to password management knowledge”)
Before the effective filing date of the claimed invention, it would have been obvious for one of ordinary skill in the art to modify Crowley’s threat detection to include crowdsourcing indicators from entities to identify the global threat in view of Patel in an effort to deliver human-factor-related conditions (see Patel ¶ [0068] & MPEP 2143G).
Claims 2, 9, 16
Crowley teaches
further comprising wherein the plurality of IoCs includes the set of local IoCs and the plurality of entities includes the entity; (Crowley [0023] “Local attributes 321 can be derived information descriptive of malicious activity occurring within a network. Global threat attributes 322 can be information derived externally to a network that is descriptive of a threat to that network”)
and matching the global trending threat to a customer profile corresponding to the entity. (Crowley fig. 4; [0069] “Composite risk scores ascertained via Algorithm 330 in FIG. 3 may be correlated against specific Attributes 410 to prioritize remediation efforts, according to a company's internal policies and/or highest level of concern;” claim 11 “at least one overall risk is correlated with any individual attribute risk and the result is displayed in at least one threat matrix, allowing at least one user to quickly identify at least one most important compromised network asset to at least one organization”)
Claims 3, 10, 17
Crowley teaches
wherein at least one of the set of features is selected from a group consisting of a time variant feature, a time invariant feature, a time independent feature, and a label feature.  (Crowley [0079] “First Seen. Time (e.g., in days) when the asset was first seen to communicate with an external entity”)
Claims 4, 11, 18
Crowley teaches

wherein the matching indicates one or more vulnerabilities within the entity that is targeted by the global trending threat. (Crowley [0038] “A configurable priority set to specific assets based on identified vulnerabilities on those assets, expressed as a range 0-100, according to one embodiment. As an example, a Vulnerability of 100 would indicate the asset being investigated has known vulnerabilities that could be used by the remote criminal operator to control the asset and exfiltrated data.”)
Claims 5, 12, 19
Crowley teaches

wherein the adjusting of the alert priority further comprises: increasing the alert priority in response to determining that the entity is in a geographic location that corresponds to the global trending threat. (Crowley [0053] “The geo-location can be a number in the 1-5 range assigned by the user to specific geographic locations for connection attempts, with 1 representing a high-priority geo-location, and 5, a low-priority geo-location. The number assigned can be compared against a set of preselected ranges, and the risk associated with the ranges can be assigned to the asset(s)”)
Claims 6, 13, 20
Crowley teaches
determining whether the entity comprises one or more on premise components that correspond to the global trending threat; (Crowley [0031] “A configurable priority set to the specific geo-location based on the location of the IP address of connection attempts related to malicious network events, expressed as a number in the 0-100 range”)
and further increasing the alert priority in response to determining that the entity comprises one or more on premise components that correspond to the global trending threat. (Crowley [0031] “As an example, a geo-location priority 100 may represent a connection attempt to an IP address located in a country designated to be high risk by the customer”)
Claims 7, 14
Crowley teaches
wherein the dispatched alert comprises one or more courses of actions to respond to the global trending threat. (Crowley claim 12 “at least one user can be alerted regarding the at least two prioritized compromised network assets by their associated individual attribute risk or by the overall risk via at least one alert used to trigger incident response efforts”)







Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Girma et al, Analysis of DDoS Attacks and an Introduction of a Hybrid Statistical Model to Detect DDoS Attacks on Cloud Computing Environment, 2015; Thaper et al, Adaptive Pattern Attack Recognition technique (APART) against EDoS attacks in Cloud Computing, 2015; MacDermott et al, Detecting Intrusions in Federated Cloud Environments Using Security as a Service, 2015.
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMED EL-BATHY whose telephone number is (571)270-5847.  The examiner can normally be reached on M-F 8AM-4:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, PATRICIA MUNSON can be reached on (571) 270-5396.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/MOHAMED N EL-BATHY/Primary Examiner, Art Unit 3624