DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Remarks
This action is in response to the applicant’s response filed 11 August 2022, which is in response to the USPTO office action mailed 12 May 2022. Claims 1 and 11 are amended. Claims 1-20 are currently pending.

Response to Arguments
With respect to the 35 USC §103 rejection of claims 1-20, the applicant’s arguments are moot in view of a new ground of rejection, as necessitated by the applicant's amendments.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Olson et al., US 20150244734 A1 (hereinafter “Olson”) in view of Yu et al., US 20200213336 A1 (hereinafter “Yu”).

Claim 1: Olson teaches an information security device, comprising:
a transceiver configured to receive scenario information of a company, a register configured to store a plurality of instructions and a plurality of databases, and a processor coupled to the transceiver and the register, and configured to execute the plurality of instructions to (Olson, [0051] note the method obtains fundamental data. The fundamental data may be obtained from, e.g., public sources, private sources, and internal sources, i.e., sources internal to a computer security company. Data from these sources ranges from, for example, binary data (malware samples), to news articles and blog posts authored by people, to structured XML report data generated by an analysis system, [0144] note Each hardware component may include one or more processors coupled to random access memory operating under control of, or in conjunction with, an operating system. Further, each hardware component can include persistent storage, such as a hard drive or drive array, which can store program instructions to perform the techniques presented herein):
read first vulnerability related information and first event information from the plurality of databases (Olson, [0025] note Fundamentals include vulnerabilities 206, URLs 208, malware families 210, domains 212, top-level domains 214, attack campaigns 216, networks 218, autonomous system numbers 220, accounts 222, email addresses 224, software 226, events 228, files 230, persons 232, countries 234, organizations 236, and regions 238);
generate at least one first intelligent graph according to the first vulnerability related information and the first event information, and generate a second intelligent graph according to the scenario information (Olson, [0050] note FIG. 3 is a flowchart illustrating a method of intelligence graph generation, [0072] note the method stores documents, fundamental instances, and edges, preserving the graph structure. Once fundamentals and their relationships to other fundamentals or documents are identified in the previous blocks, they can be electronically stored in persistent memory so as to preserve a graph structure; i.e. a first intelligent graph, [0082] note rules contain a set of conditions that, when met in the graph, indicate an attack or event amenable to a countermeasure. The rule may, in some embodiments, include the countermeasure itself. The rules may include templates, each indicating a sub-graph amenable to a countermeasure; i.e. a second intelligent graph); and
compare the at least one first intelligent graph with the second intelligent graph to identify at least one similarity between the at least one first intelligent graph and the second intelligent graph for determining whether the company has information security threat (Olson, [0004] note The method may include matching a sub-graph including at least one node and at least one edge to a pattern of a known attack. The matching may be performed upon the graph receiving an additional amount of nodes and edges, [0089] note embodiments detect sub-graphs amenable to countermeasure suggestion or deployment by matching sub-graphs to templates, [0104]-[0105] note matching templates to sub-graphs).
Olson does not explicitly teach wherein the scenario information comprises device model, data flow, host logs and file logs, which are related to devices and information of the company; and wherein the first vulnerability related information is information of a plurality of software vulnerabilities which happened in the past, wherein the first event information comprises a plurality of information security logs corresponding to a plurality of events, which happened in the past.
However, Yu teaches this (Yu, [0050] note packet capture appliances 302 are operative to capture packets off the network (using known packet capture (pcap) application programming interfaces (APIs) or other known techniques), and to provide such data (e.g., real-time log event and network flow) to the distributed database 306, [0054] note vulnerabilities, [0088] note API access requests are monitored and stored as log data 506, [0090] note a neural network classifier is trained (e.g., on access logs and other data) that reflect “appropriate” and “inappropriate” behavior as determined by a policy, [0109] note As additional training data is logged and/or simulated, as the case may be, the neural network may be updated, or a new version thereof instantiated to provide updated or otherwise enhanced predictive capability, [0128] note threat disposition and modeling techniques).
It would have been obvious to one of ordinary skill in the art at the effective filing date of the application to combine the information security threat assessment of Olson with the anomalous or malicious network activity detection of Yu according to known methods (i.e. identifying information security threats based on a neural network classifier trained on log, event and flow data). Motivation for doing so is that by using the neural network, the system provides more effective discrimination with respect to unauthenticated user behavior, and it enables access controls to be more effectively enforced with respect to users that are not using the application according to the enterprise's security policy (Yu, [0110]).

Claim 2: Olson and Yu teach the information security device of claim 1, wherein the processor is further configured to:
receive social media data through the transceiver, and calculate a plurality of relevancy scores of the social media data according to sample social media data of the plurality of databases, wherein the plurality of relevancy scores indicate correlation between the social media data and information security; and identify text data from the social media data according to the plurality of relevancy scores (Olson, [0034] note Each instance of an account fundamental 222 may be characterized by a string representing the account, e.g., "jon.smith@twitter", a string representing a service name, e.g., "twitter", a string representing a service type, e.g., "social media", [0111] note a list of systems with vulnerable software packages installed, sorted by threat priority score).

Claim 3: Olson and Yu teach the information security device of claim 2, wherein the processor is further configured to:
identify a plurality of event subjects of the text data according to the sample social media data, wherein the plurality of event subjects indicate a plurality of keywords relevant to a plurality of subjects of the text data; and label the text data with the plurality of event subjects, and generate second event information according to labeled text data and the first event information, and store the second event information into the plurality of databases (Olson, [0034] note Each instance of an account fundamental 222 may be characterized by a string representing the account, e.g., "jon.smith@twitter", a string representing a service name, e.g., "twitter", a string representing a service type, e.g., "social media", "chat", "forum", etc., and a string representing a user name, e.g., "Jon Smith").

Claim 4: Olson and Yu teach the information security device of claim 1, wherein the processor is further configured to:
receive vulnerability data through the transceiver, and calculate a plurality of exploit probabilities of the vulnerability data according to the first vulnerability related information; and generate second vulnerability related information according to the plurality of exploit probabilities and vulnerability data, and store the second vulnerability related information into the plurality of databases (Olson, [0120] note associating a threat priority score and/or a threat priority signature to each package and vulnerability pair. These threat priority parameters may take into account vulnerability intelligence, threat intelligence, and mitigation possibilities, among other considerations. Example calculations of a threat priority score, a number, and a threat priority signature, a string, follow. In particular, the threat priority score and threat priority signature for a given package and vulnerability pair may be constructed iteratively).

Claim 5: Olson and Yu teach the information security device of claim 4, wherein the processor is further configured to:
calculate a plurality of popularity degrees related to the first vulnerability related information according to sample social media data of the plurality of databases, wherein the plurality of popularity degrees indicates frequencies of the first vulnerability related information appearing in the sample social media data; generate a plurality of vulnerability features according to the first vulnerability related information and the plurality of popularity degrees; and calculate the plurality of exploit probabilities of the vulnerability data according to the plurality of vulnerability features (Olson, [0126] note if the vulnerability is associated with a popular software package, then add one to the threat priority score, otherwise add zero. For the threat priority signature, adjoin, "/Popular:p", where p is as determined for the threat priority score… At the end of the iteration, some packages will have higher counts than others, indicating popularity. A threshold may be implemented, such that popularity counts over the threshold indicate a popular package). 

Claim 6: Olson and Yu teach the information security device of claim 1, wherein the processor is further configured to:
generate a plurality of first intelligent subgraphs according to the first vulnerability related information, and generate a plurality of second intelligent subgraphs according to the first event information; and link at least one of the plurality of first intelligent subgraphs and at least one of the plurality of second intelligent subgraphs to generate the at least one first intelligent graph, wherein the at least one of the plurality of first intelligent subgraphs is related to the at least one of the plurality of second intelligent subgraphs (Olson, [0080] note fundamentals and their relationships in a graph can describe a specific event or attack. Some embodiments utilize a set of rules to automatically suggest or implement countermeasures based on identifying a particular sub-graph describing the event or attack. As described herein, a "sub-graph" is a portion of a graph that includes at least one node and at least one edge. Sub-graphs representing attacks can consist of, for example, a specific type of fundamental joined to a specific type of edge, or two specific types of fundamentals joined by a specific type of edge; i.e. the examiner interprets that an edge reads on a link).

Claim 7: Olson and Yu teach the information security device of claim 6, wherein the processor is further configured to:
link at least one first node in the at least one of the plurality of first intelligent subgraphs to at least one second node in the at least one of the plurality of second intelligent subgraphs, wherein the at least one first node is same as the at least one second node (Olson, [0006] note match a sub-graph including of at least one node and at least one edge to a pattern of a known attack upon the graph receiving an additional amount of nodes and edges).

Claim 8: Olson and Yu teach the information security device of claim 1, wherein the processor is further configured to:
identify a plurality of first reference nodes from a plurality of first nodes of the at least one first intelligent graph; and determine whether at least one second reference node matched to at least one of the plurality of first reference node exists in the second intelligent graph (Olson, [0006] note match a sub-graph including of at least one node and at least one edge to a pattern of a known attack).

Claim 9: Olson and Yu teach the information security device of claim 8, wherein the processor is further configured to:
extract at least one intelligent subgraph corresponding to the at least one first reference node from the second intelligent graph when the at least one second reference node corresponding to the plurality of first reference node existing in the second intelligent graph; and calculate at least one match degree between the at least one intelligent subgraph and the at least one first intelligent graph, and determine whether at least one of the at least one match degree is greater than a threshold, wherein the at least one match degree indicates the at least one similarity (Olson, [0084] note the iteration may parse the documents to extract any existing rules, including both sub-graph templates for matching to threats, and countermeasure templates. The extracted information may then be stored in countermeasure rules engine 518, [0126] note whenever the package node is joined to a vulnerability node by an "has vulnerability" or "vulnerability of" edge. The counts may be maintained in the distributable vulnerability data. At the end of the iteration, some packages will have higher counts than others, indicating popularity. A threshold may be implemented, such that popularity counts over the threshold indicate a popular package).

Claim 10: Olson and Yu teach the information security device of claim 9, wherein the processor is further configured to:
identify at least one potential vulnerability corresponding to the at least one of the at least one match degree for determining whether the company has the information security threat when the at least one of the at least one match degree is greater than the threshold (Olson, [0123] note If the difference between the time that the threat priority score is calculated and the timestamp exceeds a threshold, then the vulnerability is judged to be non-active, otherwise it is judged to be active).

Claim 11: Olson teaches an information security method, comprising:
reading first vulnerability related information and first event information from a plurality of databases (Olson, [0025] note Fundamentals include vulnerabilities 206, URLs 208, malware families 210, domains 212, top-level domains 214, attack campaigns 216, networks 218, autonomous system numbers 220, accounts 222, email addresses 224, software 226, events 228, files 230, persons 232, countries 234, organizations 236, and regions 238);
generating at least one first intelligent graph according to the first vulnerability related information and the first event information, and generate a second intelligent graph according to the scenario information (Olson, [0050] note FIG. 3 is a flowchart illustrating a method of intelligence graph generation, [0072] note the method stores documents, fundamental instances, and edges, preserving the graph structure. Once fundamentals and their relationships to other fundamentals or documents are identified in the previous blocks, they can be electronically stored in persistent memory so as to preserve a graph structure; i.e. a first intelligent graph, [0082] note rules contain a set of conditions that, when met in the graph, indicate an attack or event amenable to a countermeasure. The rule may, in some embodiments, include the countermeasure itself. The rules may include templates, each indicating a sub-graph amenable to a countermeasure; i.e. a second intelligent graph); and
calculating at least one match degree between the at least one first intelligent graph and the second intelligent graph for determining whether the company has information security threat (Olson, [0004] note The method may include matching a sub-graph including at least one node and at least one edge to a pattern of a known attack. The matching may be performed upon the graph receiving an additional amount of nodes and edges, [0089] note embodiments detect sub-graphs amenable to countermeasure suggestion or deployment by matching sub-graphs to templates, [0104]-[0105] note matching templates to sub-graphs).
Olson does not explicitly teach wherein the first vulnerability related information is information of a plurality of software vulnerabilities which happened in the past, wherein the first event information comprises a plurality of information security logs corresponding to a plurality of events, which happened in the past; and wherein the scenario information comprises device model, data flow, host logs and file logs, which are related to devices and information of a company.
However, Yu teaches this (Yu, [0050] note packet capture appliances 302 are operative to capture packets off the network (using known packet capture (pcap) application programming interfaces (APIs) or other known techniques), and to provide such data (e.g., real-time log event and network flow) to the distributed database 306, [0054] note vulnerabilities, [0088] note API access requests are monitored and stored as log data 506, [0090] note a neural network classifier is trained (e.g., on access logs and other data) that reflect “appropriate” and “inappropriate” behavior as determined by a policy, [0109] note As additional training data is logged and/or simulated, as the case may be, the neural network may be updated, or a new version thereof instantiated to provide updated or otherwise enhanced predictive capability, [0128] note threat disposition and modeling techniques).
It would have been obvious to one of ordinary skill in the art at the effective filing date of the application to combine the information security threat assessment of Olson with the anomalous or malicious network activity detection of Yu according to known methods (i.e. identifying information security threats based on a neural network classifier trained on log, event and flow data). Motivation for doing so is that by using the neural network, the system provides more effective discrimination with respect to unauthenticated user behavior, and it enables access controls to be more effectively enforced with respect to users that are not using the application according to the enterprise's security policy (Yu, [0110]).

Claim 12: Olson and Yu teach the information security method of claim 11, further comprising:
receiving social media data, and calculating a plurality of relevancy scores of the social media data according to sample social media data of the plurality of databases, wherein the plurality of relevancy scores indicate correlation between the social media data and information security; and identifying text data from the social media data according to the plurality of relevancy scores (Olson, [0034] note Each instance of an account fundamental 222 may be characterized by a string representing the account, e.g., "jon.smith@twitter", a string representing a service name, e.g., "twitter", a string representing a service type, e.g., "social media", [0111] note a list of systems with vulnerable software packages installed, sorted by threat priority score).

Claim 13: Olson and Yu teach the information security method of claim 12, further comprising:
identifying a plurality of event subjects of the text data according to the sample social media data, wherein the plurality of event subjects indicate a plurality of keywords relevant to a plurality of subjects of the text data; and labeling the text data with the plurality of event subjects, and generating second event information according to labeled text data and the first event information to store the second event information into the plurality of databases (Olson, [0034] note Each instance of an account fundamental 222 may be characterized by a string representing the account, e.g., "jon.smith@twitter", a string representing a service name, e.g., "twitter", a string representing a service type, e.g., "social media", "chat", "forum", etc., and a string representing a user name, e.g., "Jon Smith").

Claim 14: Olson and Yu teach the information security method of claim 11, further comprising:
receiving vulnerability data, and calculating a plurality of exploit probabilities of the vulnerability data according to the first vulnerability related information; and generating second vulnerability related information according to the plurality of exploit probabilities and vulnerability data, and store the second vulnerability related information into the plurality of databases (Olson, [0120] note associating a threat priority score and/or a threat priority signature to each package and vulnerability pair. These threat priority parameters may take into account vulnerability intelligence, threat intelligence, and mitigation possibilities, among other considerations. Example calculations of a threat priority score, a number, and a threat priority signature, a string, follow. In particular, the threat priority score and threat priority signature for a given package and vulnerability pair may be constructed iteratively).

Claim 15: Olson and Yu teach the information security method of claim 14, wherein the step of calculating a plurality of exploit probabilities of the vulnerability data according to the first vulnerability related information comprises:
calculating a plurality of popularity degrees related to the first vulnerability related information according to sample social media data of the plurality of databases, wherein the plurality of popularity degrees indicate frequencies of the first vulnerability related information appearing in the sample social media data; generating a plurality of vulnerability features according to the first vulnerability related information and the plurality of popularity degrees; and calculating the plurality of exploit probabilities of the vulnerability data according to the plurality of vulnerability features (Olson, [0126] note if the vulnerability is associated with a popular software package, then add one to the threat priority score, otherwise add zero. For the threat priority signature, adjoin, "/Popular:p", where p is as determined for the threat priority score… At the end of the iteration, some packages will have higher counts than others, indicating popularity. A threshold may be implemented, such that popularity counts over the threshold indicate a popular package).

Claim 16: Olson and Yu teach the information security method of claim 11, wherein the step of generating the at least one first intelligent graph according to the first vulnerability related information and the first event information comprises:
generating a plurality of first intelligent subgraphs according to the first vulnerability related information, and generate a plurality of second intelligent subgraphs according to the first event information; and linking at least one of the plurality of first intelligent subgraphs and at least one of the plurality of second intelligent subgraphs to generate the at least one first intelligent graph, wherein the at least one of the plurality of first intelligent subgraphs is related to the at least one of the plurality of second intelligent subgraphs (Olson, [0080] note fundamentals and their relationships in a graph can describe a specific event or attack. Some embodiments utilize a set of rules to automatically suggest or implement countermeasures based on identifying a particular sub-graph describing the event or attack. As described herein, a "sub-graph" is a portion of a graph that includes at least one node and at least one edge. Sub-graphs representing attacks can consist of, for example, a specific type of fundamental joined to a specific type of edge, or two specific types of fundamentals joined by a specific type of edge; i.e. the examiner interprets that an edge reads on a link).

Claim 17: Olson and Yu teach the information security method of claim 16, wherein the step of linking the at least one of the plurality of first intelligent subgraphs and the at least one of the plurality of second intelligent subgraphs to generate the at least one first intelligent graph comprises:
linking a first node in the at least one of the plurality of first intelligent subgraphs to a second node in the at least one of the plurality of second intelligent subgraphs, wherein the first node is the same as the second node (Olson, [0006] note match a sub-graph including of at least one node and at least one edge to a pattern of a known attack upon the graph receiving an additional amount of nodes and edges).

Claim 18: Olson and Yu teach the information security method of claim 11, wherein the step of calculating the at least one match degree between the at least one first intelligent graph and the second intelligent graph to determine whether the company has the information security threat comprises:
identifying a plurality of first reference nodes from a plurality of nodes of the at least one first intelligent graph; and determining whether at least one second reference node matched to at least one of the plurality of first reference node exists in the second intelligent graph (Olson, [0006] note match a sub-graph including of at least one node and at least one edge to a pattern of a known attack).

Claim 19: Olson and Yu teach the information security method of claim 18, further comprising:
extracting at least one intelligent subgraph corresponding to the at least one first reference node from the second intelligent graph when the at least one second reference node corresponding to the plurality of first reference node existing in the second intelligent graph; and calculating at least one match degree between the at least one intelligent subgraph and the at least one first intelligent graph, and determine whether at least one of the at least one match degree is greater than a threshold (Olson, [0084] note the iteration may parse the documents to extract any existing rules, including both sub-graph templates for matching to threats, and countermeasure templates. The extracted information may then be stored in countermeasure rules engine 518, [0126] note whenever the package node is joined to a vulnerability node by an "has vulnerability" or "vulnerability of" edge. The counts may be maintained in the distributable vulnerability data. At the end of the iteration, some packages will have higher counts than others, indicating popularity. A threshold may be implemented, such that popularity counts over the threshold indicate a popular package).

Claim 20: Olson and Yu teach the information security method of claim 19, further comprising:
identifying at least one potential vulnerability corresponding to the at least one of the at least one match degree for determining whether the company has the information security threat when the at least one of the at least one match degree is greater than the threshold (Olson, [0123] note If the difference between the time that the threat priority score is calculated and the timestamp exceeds a threshold, then the vulnerability is judged to be non-active, otherwise it is judged to be active).
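The reference-node matching and match-degree procedure of claims 8-10 (and the parallel method claims 18-20) as a worked example. This is added code, not taken from the office action, Olson or Yu; the node types, edge types, the typed-edge match-degree formula and every node id are constructed assumptions.

```python
"""Matching a company scenario graph against an attack-template graph.

Added example. Procedure of claims 8-10 / 18-20: choose reference nodes from
the first (template) graph, look for the same nodes in the second (scenario)
graph, extract the surrounding sub-graph, compute a match degree and compare
it with a threshold. Node/edge types and all ids are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Edge = Tuple[str, str, str]  # (source node id, edge type, target node id)


@dataclass
class Graph:
    nodes: Dict[str, str]                     # node id -> fundamental type
    edges: Set[Edge] = field(default_factory=set)

    def neighbourhood(self, start: str, hops: int) -> "Graph":
        """Sub-graph induced by all nodes within `hops` edges of `start`."""
        seen, frontier = {start}, {start}
        for _ in range(hops):
            nxt = set()
            for src, _, dst in self.edges:
                if src in frontier and dst not in seen:
                    nxt.add(dst)
                if dst in frontier and src not in seen:
                    nxt.add(src)
            seen |= nxt
            frontier = nxt
        return Graph({n: t for n, t in self.nodes.items() if n in seen},
                     {e for e in self.edges if e[0] in seen and e[2] in seen})

    def typed_edges(self) -> Set[Edge]:
        """Edges abstracted to (source type, edge type, target type), which is
        the form in which Olson describes sub-graph templates."""
        return {(self.nodes[s], k, self.nodes[d]) for s, k, d in self.edges}


# Assumption: reference nodes are fundamentals that historical data and the
# company's device model name identically, so their ids can be compared.
REFERENCE_TYPES = {"software", "vulnerability"}


def reference_nodes(g: Graph) -> Set[str]:
    """Claim 8: the reference nodes chosen from a graph's nodes."""
    return {n for n, t in g.nodes.items() if t in REFERENCE_TYPES}


def matched_references(template: Graph, scenario: Graph) -> Set[str]:
    """Claim 8: first reference nodes for which a second reference node with
    the same id exists in the scenario graph."""
    return reference_nodes(template) & reference_nodes(scenario)


def match_degree(template: Graph, sub: Graph) -> float:
    """Claim 9: share of the template's typed edges found in the sub-graph."""
    pattern = template.typed_edges()
    return len(pattern & sub.typed_edges()) / len(pattern) if pattern else 0.0


def assess(template: Graph, scenario: Graph, threshold: float, hops: int = 2) -> dict:
    """Claims 9-10: extract the sub-graph around each matched reference node,
    score it, and above the threshold report the template's vulnerability
    nodes as the company's potential vulnerabilities."""
    best = 0.0
    for ref in matched_references(template, scenario):
        best = max(best, match_degree(template, scenario.neighbourhood(ref, hops)))
    threat = best >= threshold
    vulns = sorted(n for n, t in template.nodes.items()
                   if t == "vulnerability") if threat else []
    return {"match_degree": best, "threat": threat,
            "potential_vulnerabilities": vulns}


# Constructed first intelligent graph: a past vulnerability joined to the
# software it affected and to a logged event in which it was exploited.
TEMPLATE = Graph(
    nodes={"pkg:exampleweb-2.1": "software", "vuln:V-001": "vulnerability",
           "event:E-17": "event", "host:old-host": "host"},
    edges={("pkg:exampleweb-2.1", "has vulnerability", "vuln:V-001"),
           ("host:old-host", "runs", "pkg:exampleweb-2.1"),
           ("event:E-17", "exploited", "vuln:V-001"),
           ("event:E-17", "observed on", "host:old-host")},
)

# Constructed second intelligent graph from the company's device model, data
# flow and host logs: it runs the same package but records no vulnerability.
SCENARIO = Graph(
    nodes={"pkg:exampleweb-2.1": "software", "host:web-01": "host",
           "host:db-01": "host", "event:L-9": "event"},
    edges={("host:web-01", "runs", "pkg:exampleweb-2.1"),
           ("host:web-01", "sends to", "host:db-01"),
           ("event:L-9", "observed on", "host:web-01")},
)

# A constructed scenario without the reference software matches nothing.
UNRELATED = Graph(nodes={"host:mail-01": "host", "pkg:other-9.0": "software"},
                  edges={("host:mail-01", "runs", "pkg:other-9.0")})

if __name__ == "__main__":
    print(assess(TEMPLATE, SCENARIO, threshold=0.5))
    print(assess(TEMPLATE, UNRELATED, threshold=0.5))
```

With the two-hop sub-graph, two of the template's four typed edges are present in the scenario, so a threshold of 0.5 flags the company and names vuln:V-001 as the potential vulnerability, while a threshold of 0.75 does not.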

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Giuseppi Giuliani whose telephone number is (571)270-7128. The examiner can normally be reached Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Aleksandr Kerzhner can be reached on (571)270-1760. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/GIUSEPPI GIULIANI/Primary Examiner, Art Unit 2165