DETAILED ACTION
This office action is in reply to applicant communication filed on September 11, 2022.


Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Claims 1-20 have been amended.
Claim 21 has been added.
Claims 1-21 are pending. 


Response to Argument
Applicant’s arguments filed on September 11, 2022 with respect to the 35 USC 102/103 rejections of independent claims have been fully considered but are moot in view of new ground(s) of rejection.

Applicant argues that the prior art of record fails to teach the amended limitation of the independent claims, “… wherein the originator is a monitored resource in the protected computing environment”. However, upon further consideration, a new ground(s) of rejection is made using newly discovered prior art to Kumar (US Pub. No. 2013/0298230).


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-2, 7-17, and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Rockwood (US 7,950,058) in view of Kumar (US Pub. No. 2013/0298230).

As per claim 1 Rockwood discloses:
A method for protecting computing assets, the method comprising: detecting a set of events associated with an originator using a set of event sensors; (column 2, line 36-45 of Rockwood, intrusion detection system 10 comprises a plurality of sensors 20, one or more manager servers 30, global server 40, and console 50. These elements of system 10 may be communicatively coupled using an internal network 70. In general, system 10 performs data collection using sensors 20) and (column 10, line 8-15 of Rockwood, profile set 156 refers to one or more portions of memory module 150 used for storing attacker profiles 224. According to certain embodiments, correlation engine 140 identifies one or more existing attacker profiles 224a in profile set 156 that have characteristics that match or are similar to attributes 410 of identified detected events 222).
Comparing, using an inference server in communication with the set of event sensors, the detected set of events to a detection model: (column 2, line 36-45 of Rockwood, intrusion detection system 10 comprises a plurality of sensors 20, one or more manager servers 30, global server 40, and console 50. These elements of system 10 may be communicatively coupled using an internal network 70. In general, system 10 performs data collection using sensors 20) and (column 2, line 46-50 of Rockwood, the data is correlated by manager servers 30 and/or global server 40 in accordance with rules designed to detect attacks on the enterprise system. By correlating the data with profiles of attackers, system 10 determines the likely identity of attackers of the enterprise system).
Determining a pattern of behavior indicative of an attack on the computing assets based on the comparing; (column 2, line 46-50 of Rockwood, the data is correlated by manager servers 30 and/or global server 40 in accordance with rules designed to detect attacks on the enterprise system. By correlating the data with profiles of attackers, system 10 determines the likely identity of attackers of the enterprise system)
Communicating, using the inference server, an identifier associated with the originator. (Column 4, line 46-53 of Rockwood, according to certain embodiments, global server 40 comprises a correlation engine 140. Correlation engine 140 is operable to correlate detected events 110 to detect an attack occurring upon or within the enterprise. Correlation engine 140 is further operable to correlate detected events 110 with attacker profiles 224 (illustrated in FIG. 2) to identify the source of an attack) and (column 5, line 59-65 of Rockwood, each detected event 110 comprises a plurality of characteristics such as, for example, time, source IP address, and destination IP address. These characteristics are referred to as attributes 410) and (column 15, line 27-33 of Rockwood, console 50 may include a graphical user interface (GUI) 52 that tailors and filters the data presented to operator 60. Generally, GUI 52 provides operator 60 of console 50 with an efficient and user-friendly presentation of event information of detected events 110).
Rockwood teaches the method of detecting a set of events associated with an originator using a set of event sensor (column 2, line 36-45 of Rockwood) but fails to disclose:
Wherein the originator is a monitored resource in the protected computing environment.
However, in the same field of endeavor, Kumar teaches this limitation as, (paragraph 102 of Kumar, As shown in FIG. 5, the exemplary application operational integrity system 500 includes an endpoint trust agent 510 on a device 560 comprising a process monitor 514 configured to observe local execution context of applications and services. The endpoint trust agent 510 further comprises a socket monitor 513 configured to observe network activities of applications and services and a system monitor 512 configured to observe system and platform resources consumed by applications and services).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Rockwood and include the above limitation using the teaching of Kumar in order to enhance the security of the system by monitoring and detecting unauthorized activity (see paragraph 102 of Kumar).

As per claim 2 Rockwood in view of Kumar discloses:
The method of claim 1, wherein the detection model includes an event lattice. (column 2, line 46-50 of Rockwood, the data is correlated by manager servers 30 and/or global server 40 in accordance with rules designed to detect attacks on the enterprise system. By correlating the data with profiles of attackers, system 10 determines the likely identity of attackers of the enterprise system)

As per claim 7 Rockwood in view of Kumar discloses:
The method of claim 2, wherein the event lattice includes a set of nodes, a node of the set of nodes indicative of the attack on the computing assets. (Column 9, line 63-67 of Rockwood, existing attacker profile 224a includes name and background information such as, for example, last known residence or last known employer. For example, a particular existing attacker profile 224a may correspond to an individual who typically launches attacks between 5:00 p.m. and 5:30 p.m. using external computers with IP addresses between 205.252.48.160 and 205.252.48.200).

As per claim 8 Rockwood in view of Kumar discloses:
The method of claim 7, further comprising when communicating the identifier, communicating the node. (Column 9, line 63-67 of Rockwood, existing attacker profile 224a includes name and background information such as, for example, last known residence or last known employer. For example, a particular existing attacker profile 224a may correspond to an individual who typically launches attacks between 5:00 p.m. and 5:30 p.m. using external computers with IP addresses between 205.252.48.160 and 205.252.48.200) and (column 15, line 27-33 of Rockwood, console 50 may include a graphical user interface (GUI) 52 that tailors and filters the data presented to operator 60. Generally, GUI 52 provides operator 60 of console 50 with an efficient and user-friendly presentation of event information of detected events 110).

As per claim 9 Rockwood in view of Kumar discloses:
The method of claim 8, wherein a risk associated with the node is determined based on a number of steps to a node representing a breach of cyber security, (Column 7, line 60-65 of Rockwood, attribute values 420 of target event 364 define a target point 362 in n-dimensional space at 17.33 and 3455856806, respectively. The similarity between target event 364 and detected events 110 corresponds to the distance between target point 362 and points 360 defined by attribute values 420 of detected events 110).

As per claim 10 Rockwood in view of Kumar discloses:
The method of claim 8, wherein a risk associated with the node is determined based on a percentage of nodes representing a breach of cyber security that are in the lattice below the node. (Column 7, line 60-65 of Rockwood, attribute values 420 of target event 364 define a target point 362 in n-dimensional space at 17.33 and 3455856806, respectively. The similarity between target event 364 and detected events 110 corresponds to the distance between target point 362 and points 360 defined by attribute values 420 of detected events 110).
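Claims 9 and 10 recite two ways of scoring the risk of a lattice node: the number of steps from the node to a node representing a breach, and the percentage of breach nodes that sit below the node. The following is an added illustration of both measures, written for this review and not taken from the application, from Rockwood, or from Kumar. The event lattice, the node names and the choice of breach nodes are constructed assumptions; the lattice is modelled as a directed acyclic graph in which an edge leads from one sensed event to the event that may follow it.

```python
from collections import deque

# Constructed toy event lattice (assumption, not from the application or prior art):
# an edge u -> v means an attack that has reached node u can progress to node v.
EVENT_LATTICE = {
    "port_scan": ["login_attempt", "service_probe"],
    "login_attempt": ["auth_success"],
    "service_probe": ["exploit_attempt"],
    "auth_success": ["privilege_escalation", "data_read"],
    "exploit_attempt": ["privilege_escalation"],
    "privilege_escalation": ["data_exfiltration"],
    "data_read": ["data_exfiltration"],
    "data_exfiltration": [],
}
# Constructed assumption: these nodes represent a breach of cyber security.
BREACH_NODES = {"privilege_escalation", "data_exfiltration"}


def steps_to_breach(lattice, breach_nodes, start):
    """Fewest edges from start to any breach node (the claim 9 measure).

    Returns 0 when start itself is a breach node and None when no breach
    node is reachable from start.
    """
    if start in breach_nodes:
        return 0
    seen = {start}
    queue = deque([(start, 0)])
    while queue:  # breadth-first search finds the shortest path first
        node, dist = queue.popleft()
        for nxt in lattice.get(node, []):
            if nxt in breach_nodes:
                return dist + 1
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None


def descendants(lattice, start):
    """Every node reachable strictly below start in the lattice."""
    seen = set()
    stack = list(lattice.get(start, []))
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(lattice.get(node, []))
    return seen


def breach_fraction_below(lattice, breach_nodes, start):
    """Fraction of the nodes below start that are breach nodes (the claim 10 measure).

    A leaf has nothing below it, so its fraction is defined here as 0.0.
    """
    below = descendants(lattice, start)
    if not below:
        return 0.0
    return len(below & breach_nodes) / len(below)


def risk_report(lattice, breach_nodes):
    """Both measures for every node, so an operator can compare them side by side."""
    return {
        node: (
            steps_to_breach(lattice, breach_nodes, node),
            round(breach_fraction_below(lattice, breach_nodes, node), 3),
        )
        for node in lattice
    }


if __name__ == "__main__":
    for node, (steps, frac) in risk_report(EVENT_LATTICE, BREACH_NODES).items():
        print(f"{node:22s} steps_to_breach={steps}  breach_fraction_below={frac}")
```

With this lattice the two measures disagree in an instructive way: "port_scan" is three steps from a breach but only 2/7 of the nodes below it are breach nodes, while "exploit_attempt" is one step away and everything below it is a breach node, so a detector that communicates the node along with the identifier (claim 8) gives the operator both a distance and a density view of the risk.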

As per claim 11 Rockwood in view of Kumar discloses:
The method of claim 2, wherein determining the pattern of behavior includes determining a node of the event lattice correlated with the set of events. (Column 9, line 63-67 of Rockwood, existing attacker profile 224a includes name and background information such as, for example, last known residence or last known employer. For example, a particular existing attacker profile 224a may correspond to an individual who typically launches attacks between 5:00 p.m. and 5:30 p.m. using external computers with IP addresses between 205.252.48.160 and 205.252.48.200).

As per claim 12 Rockwood in view of Kumar discloses:
The method of claim 11, further comprising: detecting a second set of events associated with the originator using a second set of event sensors. (Column 17, line 57-65 of Rockwood, detected events 110 received by one network node 610 may differ from detected events 110 received by another network node 610. Each detected event 110 comprises a plurality of attributes 410 such as, for example, time, source IP address, and destination IP address. Sensor 20 sends detected events 110 to correlation engine 140).

As per claim 13 Rockwood in view of Kumar discloses:
The method of claim 12, further comprising: comparing the second set of events to the event lattice using a second inference server; (column 2, line 36-45 of Rockwood, intrusion detection system 10 comprises a plurality of sensors 20, one or more manager servers 30, global server 40, and console 50. These elements of system 10 may be communicatively coupled using an internal network 70. In general, system 10 performs data collection using sensors 20) and (column 17, line 57-65 of Rockwood, detected events 110 received by one network node 610 may differ from detected events 110 received by another network node 610. Each detected event 110 comprises a plurality of attributes 410 such as, for example, time, source IP address, and destination IP address. Sensor 20 sends detected events 110 to correlation engine 140).
Determining a further pattern of behavior indicative of the attack on the computing assets based on the comparing and the pattern detected by the inference server. (Column 11, line 25-45 of Rockwood, correlation engine 140 generates new attacker profile 224b based on attributes 410 of identified detected events 222. In the present example, correlation engine 140 generates a new attacker profile 224b of an attacker who typically attacks between 5:00 p.m. and 5:30 p.m. and who typically uses source IP addresses between 205.252.48.160 and 205.252.48.170. Correlation engine 140 stores new attacker profile 224b in profile set 156. In addition, global server 40 sends new attacker profile 224b to console 50 as identified attacker profile 230. GUI 52 displays new attacker profile 224b to operator 60).

As per claim 14 Rockwood in view of Kumar discloses:
The method of claim 13, further comprising communicating the identifier to a cyber security server with the second inference server. (Column 14, line 2-8 of Rockwood, Global server 40 then processes detected events 110 and provides operator 60 with a global view of the state of system 10)

As per claim 15 Rockwood in view of Kumar discloses:
The method of claim 1, wherein communicating includes communicating with a cyber security server. (Column 2, line 36-45 of Rockwood, intrusion detection system 10 comprises a plurality of sensors 20, one or more manager servers 30, global server 40, and console 50. These elements of system 10 may be communicatively coupled using an internal network 70. In general, system 10 performs data collection using sensors 20)

As per claim 16 Rockwood in view of Kumar discloses:
The method of claim 1, wherein communicating includes communicating with another inference server. (See the communication between the plurality of manager servers in Fig. 1 of Rockwood.)

As per claim 17 Rockwood in view of Kumar discloses:
The method of claim 1, wherein an event of the set of events includes a detected signature in a network packet. (Column 3, line 49-55, sensor 20 may use any suitable detection technique to process and output detected events 110 and appropriate alerts. For example, sensor 20 may use algorithms, signatures, scripts, or any suitable detection or comparison technique to process packet headers, packet payloads, and/or any other data).

As per claim 21 Rockwood in view of Kumar discloses:
The method of claim 2, wherein the event lattice includes a set of event nodes and a set of nodes linked to event nodes of the set of event nodes, each node having a node position corresponding to an event sensed by an event sensor. (column 2, line 46-50 of Rockwood, the data is correlated by manager servers 30 and/or global server 40 in accordance with rules designed to detect attacks on the enterprise system. By correlating the data with profiles of attackers, system 10 determines the likely identity of attackers of the enterprise system)

Claims 3-6 are rejected under 35 U.S.C. 103 as being unpatentable over Rockwood (US 7,950,058) in view of Kumar (US Pub. No. 2013/0298230) and further in view of Srivastava (US Pub. No. 2016/0065594).

As per claim 3:
The combination of Rockwood and Kumar teaches the method of having an intrusion detection system 10 that comprises a plurality of sensors 20 and one or more manager servers 30 (column 2, line 36-45 of Rockwood) but fails to disclose:
The method of claim 2, wherein the event lattice is derived using Association Rule Learning.
However, in the same field of endeavor, Srivastava teaches this limitation as, (paragraph 40 of Srivastava, the machine learning algorithms may include the construction and study of systems that can learn from information, such as the user profiles. The machine learning algorithms may include, for example, decision tree learning, association rule learning, artificial neural networks, inductive logic programming, support vector machines, clustering, Bayesian networks, representation learning, similarity learning, sparse dictionary learning, or the like).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Rockwood and Kumar to include the above limitation using the teaching of Srivastava in order to determine threats to the network using machine learning algorithm and secure the computing system (see paragraph 40 of Srivastava).

As per claim 4:
The combination of Rockwood and Kumar teaches the method of having an intrusion detection system 10 that comprises a plurality of sensors 20 and one or more manager servers 30 (column 2, line 36-45 of Rockwood) but fails to disclose:
The method of claim 3, wherein Association Rule Learning includes Formal Concept Analysis.
However, in the same field of endeavor, Srivastava teaches this limitation as, (paragraph 40 of Srivastava, the machine learning algorithms may include the construction and study of systems that can learn from information, such as the user profiles. The machine learning algorithms may include, for example, decision tree learning, association rule learning, artificial neural networks, inductive logic programming, support vector machines, clustering, Bayesian networks, representation learning, similarity learning, sparse dictionary learning, or the like) and (paragraph 10 of Srivastava, the intrusion detection platform may include an analytics component and an intrusion detection component. The analytics component may create user profiles for the users based on the user information. For example, the analytics component may create a user profile, for a particular user, that includes a user identifier (ID) (e.g., a unique user name, a user identification number, or the like) and multiple attributes associated with the particular user (e.g., demographic information, location information, time information, user device information, or the like). The analytics component may provide the user profiles to the intrusion detection component).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Rockwood and Kumar to include the above limitation using the teaching of Srivastava in order to determine threats to the network using machine learning algorithm and secure the computing system (see paragraph 40 of Srivastava).

As per claim 5:
The combination of Rockwood and Kumar teaches the method of having an intrusion detection system 10 that comprises a plurality of sensors 20 and one or more manager servers 30 (column 2, line 36-45 of Rockwood) but fails to disclose:
The method of claim 3, wherein Association Rule Learning includes Frequent Item Sets.
However, in the same field of endeavor, Srivastava teaches this limitation as, (paragraph 40 of Srivastava, the machine learning algorithms may include the construction and study of systems that can learn from information, such as the user profiles. The machine learning algorithms may include, for example, decision tree learning, association rule learning, artificial neural networks, inductive logic programming, support vector machines, clustering, Bayesian networks, representation learning, similarity learning, sparse dictionary learning, or the like).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Rockwood and Kumar to include the above limitation using the teaching of Srivastava in order to determine threats to the network using machine learning algorithm and secure the computing system (see paragraph 40 of Srivastava).

As per claim 6:
The combination of Rockwood and Kumar teaches the method of having an intrusion detection system 10 that comprises a plurality of sensors 20 and one or more manager servers 30 (column 2, line 36-45 of Rockwood) but fails to disclose:
The method of claim 3, wherein Association Rule Learning includes Triadic Concept Analysis.
However, in the same field of endeavor, Srivastava teaches this limitation as, (paragraph 40 of Srivastava, the machine learning algorithms may include the construction and study of systems that can learn from information, such as the user profiles. The machine learning algorithms may include, for example, decision tree learning, association rule learning, artificial neural networks, inductive logic programming, support vector machines, clustering, Bayesian networks, representation learning, similarity learning, sparse dictionary learning, or the like).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Rockwood and Kumar to include the above limitation using the teaching of Srivastava in order to determine threats to the network using machine learning algorithm and secure the computing system (see paragraph 40 of Srivastava).
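Claims 3 through 6 recite deriving the event lattice by Association Rule Learning, specifically Formal Concept Analysis and Frequent Item Sets. The following is an added illustration of how a concept lattice is derived from sensed events with Formal Concept Analysis, and how its nodes with enough support are the closed frequent item sets; it was written for this review and is not code from the application, from Rockwood, from Kumar, or from Srivastava. The formal context (monitored sessions as objects, sensed events as attributes) is a constructed assumption, as are the event names and the minimum-support threshold.

```python
from itertools import combinations

# Constructed formal context (assumption): each monitored session is an object and
# each sensed event type is an attribute; a session "has" an event if a sensor saw it.
EVENTS = ["port_scan", "login_fail", "login_ok", "priv_esc", "exfil"]
SESSIONS = {
    "s1": {"port_scan", "login_fail"},
    "s2": {"port_scan", "login_fail", "login_ok", "priv_esc"},
    "s3": {"login_ok", "exfil"},
    "s4": {"port_scan", "login_fail", "login_ok", "priv_esc", "exfil"},
    "s5": {"login_ok"},
}


def extent(attrs):
    """Objects that carry every attribute in attrs (the derivation operator on attributes)."""
    return frozenset(o for o, seen in SESSIONS.items() if attrs <= seen)


def intent(objs):
    """Attributes shared by every object in objs (the derivation operator on objects)."""
    if not objs:
        return frozenset(EVENTS)  # the empty extent is paired with the full attribute set
    return frozenset(set.intersection(*(set(SESSIONS[o]) for o in objs)))


def concepts():
    """All formal concepts (extent, intent): the nodes of the concept lattice.

    Closing every attribute subset under extent/intent reaches every concept; the
    context here is small enough that enumerating all 2^|EVENTS| subsets is fine.
    """
    found = {}
    for k in range(len(EVENTS) + 1):
        for combo in combinations(EVENTS, k):
            ext = extent(frozenset(combo))
            found[ext] = intent(ext)  # the same extent always closes to the same intent
    return sorted(found.items(), key=lambda c: (len(c[1]), sorted(c[1])))


def lattice_edges(concept_list):
    """Cover relation of the lattice: (lower, upper) pairs of intents with nothing between.

    A concept with a larger intent (more events in common) sits lower in the lattice;
    the top node is the concept whose intent is the set of events common to every session.
    """
    intents = [i for _, i in concept_list]
    edges = []
    for lower in intents:
        for upper in intents:
            if upper < lower and not any(upper < mid < lower for mid in intents):
                edges.append((lower, upper))
    return edges


def frequent_closed_itemsets(min_support):
    """Non-empty intents whose extent has at least min_support sessions.

    These are exactly the closed frequent item sets of the context, so the frequent
    item sets of claim 5 fall out of the same lattice as claim 4's concept analysis.
    """
    return [(i, len(e)) for e, i in concepts() if i and len(e) >= min_support]


if __name__ == "__main__":
    for ext, intn in concepts():
        print(sorted(ext), "->", sorted(intn))
    print(len(lattice_edges(concepts())), "edges in the concept lattice")
    for items, support in frequent_closed_itemsets(2):
        print(sorted(items), "support", support)
```

Here the context yields six concepts and seven cover edges; the node whose intent is {port_scan, login_fail, login_ok, priv_esc} is supported by two sessions, and a detector comparing a new session's events to the lattice (claim 11) would locate it at the lowest concept whose intent is contained in the observed event set.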

Claims 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Rockwood (US 7,950,058) in view of Kumar (US Pub. No. 2013/0298230) and further in view of Honig (US Pub No. 2013/0031633).

As per claim 18:
The combination of Rockwood and Kumar teaches the method of having an intrusion detection system 10 that comprises a plurality of sensors 20 and one or more manager servers 30 (column 2, line 36-45 of Rockwood) but fails to disclose:
The method of claim 1, wherein an event of the set of network events includes a memory usage pattern.
However, in the same field of endeavor, Honig teaches this limitation as, (paragraph 53 of Honig, network connection sensors collect information about network connections being made to and from the host machine. Resource sensors gather information about CPU and memory usage on a machine).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Rockwood and Kumar to include the above limitation using the teaching of Honig in order to detect unauthorized activity on computing system by gathering information about the operation of the computing system (see abstract of Honig).

As per claim 19:
The combination of Rockwood and Kumar teaches the method of having an intrusion detection system 10 that comprises a plurality of sensors 20 and one or more manager servers 30 (column 2, line 36-45 of Rockwood) but fails to disclose:
The method of claim 1, wherein an event of the set of events includes a central processing unit usage pattern.
However, in the same field of endeavor, Honig teaches this limitation as, (paragraph 53 of Honig, network connection sensors collect information about network connections being made to and from the host machine. Resource sensors gather information about CPU and memory usage on a machine).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Rockwood and Kumar to include the above limitation using the teaching of Honig in order to detect unauthorized activity on computing system by gathering information about the operation of the computing system (see abstract of Honig).

As per claim 20:
The combination of Rockwood and Kumar teaches the method of having an intrusion detection system 10 that comprises a plurality of sensors 20 and one or more manager servers 30 (column 2, line 36-45 of Rockwood) but fails to disclose:
The method of claim 1, wherein an event of the set of events includes an application access.
However, in the same field of endeavor, Honig teaches this limitation as, (paragraph 52 of Honig, Software wrappers are sensors that gather information about system calls. Netstat sensors use the netstat tool that gathers information about network connections on the host. Registry sensors monitor the activity of the windows registry when applications are run on the host).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Rockwood and Kumar to include the above limitation using the teaching of Honig in order to detect unauthorized activity on computing system by gathering information about the operation of the computing system (see abstract of Honig).


Conclusion

The prior art made of record and not relied upon that is considered pertinent to applicant’s disclosure is Shulman (US Pub. No. 2010/0251377). Shulman discloses methods and systems for protecting an enterprise application using an adaptive normal behavior profile.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to TESHOME HAILU whose telephone number is (571)270-3159. The examiner can normally be reached M-F 8 a.m. - 5 p.m.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571) 272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/TESHOME HAILU/Primary Examiner, Art Unit 2434