DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 are pending.
The claim objections have been withdrawn in view of the claim amendment. 

Response to Arguments
Applicant's arguments filed on 11/17/22 have been fully considered. 
In response to Applicant’s argument regarding the 101 rejection (page 7-8 of Remarks), Examiner acknowledged Applicant’s perspective but upon further consideration, the 101 rejection has been maintained for the reasons provided below.
In response to Applicant’s argument regarding the 102 and 103 rejections (pages 8-9 of Remarks), Examiner acknowledged Applicant’s perspective but respectfully disagreed because although there might be differences between Applicant’s invention and the cited prior arts, the current claims have not successfully captured these differences to render the claims clearly distinguishable from the cited prior arts as explained in more detail below.
Firstly, it should be noted that the claims only recite the term “predicting” and do not further clarify specifically how the “predicting” is being done.  Thus, the term “predicting” broadly covers any type of guessing, forecasting, projecting, estimating, anticipating or inferring.  Moreover, the claims only recite the term “future system condition” and also do not further clarify what this “future system condition” actually is or what type of “future system condition” is meant.  As a result, the term “future system condition” broadly covers any state, status, situation, mode, security, shape, or posture of any system that will likely exist or happen.  
Secondly, Joseph discloses:  
[0021] For the apparatus and method disclosed herein, a predictive attack graph may be used by a network administrator to explore different paths an attacker may take to compromise a high value asset. A high value resource may represent any resource for which protection from an attack is needed for an organization. For example, a high value asset is a database that includes proprietary information related to an organization. The predictive attack graph may predict future paths of an attack based on known vulnerabilities in a network. The predictive attack graph may be built with the knowledge of network topology, services running on different machines, and vulnerabilities that exist in different services. The predictive attack graph may be used to derive a mathematical value based on how many high value assets a malicious event can compromise in the future, how difficult is it to exploit the vulnerabilities from the attacker's standpoint, and how long or how far an attacker has progressed towards compromising the vulnerabilities. The mathematical value may be designated a β-value. The apparatus and method disclosed herein may report anomalous events with high β-values to a network administrator. For example, β-values that exceed a predetermined user-configurable threshold are reported to the network administrator. By reporting anomalous events with high β-values, the apparatus and method disclosed herein may inform a network administrator of anomalies sooner compared to a system in which events are reported once a high value asset has been compromised.

[0022] When it is known that there are paths that may lead an event with malicious intent to compromise high value assets, the apparatus and method disclosed herein may provide for such high value assets to be protected by creating rules based on knowledge of the attack currently in progress. The rules may be designated as ephemeral rules, which last for a very short time (e.g., until the attack has been suppressed). The combination of the clustering and classification model predictions with the predictive attack graph may provide probabilistic future state transitions of a network.

[0025] According to an example, a pre-cognitive SIEM apparatus may include at least one processor, and an anomaly detection module that is executed by the at least one processor to use trained classifiers (e.g., determined by using artificial neural networks (ANNs) as described herein) to detect an anomaly (e.g., a pattern related to a virus, malware, etc., or an outlier from normal behavior as described herein) in input events. The classifiers may be trained to learn patterns of clusters (e.g., determined by using FC as described herein) based on training events. A predictive attack graph generation module that is executed by the at least one processor may generate a predictive attack graph based on the detected anomaly in the input events. The predictive attack graph may provide an indication of different paths that can be taken from a state that is related to the detected anomaly to compromise other selected states related to the state. The other selected states may be selected based on a ranking criterion and a complexity criterion. The predictive attack graph generation module may generate a rank list based on the ranking criterion to include the other selected states, and generate a complexity list based on the complexity criterion to include complexities that are related to vulnerabilities with respect to the other selected states. The predictive attack graph generation module may use the rank list, the complexity list, and a depth of the predictive attack graph to generate a score that provides an indication of a number of states that can be compromised and a difficulty of exploiting vulnerabilities with respect to the states that can be compromised. The depth of the predictive attack graph may represent how many hops an attacker is away from compromising the high value asset.

[0026] For the pre-cognitive SIEM apparatus, the apparatus may be similarly applicable to activities instead of states. For example, the states may represent vulnerabilities in an application and the paths that may be taken from one state (vulnerability) to reach another state (vulnerability). The activities may represent any activities or actions related to a state.

[0050] Generally, the anomaly detection module 112 may analyze the input events 106 to detect outliers in the input events 106 using clusters generated by the clustering module 108 and/or the neurons trained by the training module 110. For example, the anomaly detection module 112 may determine how a particular data point is located in the n-dimensional Euclidian space, and/or a degree by which an event (of the input events 106) deviates from normal behavior. As described herein, an administrator may explore future states of the network for a given list of anomalies. The information about future states may include actions an attacker may take from the current network state, vulnerabilities that the attacker can exploit, and assets the attacker may compromise.

[0051] The predictive attack graph generation module 114 may generate a predictive attack graph based on the detected anomaly in one of the input event 104. The predictive attack graph may indicate different paths an attacker may take to compromise a high value asset. An administrator may explore future states of the attack by exploring the vulnerabilities the attack may exploit. As described herein, a predictive attack graph may use elements related to and including asset A.sub.i, service S.sub.i, vulnerability {V.sub.i}, network connection NC, attacker state X, and exploitation of a vulnerable asset. The asset A.sub.i, service S.sub.i, and vulnerability {V.sub.i} may represent a static component (e.g., the static network topology) of the predictive attack graph, and the network connection NC may represent the real-time component of the predictive attack graph.

[0078] With respect to the predictive attack graph generated by the predictive attack graph generation module 114, each edge in the predictive attack graph may be chosen based on the success probability (i.e., complexity) of reaching the edge. FIG. 4 illustrates a network description, and FIG. 5 illustrates vulnerability details, according to an example of the present disclosure. For the example of FIGS. 4 and 5, the network represented in FIG. 4 includes four hosts separated from the Internet by a firewall. The hosts may be respectively represented by asset IDs A1, A2, A3, and A4. The firewall may allow external hosts to connect to an Internet Information Services (IIS) web server running on port 80 on the host A1. Internal hosts may be allowed to connect to any port within the network. One possible path in the predictive attack graph is shown in FIG. 6 from user(1) to root(4) to compromise the high value asset that has proprietary information. Generally, FIG. 4 illustrates the connectivity, and FIG. 5 (Effects/Elevated Privilege column) explains the vulnerabilities. FIGS. 4 and 5 may be combined to generate FIG. 6. In order for an attacker who compromises A1 to use the vulnerabilities mentioned in FIG. 5 to travel through the predictive attack graph in FIG. 6 and compromise A4, an attacker may exploit buffer overflow vulnerability in the IIS web server and gain administrative privileges, and stop or start any service the attacker wants in that machine, or perform LFI (local file injection) and RCE (remote command execution). As this machine is not the target, the attacker may explore other machines to see valuable assets. As part of the attacker's exploration, the attacker may find out that a remote login trust relationship may be established by creating a .rhost file in the ftp home directory of A2. Then, using the existing login trust relationship, the attacker may log into A2 without providing a password. 
From A2, the attacker may perform a port scan to identify, and by using, for example, LICQ, remote attackers may execute arbitrary commands (via shell metacharacters in a uniform resource locator (URL)) to gain user privileges, and exploit a setuid buffer overflow in the target machine. Considering all the high value assets that may be compromised from rank list, the difficulty of exploiting the vulnerabilities from vulnerability_complexity_list, and the depth of the predictive attack graph, the β-value may be derived. By reporting anomalous events with high β-values, the apparatus 100 may present the anomalies sooner to the network administrator compared to a system in which events are reported once an asset has been compromised.

Thus, the predictive attack graph provides a prediction that the system may be attacked, that the system’s vulnerabilities may be exploited, and that the system’s assets may be compromised.  One or more of these represents a future system condition.  Moreover, by generating the predictive attack graph, Joseph predicts at least the specific paths in the system that may be used to compromise high value assets, specific actions in the system that may be taken by the attacker, specific vulnerabilities in the system that may be exploited, and specific assets in the system that may be compromised.  One or more of the predicted paths in the system that may be used to compromise high value assets, the predicted specific actions in the system that may be taken by the attacker, the predicted specific vulnerabilities in the system that may be exploited, and the predicted specific assets in the system that may be compromised also represents a future system condition.  
For at least the above reasons, Joseph does disclose “predicting, by the processor, a future system condition based, at least in part, on an action that produces an artifact in response to the one or more security incidents” recited in claims 1, 8, and 15.  Claims that depend from claims 1, 8, and 15 are also not patentable because they depend from unpatentable claims.
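As an added illustration of the scoring that Joseph's ¶[0025] and ¶[0078] sketch (rank list, complexity list and graph depth combined into a β-value, anomalies above a threshold reported, ephemeral rules created for the assets at risk), the following Python is example code written for this discussion; it is neither Joseph's implementation nor code from the application under examination. The four-host topology, the per-hop success probabilities, the asset values, the threshold and the combination formula (value × path success probability ÷ hops, summed over reachable high value assets) are all assumptions made here, since the page gives no formula.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from Joseph or the application under examination):
# a four-host network in the spirit of Joseph's FIG. 4 description, with the
# Internet reaching A1 and A4 holding the proprietary database. Edge weights are
# the "complexity" of a hop expressed as a success probability; the numbers are
# made up for this example.
Graph = Dict[str, List[Tuple[str, float]]]

NETWORK: Graph = {
    "internet": [("A1", 0.6)],
    "A1": [("A2", 0.7), ("A3", 0.4)],
    "A2": [("A4", 0.5)],
    "A3": [("A4", 0.2)],
    "A4": [],
}
HIGH_VALUE = {"A4": 10.0}  # asset id -> protection value (assumed scale)


def simple_paths(graph: Graph, start: str, goal: str) -> List[Tuple[List[str], float]]:
    """Enumerate loop-free paths from start to goal together with their success
    probability (product of the edge probabilities along the path)."""
    found: List[Tuple[List[str], float]] = []

    def walk(node: str, path: List[str], prob: float) -> None:
        if node == goal:
            found.append((list(path), prob))
            return
        for nxt, p in graph.get(node, []):
            if nxt not in path:  # keep paths simple (no revisits)
                path.append(nxt)
                walk(nxt, path, prob * p)
                path.pop()

    walk(start, [start], 1.0)
    return found


def most_likely_path(graph: Graph, start: str, goal: str) -> Optional[Tuple[List[str], float]]:
    """Joseph chooses edges by success probability; here the whole path with the
    highest product is taken as the predicted attack path."""
    paths = simple_paths(graph, start, goal)
    return max(paths, key=lambda pp: pp[1]) if paths else None


def beta_value(graph: Graph, anomaly_state: str, high_value: Dict[str, float]):
    """Score an anomaly located at anomaly_state. Returns (score, rank_list,
    complexity_list, paths). The combination formula is an assumption made for
    this example: value * success probability / depth, summed over reachable
    assets; an asset the anomaly already sits on (depth 0) counts at full value."""
    rank_list, complexity_list, paths, score = [], [], {}, 0.0
    for asset, value in high_value.items():
        best = most_likely_path(graph, anomaly_state, asset)
        if best is None:
            continue  # asset not reachable from this state
        path, prob = best
        depth = len(path) - 1  # hops away from compromising the asset
        rank_list.append((asset, value))
        complexity_list.append((asset, prob))
        paths[asset] = path
        score += value * prob / max(depth, 1)
    rank_list.sort(key=lambda av: av[1], reverse=True)
    return score, rank_list, complexity_list, paths


def ephemeral_rules(paths: Dict[str, List[str]]) -> List[str]:
    """One short-lived rule per predicted path: restrict the last hop into the
    asset while the attack is in progress (cf. Joseph's ephemeral rules)."""
    return [f"deny {p[-2]} -> {p[-1]}" for p in paths.values() if len(p) >= 2]


def triage(graph: Graph, anomalies: List[str], high_value: Dict[str, float], threshold: float):
    """Report only anomalies whose score exceeds the (assumed) threshold, each with
    its rank list, complexity list and the rules an administrator could apply."""
    reports = []
    for state in anomalies:
        score, rank, complexity, paths = beta_value(graph, state, high_value)
        if score > threshold:
            reports.append({"state": state, "score": round(score, 4),
                            "rank_list": rank, "complexity_list": complexity,
                            "rules": ephemeral_rules(paths)})
    return reports


if __name__ == "__main__":
    for report in triage(NETWORK, ["internet", "A1", "A2"], HIGH_VALUE, threshold=1.0):
        print(report)
```

With these made-up numbers an anomaly observed at A1 scores 1.75 (best path A1 → A2 → A4, two hops, success probability 0.35) and is reported with the rule restricting A2 → A4, whereas the same anomaly observed one hop further out at the Internet boundary scores 0.7 and stays below the threshold; this is the "report sooner than waiting for the asset to be compromised" behaviour Joseph describes, driven by distance and difficulty rather than by an asset already having been lost.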

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 15-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claims do not fall within at least one of the four categories of patent eligible subject matter.  In this case, Applicant has claimed a “computer program product…comprising one or more computer readable storage media” in the preamble of the claims.  
Since the claims and the specification do not limit the term "computer readable storage media" to only non-transitory storage media, for purposes of examination, it is assumed that the term is meant to also encompass signals per se, which is not statutory. Applicant can overcome this rejection by instead reciting "non-transitory computer readable storage media", which would explicitly exclude signals per se.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-4, 8-11, and 15-18 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Joseph (US 20170032130).

Claim 1, Joseph discloses A computer-implemented method for reasoning based workflow management, the method comprising: 
detecting, by a processor, one or more security incidents within a computer system; (e.g. ¶18, 25, 31, 49: detecting anomalies in input events)
generating, by the processor, a threat score for each of the one or more security incidents; (e.g. ¶18, 21, 25, 49: generating anomaly score and a score of the severity of an attack, deriving a mathematical value based on how many high value assets a malicious event can compromise in the future and how long or how far an attacker has progressed towards compromising the vulnerabilities)
predicting, by the processor, a future system condition based, at least in part, on an action that produces an artifact in response to the one or more security incidents; and (e.g. ¶21, 25, 32, 50, 51: generating a predictive attack graph based on each of the detected anomalies that indicates different future paths that can be taken from a current network state related to that detected anomaly to compromise a high value asset)
pausing, by the processor, a task scheduled to be executed within the computer system based on the predicted future system condition. (e.g. ¶33, 81: when it is known that there are paths that may lead an event with malicious intent to compromise high value assets, those high value assets may be protected by creating rules based on the knowledge of the attack, e.g. rules used to block certain flow of traffic through connected firewalls, to restrict access to a high value asset that is linked to another compromised asset, block access to known IP address that is one step away from being compromised and through which an attacker may communicate to a high value asset)

Claim 2, Joseph discloses The computer-implemented method of claim 1, further comprising: generating, by the processor, one or more artifacts in response to detecting the one or more security incidents; (¶18, 21, 25, 49-51) and updating, by the processor, the threat score for at least one of the one or more security incidents. (e.g. ¶98)

Claim 3, Joseph discloses The computer-implemented method of claim 2, further comprising: executing, by the processor, the paused task based, at least in part, on the updated threat score for at least one of the one or more security incidents. (e.g. ¶81, 98)

Claim 4, Joseph discloses The computer-implemented method of claim 2, further comprising: canceling, by the processor, the paused task based, at least in part, on the updated threat score for at least one of the one or more security incidents.  (e.g. ¶81, 98)

Claims 8 and 15, these claims are rejected for similar reasons as in claim 1.

Claims 9 and 16, these claims are rejected for similar reasons as in claim 2.

Claims 10 and 17, these claims are rejected for similar reasons as in claim 3.

Claims 11 and 18, these claims are rejected for similar reasons as in claim 4.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 5-6, 12-13, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Joseph (US 20170032130) in view of Carver (US 20180124098).

Claim 5, Joseph discloses The computer-implemented method of claim 1, wherein the threat score is based, at least in part, on a detected security incident.  (e.g. ¶18, 21, 25, 49).
Although Joseph discloses the threat score is based at least in part on a detected security incident (see above), Joseph does not appear to explicitly disclose but Carver discloses based at least in part on an internet protocol address of a detected security incident (e.g. ¶12, 14).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Carver into the invention of Joseph for the purpose of determining a threat confidence score that incorporates network features of the security threat. 
	
Claim 6, Joseph-Carver discloses The computer-implemented method of claim 5, wherein the threat score is further based, at least in part, on a hash of the detected security incident.  (Carver, e.g. ¶12, 14).  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Carver into the invention of Joseph for the purpose of determining a threat confidence score that incorporates file attribute of the security threat.

Claims 12 and 19, these claims are rejected for similar reasons as in claim 5.

Claims 13 and 20, these claims are rejected for similar reasons as in claim 6.

Claims 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Joseph (US 20170032130) in view of Sundararam (US 20190303195).

Claim 7, Joseph discloses The computer-implemented method of claim 1, (see above) and does not appear to explicitly disclose but Sundararam discloses reassigning, by the processor, a resource that was originally assigned to the paused task to a different task. (e.g. ¶22)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Sundararam into the invention of Joseph for the purpose of releasing computing resources to high priority tasks (Sundararam, ¶22).

Claim 14, this claim is rejected for similar reasons as in claim 7.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 

US 10547623 discloses securing network devices by forecasting future security incidents for a network based on past security incidents. In one embodiment, a method may include constructing past inside-in security features for a network, constructing past outside-in security features for the network, and employing dynamic time warping to generate a similarity score for each security feature pair in the past inside-in security features, in the past outside-in security features, and between the past inside-in security features and the past outside-in security features. The method may further include generating a Coupled Gaussian Latent Variable (CGLV) model based on the similarity scores, forecasting future inside-in security features for the network using the CGLV model, and performing a security action on one or more network devices of the network based on the forecasted future inside-in security features for the network.

US 20030070003 discloses the vulnerability and security state models can interact with each other and with other models, such as, for example, the attack models. Therefore, for example, the attack models can interact with vulnerability and security state models to provide a comprehensive overview of the computer network attack and the system status. According to exemplary embodiments, the probabilistic assessments can be used to predict at least one of a vulnerability and security state of at least one component in the computer network. In other words, the probabilistic attack assessments can be used by the vulnerability and security state models to predict, for example, the vulnerability and security states of other components in the system. In addition, the vulnerability and security state information can be applied to other models, such as, for example, the attack models.

US 20170230413 discloses an intrusion detection system is coupled to the network infrastructure and configured to process signals received from that infrastructure in order to detect malicious attacks on the network infrastructure. The intrusion detection system includes an evaluator that generates a set of indicators based on the received signals. The evaluator models these indicators as stochastic processes, and then predicts an attack probability for each indicator based on a predicted future state of each such indicator. The evaluator combines the various attack probabilities and determines an overall attack level for the network infrastructure. Based on the attack level, the intrusion detection system dispatches a specific handler to prevent or mitigate attacks.

US 10277619 discloses the systems and methods of the present invention allow for determining the impact of the different correction methods and their change over time. The systems and methods of the present invention can also provide, or enable, a future prediction of vulnerability status in the infrastructure, where the prediction is based, at least in part, on one or more of: the number of active or remaining vulnerabilities, periodic average of vulnerabilities removed or eliminated though patching (e.g., on a rolling month-to-month basis)/patching cadence, and the number of vulnerabilities to be removed or eliminated with a scheduled (or unscheduled) server or other equipment refresh. Bubble charts can be created, which identify where standards across the environment(s) for eliminating vulnerabilities are not being met.

US 20090126023 discloses the security forecast engine 101, which is an essential portion according to the present invention, forecasts the security threat level or the state of attacks of a managed network 110 using a network traffic analysis value or a time series data transformation value stored in the DB 109. The security forecast engine 101 may employ a time series prediction algorithm or a Markov chain prediction algorithm.


THIS ACTION IS MADE FINAL.  See MPEP 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRONG NGUYEN whose telephone number is (571)270-7312.  The examiner can normally be reached on Monday through Thursday 9:30 AM - 5:00 PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GELAGAY SHEWAYE can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/TRONG H NGUYEN/Primary Examiner, Art Unit 2436