Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This action is in response to: claims filed on 04/29/2022; the provisional priority date 07/21/2010 is considered.
Claims 1-29 are currently pending and rejected. 

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 04/29/2022 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-19 are rejected on the ground of nonstatutory double patenting over claims 1-25 of U.S. Patent No. 11,343,265 B2 since the claims, if allowed, would improperly extend the “right to exclude” already granted in the patent.
The subject matter claimed in the instant application is fully disclosed in the patent and is covered by the patent since the patent and the application are claiming common subject matter, as follows: 
Instant application (17/661,511), claim 1:
1. A method for detecting security threats associated with at least one client network, the method for use in a system, said system comprising: 
at least one network entity associated with said at least one client network and configured to enable outbound communication via a communication network; 
at least one asset configured to communicate with one of a plurality of hosts via said communication network; and 
at least one log-analytic detection platform configured to analyze a plurality of log files associated with a plurality of channels, each said plurality of channels connecting an asset with a host, and further configured to determine a risk factor at least based on said outbound communications log for at least one entity, each of said plurality of channels being characterized by a channel identification pair comprising said asset and said host, said method being for operating said at least one log-analytics detection platform, comprising: 
obtaining, via said communication network, said plurality of log files from said at least one client network, each of said plurality of log files comprising at least one log record associated with at least one channel, said plurality of log files including at least one outbound communications log; 
extracting a channel feature set for each of said plurality of channels from said plurality of log files, said channel feature set comprises data pertaining to at least one associated entity, at least one channel feature being behavior of communication over a channel; 
aggregating said channel associated features for each of said plurality of channels into at least one data repository; 
generating said risk factor for said least one entity associated with entities of said plurality of channels, said risk factor characterized by an entity score; and 
blocking of communication for said at least one entity when said risk factor is indicative of said at least one entity being a security threat.

US Patent (11,343,265 B2), claim 1:
1. A method for detecting security threats associated with at least one client network, the method for use in a system, said system comprising: 
at least one network entity associated with said at least one client network and configured to enable outbound communication via a communication network; 
at least one asset configured to communicate with one of a plurality of hosts via said communication network; and 
at least one log-analytic detection platform configured to analyze a plurality of log files associated with a plurality of channels, each said plurality of channels connecting an asset with a host, and further configured to determine a risk factor at least based on said outbound communications log for at least one entity, each of said plurality of channels being characterized by a channel identification pair comprising said asset and said host, said method for operating said at least one log-analytics detection platform comprising: 
obtaining, via said communication network, said plurality of log files from said at least one client network, each of said plurality of log files comprising at least one log record associated with at least one channel, said plurality of log files including at least one outbound communications log; 
extracting a channel feature set for each of said plurality of channels from said plurality of log files, said channel feature set comprises data pertaining to at least one associated entity, at least one channel feature being behavior of communication over a channel; 
aggregating said channel associated features for each of said plurality of channels into at least one data repository; 
generating said risk factor for said least one entity associated with entities of said plurality of channels, said risk factor characterized by an entity score; and 
blocking of communication for said at least one entity when said risk factor is indicative of said at least one entity being a security threat; 
wherein the step of aggregating, comprises: retrieving, from said at least one data repository, a stored channel and an associated stored channel feature set identified by said channel identification pair; 
joining the channel feature set with the stored channel feature set matched by said entity identification pair; 
computing features for at least one entity associated with the stored channel; and 
storing the joined channel feature set into said at least one data repository; and wherein the step of computing further comprises: 
grouping a set of channels matched by the associated host; and 
computing the features of the associated host by joining the feature associated with each channel which is associated with the host.
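To make the claimed pipeline concrete (obtain log records, extract a feature set per channel keyed by the (asset, host) identification pair, join it with the stored feature set in a repository, group channels by host to compute host features, score the host as an entity, and block when the score indicates a threat), the following Python sketch is added here as an illustration. It is not code from the application, the patent, or either cited reference. The log records are constructed, and the scoring function is a hand-written heuristic standing in for the claimed entity scoring model; the feature names (`connections`, `bytes_out`, `regularity`) and the threshold are assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound-communication log records: (asset, host, timestamp_s, bytes_out).
# Invented for this illustration; not taken from the application or the references.
SAMPLE_LOG = [
    ("ws-01", "cdn.example", 0, 48000),
    ("ws-02", "cdn.example", 7, 51000),
    ("ws-03", "cdn.example", 130, 9000),
    ("ws-01", "cdn.example", 412, 60000),
    ("ws-02", "cdn.example", 900, 2200),
    ("ws-07", "beacon.test", 0, 300),
    ("ws-07", "beacon.test", 60, 310),
    ("ws-07", "beacon.test", 120, 300),
    ("ws-07", "beacon.test", 180, 305),
    ("ws-07", "beacon.test", 240, 300),
]


def extract_channel_features(records):
    """'Extracting': one feature set per channel, keyed by the identification pair (asset, host)."""
    by_channel = defaultdict(list)
    for asset, host, ts, nbytes in records:
        by_channel[(asset, host)].append((ts, nbytes))
    features = {}
    for pair, events in by_channel.items():
        events.sort()
        stamps = [t for t, _ in events]
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Communication-behavior feature: timing regularity in [0, 1]; 1 means perfectly
        # periodic. Channels with fewer than three connections cannot show periodicity.
        regularity = 0.0
        if len(gaps) >= 2 and mean(gaps) > 0:
            regularity = max(0.0, 1.0 - pstdev(gaps) / mean(gaps))
        features[pair] = {
            "connections": len(events),
            "bytes_out": sum(b for _, b in events),
            "regularity": regularity,
        }
    return features


def aggregate(repository, channel_features):
    """'Aggregating': retrieve the stored channel by its identification pair, join the
    new feature set with the stored one, and store the joined set back."""
    for pair, feats in channel_features.items():
        stored = repository.get(pair)
        if stored is None:
            repository[pair] = dict(feats)
            continue
        total = stored["connections"] + feats["connections"]
        # Connection-weighted merge keeps regularity comparable across batches.
        stored["regularity"] = (stored["regularity"] * stored["connections"]
                                + feats["regularity"] * feats["connections"]) / total
        stored["connections"] = total
        stored["bytes_out"] += feats["bytes_out"]
    return repository


def compute_host_features(repository):
    """'Computing': group channels by host and join each channel's features into host features."""
    acc = defaultdict(lambda: {"assets": set(), "connections": 0, "bytes_out": 0, "reg_sum": 0.0})
    for (asset, host), f in repository.items():
        h = acc[host]
        h["assets"].add(asset)
        h["connections"] += f["connections"]
        h["bytes_out"] += f["bytes_out"]
        h["reg_sum"] += f["regularity"] * f["connections"]
    return {
        host: {
            "distinct_assets": len(h["assets"]),
            "connections": h["connections"],
            "bytes_per_connection": h["bytes_out"] / h["connections"],
            "regularity": h["reg_sum"] / h["connections"],
        }
        for host, h in acc.items()
    }


def entity_score(host_feats):
    """Assumed heuristic in place of the claimed entity scoring model: periodic timing,
    few assets talking to the host, and small payloads each raise the score."""
    periodic = host_feats["regularity"]
    narrow = 1.0 / host_feats["distinct_assets"]
    small = 1.0 if host_feats["bytes_per_connection"] < 1024 else 0.0
    return round(0.5 * periodic + 0.3 * narrow + 0.2 * small, 3)


def run_pipeline(records, repository=None, threshold=0.7):
    """'Generating' and 'blocking': score each host entity and return the hosts whose
    risk factor crosses the (assumed) threshold, alongside the scores and repository."""
    repository = aggregate({} if repository is None else repository,
                           extract_channel_features(records))
    scores = {h: entity_score(f) for h, f in compute_host_features(repository).items()}
    blocked = {h for h, s in scores.items() if s >= threshold}
    return scores, blocked, repository


if __name__ == "__main__":
    scores, blocked, _ = run_pipeline(SAMPLE_LOG)
    print(scores, "block:", sorted(blocked))
```

The constructed log contains one host reached by several assets with irregular, bulky transfers and one host reached by a single asset at a fixed 60-second cadence with tiny payloads; only the second crosses the assumed threshold. Running `aggregate` a second time with the same batch shows the join step: the stored channel's connection count doubles while its regularity feature is preserved.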


Furthermore, there is no apparent reason why applicant was prevented from presenting claims corresponding to those of the instant application during prosecution of the application which matured into a patent. See In re Schneller, 397 F.2d 350, 158 USPQ 210 (CCPA 1968). See also MPEP § 804.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-13 and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Moghe, US Pub. No. 2011/0035781 A1 (hereinafter Moghe), in view of Stephenson, US Pub. No. 2008/0082380 A1 (hereinafter Stephenson).

Moghe teaches:
As to claim 1, a method for detecting security threats associated with at least one client network, the method for use in a system (see Moghe ¶34, the monitoring layer (or other discrete functionality in the appliance) can be provided to receive and process external data feeds (such as a log of prior access activity) in addition to (or in lieu of) promiscuous or other live traffic monitoring), said system comprising: 
at least one network entity associated with said at least one client network and configurable to enable outbound communication via a communication network (see Moghe ¶54, A communications middleware layer provides a distributed communication mechanism); 
at least one asset configured to communicate with one of a plurality of hosts via said communication network (see Moghe ¶25, receive and process (through the filtering and decoding steps) data feeds from other sources, such as an externally-generated); and 
at least one log-analytic detection platform configurable to analyze a plurality of log files associated with a plurality of channels, each said plurality of channels connecting an asset with a host, and further configurable to determine a risk factor for at least one entity (see Moghe Fig. 3 and ¶20, an enterprise in which the distributed search/audit and analytics features of the present invention is implemented operates a distributed computing environment that includes a set of computing-related entities (systems, machines, servers, processes, programs, libraries, functions, or the like) that facilitate information asset storage, delivery and use; ¶34, the monitoring layer (or other discrete functionality in the appliance) can be provided to receive and process external data feeds (such as a log of prior access activity) in addition to (or in lieu of) promiscuous or other live traffic monitoring; ¶31, fourth module 116 (called the risk mitigation layer) allows for flexible actions to be taken in the event alert events are generated in the analytics layer), each of said plurality of channels being characterized by a channel identification pair comprising said asset and said host (see Moghe Fig. 3 and ¶20, an enterprise in which the distributed search/audit and analytics features of the present invention is implemented operates a distributed computing environment that includes a set of computing-related entities (systems, machines, servers, processes, programs, libraries, functions, or the like) that facilitate information asset storage, delivery and use), said method being for operating said at least one log-analytics detection platform (see Moghe Fig. 3, and ¶36, distributed search/audit and analytics system 300 includes the following components: a management console 302 (TMC), one or more server appliances, one of which is illustrated as 304, and a plurality of client appliances 306), the method comprising: 
extracting a channel feature set for each of said plurality of channels from said plurality of log files, said channel feature set comprises data pertaining to at least one associated entity, at least one channel feature being behavior of communication over a channel (see Moghe ¶49, extract and sort query-matching events from a client-resident event database); and
aggregating said channel associated features for each of said plurality of channels into at least one data repository (see Moghe Fig. 4 and ¶37, the system 300 has the ability to run a distributed query across multiple appliances--each of which may monitor many data servers--and returns consolidated results at the TMC 302 console);
generating said risk factor for said least one entity associated with entities of said plurality of channels, said risk factor characterized by an entity score (see Moghe ¶29, anomalies can be statistical in nature or deterministic. If either signatures or anomalies are triggered, the access is classified as an event; depending on the value of a policy-driven response field, an Audit 212 and/or an Alert 214 event is generated (i.e. risk factor)); and 
blocking of communication for said at least one entity when said risk factor is indicative of said at least one entity being a security threat (see Moghe ¶31, if an insider (i.e. entity) intrusion is positively verified, the system then can perform a user disconnect (i.e. blocking), such as a network-level connection termination); 
Moghe does not explicitly teach but the related art Stephenson teaches:
obtaining, via said communication network, said plurality of log files from said at least one client network, each of said plurality of log files comprising at least one log record associated with at least one channel, said plurality of log files including at least one outbound communications log (see Stephenson ¶26 The security policy domains, the inter-domain communications policies and the log data are then used to perform the inter-domain communications analysis);
Therefore, it would have been obvious to one with ordinary skill in the art at the time the invention was filed to modify the distributed data search, audit and analytics disclosed by Moghe to include the method for evaluating system risk, as taught by Stephenson, so as to include log data in performing analysis of inter-domain communication, including outbound communication. A person with ordinary skill in the art would have been motivated to include the analysis of communication log data to enhance security and usability.

As to claim 2, the combination of Moghe and Stephenson teaches the method, wherein the step of obtaining further comprises: normalizing each of said plurality of log files by mapping fields associated with said at least one log record from a third-party format into a standard format (see Stephenson ¶21, The method accepts input data from a variety of sources and normalizes that data to be useful for threat, vulnerability and risk correlation).

As to claim 3, the combination of Moghe and Stephenson teaches the method, wherein the step of extracting, comprises: matching at least one log record associated with at least one of said plurality of channels (see Moghe ¶42, On each client appliance 306, extract and sort query-matching events from a client-resident event database);
grouping said at least one log record into a set of groups of channel associated records for at least one of said plurality of channels, each group of said set is associated with one matched channel (see Moghe ¶38, push the query to all CMC client appliances 306 in the target appliance group);
extracting said channel feature set from the group of channel associated records associated with each of said plurality of channels and identified by said channel identification pair, wherein said channel feature set being characterized by at least one of: data pertaining to communication behavior, data pertaining to host domain and data pertaining to host IP (see Moghe ¶42, On each client appliance 306, extract and sort query-matching events from a client-resident event database); and 
extracting, for each channel, asset associated features and host associated features and integrating into said channel feature set (see Moghe ¶42, extract and sort query-matching events from a client-resident event database). 

As to claim 4, the combination of Moghe and Stephenson teaches the method, wherein the step of generating, comprises: using an entity scoring model, said entity scoring model is configurable to provide said entity score for said at least one entity (see Stephenson ¶21, The method accepts input data from a variety of sources and normalizes that data to be useful for threat, vulnerability and risk correlation); 
classifying said at least one entity to determine said risk factor according to said entity score (see Stephenson ¶21, The method accepts input data from a variety of sources and normalizes that data to be useful for threat, vulnerability and risk correlation); and 
storing pertaining data of said risk factor into said at least one data repository (see Moghe ¶22, an analytics module or layer 112, a storage module or layer 114, a risk mitigation module or layer 116, and a policy management module or layer 118); 
wherein the entity score expresses the likelihood that said at least one entity is associated with a command and control (C&C) host communication (see Moghe ¶31, mitigation layer may provide other responses as well including, without limitation, real-time forensics for escalation, alert management via external event management (SIM, SEM), event correlation, perimeter control changes (e.g., in firewalls, gateways, IPS, VPNs, and the like) and/or network routing changes). 

As to claim 5, the combination of Moghe and Stephenson teaches the method, wherein said at least one log-analytic detection platform is configurable to collect a plurality of classified entities and execute a supervised machine learning algorithm to determine said entity scoring model, wherein said plurality of classified entities are selected from a group consisting of a channel, an asset, a host and combinations thereof (see Stephenson ¶28, These risks may be determined on a port-by-port basis for all or a selected portion of the open ports in the system under evaluation). 

As to claim 6, the combination of Moghe and Stephenson teaches the method, further comprising validating said risk factor associated with said at least one entity (see Moghe the layer provides for direct or indirect user interrogation and/or validation).

As to claim 7, the combination of Moghe and Stephenson teaches the method, wherein the step of generating further comprises: creating an output list of potentially compromised client assets, if said risk factor indicates that said at least one entity is malicious, said output list comprising each of said plurality of assets communicating with said at least one entity (see Moghe ¶29, policies allow criteria to be defined via signatures (patterns) or anomalies). 

As to claim 8, the combination of Moghe and Whitehouse teaches the method, further comprising: creating an output incidents report comprising data pertaining to the risk factor associated with each of said plurality of channels related entities (see Moghe ¶22, a browser or other rendering engine, input/output devices and network connectivity). 

As to claim 9 the combination of Moghe and Whitehouse teaches the method, wherein said output incidents report is configured to be transmitted via said communication network to said at least one client network (see Moghe ¶37, distributed query and reporting functionality is described with reference to FIG. 4). 

As to claim 10, the combination of Moghe and Whitehouse teaches the method, further comprising the step of: creating an alert associated with a detectable security incident associated with at least one entity, said alert is configured to be transmitted via said communication network (see Moghe ¶27, An alert event is mitigated by one or more techniques under the control of the mitigation layer 116). 

Moghe teaches:
As to claim 11, a method for detecting security threats associated with at least one client network, the method for use in a system (see Moghe ¶34, the monitoring layer (or other discrete functionality in the appliance) can be provided to receive and process external data feeds (such as a log of prior access activity) in addition to (or in lieu of) promiscuous or other live traffic monitoring), said system comprising: 
at least one network entity associated with said at least one client network and configurable to enable outbound communication via a communication network (see Moghe ¶54, A communications middleware layer provides a distributed communication mechanism);  
at least one asset associated with said at least one client network and configurable to communicate with at least one of a plurality of hosts via said communication network (see Moghe ¶25, receive and process (through the filtering and decoding steps) data feeds from other sources, such as an externally-generated); and 
at least one log-analytic detection platform configurable to analyze a plurality of log files said plurality of log files including at least one outbound communications log and further determine a risk factor associated with at least one super-channel, said at least one super-channel is characterized by a super-channel (see Moghe Fig. 3 and ¶20, an enterprise in which the distributed search/audit and analytics features of the present invention is implemented operates a distributed computing environment that includes a set of computing-related entities (systems, machines, servers, processes, programs, libraries, functions, or the like) that facilitate information asset storage, delivery and use; ¶34, the monitoring layer (or other discrete functionality in the appliance) can be provided to receive and process external data feeds (such as a log of prior access activity) in addition to (or in lieu of) promiscuous or other live traffic monitoring; ¶31, fourth module 116 (called the risk mitigation layer) allows for flexible actions to be taken in the event alert events are generated in the analytics layer),
said at least one super-channel comprises: a set of channels, each said channel connecting an asset with a host, wherein said at least one host associated with a host-group, and wherein each said channel being characterized by a characteristics vector and a channel identification pair, said method for operating said at least one log-analytics detection platform (see Moghe Fig. 3 and ¶20, an enterprise in which the distributed search/audit and analytics features of the present invention is implemented operates a distributed computing environment that includes a set of computing-related entities (systems, machines, servers, processes, programs, libraries, functions, or the like) that facilitate information asset storage, delivery and use); 
identifying said at least one super-channel, wherein the set of channels associated with said at least one super-channel are determined by a shared similarity (see Moghe ¶26, provision policy filters (as will described) that processes functionally similar operations);
extracting the super-channel are determined by a shared similarity (see Moghe ¶26, provision policy filters (as will described) that processes functionally similar operations);
aggregating said channel associated features for each of said plurality of channels into at least one data repository (see Moghe Fig. 4 and ¶37, the system 300 has the ability to run a distributed query across multiple appliances--each of which may monitor many data servers--and returns consolidated results at the TMC 302 console);
generating said risk factor for said least one entity associated with entities of said plurality of channels, said risk factor characterized by an entity score (see Moghe ¶29, anomalies can be statistical in nature or deterministic. If either signatures or anomalies are triggered, the access is classified as an event; depending on the value of a policy-driven response field, an Audit 212 and/or an Alert 214 event is generated (i.e. risk factor)); and 
blocking of communication for said at least one entity when said risk factor is indicative of said at least one entity being a security threat (see Moghe ¶31, if an insider (i.e. entity) intrusion is positively verified, the system then can perform a user disconnect (i.e. blocking), such as a network-level connection termination); 
Moghe does not explicitly teach but the related art Stephenson teaches:
obtaining said plurality of log files, from said at least one client network, each of said plurality of log files comprising at least one log records (see Stephenson ¶26 The security policy domains, the inter-domain communications policies and the log data are then used to perform the inter-domain communications analysis);

Therefore, it would have been obvious to one with ordinary skill in the art at the time the invention was filed to modify the distributed data search, audit and analytics disclosed by Moghe to include the method for evaluating system risk, as taught by Stephenson, so as to include log data in performing analysis of inter-domain communication, including outbound communication. A person with ordinary skill in the art would have been motivated to include the analysis of communication log data to enhance security and usability.

As to claim 12, the combination of Moghe and Stephenson teaches the method, wherein the step of identifying, comprises: identifying a set of channels having the same asset and a shared similarity into a super-channel (see Moghe ¶26, provision policy filters (as will described) that processes functionally similar operations); 
setting the asset of the super-channel to be the asset of each channel having said common characteristics and setting the host-group of the super-channel to include the hosts of the associated channels (see Moghe ¶36, client appliances are organized in one or more appliance "groups," with three (3) such groups illustrated); and 
creating a new super-channel for each channel that is not grouped, where the associated host-group comprises the host of the associated channel, wherein said shared similarity is based on identity or similarity in certain characteristics or based on similarity between a combination of characteristics of the associated characteristics vector (see Moghe ¶36, appliance group may be associated with a particular geographical location (East Coast), a specific function (Test Bed), or the like). 

As to claim 13, the combination of Moghe and Stephenson teaches the method, wherein the step of extracting, comprises: extracting a set of attributes representing the associated super-channel feature set, said super-channel feature set characterized by at least one of: an identified similarity characteristics determined by said shared similarity associated with each channel of said set of channels, a communication behavior characteristics associated with at least one channel of said set of channels, a domain characteristics of at least one host of the associated host-group; and a host IP address characteristics of at least one host of the associated host-group (see Moghe ¶29, anomalies can be statistical in nature or deterministic. If either signatures or anomalies are triggered, the access is classified as an event; depending on the value of a policy-driven response field, an Audit 212 and/or an Alert 214 event is generated (i.e. risk factor)). 

As to claim 17, the combination of Moghe and Stephenson teaches the method, wherein said at least one log-analytic detection platform is configurable to collect a plurality of classified entities and execute a supervised machine learning algorithm to determine said entity scoring model, wherein said plurality of classified entities are selected from a group consisting of a channel, an asset, a host and combinations thereof (see Stephenson ¶28, These risks may be determined on a port-by-port basis for all or a selected portion of the open ports in the system under evaluation). 

As to claim 18, the combination of Moghe and Stephenson teaches the method, wherein the step of generating, comprises: using an entity scoring model, said entity scoring model is configurable to provide said entity score for said at least one entity; classifying said at least one entity to determine said risk factor according to said entity score; and storing pertaining data of said risk factor in said at least one data repository; wherein the entity score expresses the likelihood that said at least one entity is associated in a command and control (C&C) host communication (see Stephenson ¶21, The method accepts input data from a variety of sources and normalizes that data to be useful for threat, vulnerability and risk correlation). 

Moghe teaches:
As to claim 19, a method for detecting security threats associated with at least one client network, the method for use in a system (see Moghe ¶34, the monitoring layer (or other discrete functionality in the appliance) can be provided to receive and process external data feeds (such as a log of prior access activity) in addition to (or in lieu of) promiscuous or other live traffic monitoring), said system comprising: 
at least one network entity associated with said at least one client network and configurable to enable outbound communication via a communication network (see Moghe ¶54, A communications middleware layer provides a distributed communication mechanism); 
at least one asset configured to communicate with one of a plurality of hosts via said communication network (see Moghe ¶25, receive and process (through the filtering and decoding steps) data feeds from other sources, such as an externally-generated); and 
at least one log-analytic detection platform configurable to analyze a plurality of log files associated with a plurality of channels, each said plurality of channels connecting an asset with a host, and further configurable to determine a risk factor for at least one entity (see Moghe Fig. 3 and ¶20, an enterprise in which the distributed search/audit and analytics features of the present invention is implemented operates a distributed computing environment that includes a set of computing-related entities (systems, machines, servers, processes, programs, libraries, functions, or the like) that facilitate information asset storage, delivery and use; ¶34, the monitoring layer (or other discrete functionality in the appliance) can be provided to receive and process external data feeds (such as a log of prior access activity) in addition to (or in lieu of) promiscuous or other live traffic monitoring; ¶31, fourth module 116 (called the risk mitigation layer) allows for flexible actions to be taken in the event alert events are generated in the analytics layer), each of said plurality of channels being characterized by a channel identification pair comprising said asset and said host (see Moghe Fig. 3 and ¶20, an enterprise in which the distributed search/audit and analytics features of the present invention is implemented operates a distributed computing environment that includes a set of computing-related entities (systems, machines, servers, processes, programs, libraries, functions, or the like) that facilitate information asset storage, delivery and use), said method being for operating said at least one log-analytics detection platform (see Moghe Fig. 3, and ¶36, distributed search/audit and analytics system 300 includes the following components: a management console 302 (TMC), one or more server appliances, one of which is illustrated as 304, and a plurality of client appliances 306), the method comprising: 
extracting a channel feature set for each of said plurality of channels from said plurality of log files, said channel feature set comprises data pertaining to at least one associated entity (see Moghe ¶49, extract and sort query-matching events from a client-resident event database); and
aggregating said channel associated features for each of said plurality of channels into at least one data repository (see Moghe Fig. 4 and ¶37, the system 300 has the ability to run a distributed query across multiple appliances--each of which may monitor many data servers--and returns consolidated results at the TMC 302 console);
generating said risk factor for said at least one entity associated with entities of said plurality of channels, said risk factor characterized by an entity score (see Moghe ¶29, anomalies can be statistical in nature or deterministic. If either signatures or anomalies are triggered, the access is classified as an event; depending on the value of a policy-driven response field, an Audit 212 and/or an Alert 214 event is generated (i.e. risk factor)); and 
blocking of communication for said at least one entity when said risk factor is indicative of said at least one entity being a security threat (see Moghe ¶31, if an insider (i.e. entity) intrusion is positively verified, the system then can perform a user disconnect (i.e. blocking), such as a network-level connection termination);
Moghe does not explicitly teach but the related art Stephenson teaches:
obtaining, via said communication network, said plurality of log files from said at least one client network, each of said plurality of log files comprising at least one log record associated with at least one channel, said plurality of log files including at least one outbound communications log (see Stephenson ¶26 The security policy domains, the inter-domain communications policies and the log data are then used to perform the inter-domain communications analysis);
at least one channel feature being information regarding one of a domain or internet protocol (IP) address of a host (see Stephenson ¶26, the criteria that were used include matching all of the groups that have access to the system with the IP address ranges in the system);
Therefore, it would have been obvious to one with ordinary skill in the art at the time the invention was filed to modify the distributed data search, audit and analytics disclosed by Moghe to include the method for evaluating system risk, as taught by Stephenson, so as to include log data in the analysis of inter-domain communication, including outbound communication. A person with ordinary skill in the art would have been motivated to include the analysis of communication log data to enhance security and usability.


Claims 14-16 are rejected under 35 U.S.C. 103 as being unpatentable over Moghe US Pub. 2011/0035781 A1 (hereinafter Moghe) in view of Stephenson et al. US Pub. No.: 2011/0035390 A1 (hereinafter Stephenson), and further in view of Whitehouse.

As to claim 14, the combination of Moghe and Stephenson does not explicitly teach but the related art Whitehouse teaches:
the method, wherein said characteristics vector comprises data pertaining to at least one characteristic selected from a group consisting of: communication characteristics, domain name characteristics, IP address characteristics and combinations thereof, wherein said communication characteristics comprises data associated with at least one of the path and query parts of a URL, destination IP address, sequence properties; and wherein said domain name characteristics and IP address characteristics comprises data associated with at least one of the domain and subdomain of the host, the domain registration details, IP addresses of the domain and the domain site (see Whitehouse ¶20, the storage method can employ one or more "flat files" containing individual logs messages. For example, a "row" in a flat file containing log messages from an email system can contain a user's name (e.g., "Matt"), IP address, location, and event occurrence, such as a failed login attempt. Such an entry can include a timestamp for identifying the time (e.g., down to the minute or fraction of a second) that the entry was made). 
Therefore, it would have been obvious to one with ordinary skill in the art at the time the invention was filed to modify the distributed data search, audit and analytics disclosed by Moghe and the method for evaluating system risk, as taught by Stephenson, to include message descriptions, as taught by Whitehouse, in order to incorporate the steps of aggregation. A person with ordinary skill in the art would have been motivated to include the log file normalization in order to enhance usability and security.

As to claim 15, the combination of Moghe and Stephenson does not explicitly teach but the related art Whitehouse teaches:
the method, wherein further comprising the step of merging associated host-groups based upon similarities, comprising: determining the shared similarity of a first super-channel with a second super-channel; and merging the associated host-group of the second super-channel into the associated host-group of the first super-channel, if the characteristic vector of said first super-channel is analyzed of being similar to the characteristic vector of said second super-channel (see Whitehouse ¶97, message descriptions can be classified into groups, such as groups of messages produced by a particular vendor or product).
Same motivation applied as above to combine the cited prior art references.

As to claim 16, the combination of Moghe, Stephenson and Whitehouse teaches the method, wherein step of merging, comprises: determining the shared similarity of a first super-channel with a second super-channel such that the associated host-group comprises at least one C&C host; and merging the associated host-group of the second super-channel into the associated host-group of the first super-channel, if the first host-group comprises no C&C hosts and the second host-group comprises at least one C&C host, such that all associated hosts of the merged host-group are marked as C&C hosts (see Moghe ¶26, the policy language enables the administrator to provision policy filters (as will described) that processes functionally similar operations (e.g., a "READ" Operation with respect to a file server and a "SELECT" Operation with respect to a SQL database server) even though the operations rely on different access protocols).
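The claimed pipeline of claims 1, 15 and 16 (per-channel feature extraction from outbound logs, aggregation into super-channels, merging host-groups whose characteristic vectors are similar with C&C marking propagating to the merged group, an entity score, and a blocking decision), as an added Python sketch that is not part of the office action, the application or the cited references; the log lines, host names, the Jaccard similarity measure and the thresholds are all constructed for illustration.

```python
from collections import defaultdict

LOG_LINES = [  # constructed outbound log: asset, host, URL path, destination IP
    "ws-01 cdn.example.test /static/app.js 198.51.100.10",
    "ws-01 upd.example.test /gate.php?id=7 203.0.113.5",
    "ws-02 upd.example.test /gate.php?id=9 203.0.113.5",
    "ws-02 c2.example.test /gate.php?id=2 203.0.113.6",
    "ws-03 cdn.example.test /static/site.css 198.51.100.10",
]
KNOWN_C2 = {"c2.example.test"}  # constructed: one host already labelled C&C

def extract_channel_features(lines):
    """Channel = (asset, host) identification pair; features = paths and IPs seen."""
    feats = defaultdict(lambda: {"paths": set(), "ips": set()})
    for line in lines:
        asset, host, path, ip = line.split()
        feats[(asset, host)]["paths"].add(path.split("?")[0])  # path part only
        feats[(asset, host)]["ips"].add(ip)
    return feats

def super_channels(feats):
    """Aggregate channels per host into a characteristic vector and a host-group."""
    groups = {}
    for (asset, host), f in feats.items():
        g = groups.setdefault(host, {"paths": set(), "hosts": {host},
                                     "c2": host in KNOWN_C2})
        g["paths"] |= f["paths"]
    return groups

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def merge_host_groups(groups, threshold=0.5):
    """Merge the second host-group into the first when vectors are similar;
    a C&C mark on either side marks every host of the merged group."""
    merged = {h: {"paths": set(g["paths"]), "hosts": set(g["hosts"]), "c2": g["c2"]}
              for h, g in groups.items()}
    names = list(merged)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            if first in merged and second in merged and \
                    jaccard(merged[first]["paths"], merged[second]["paths"]) >= threshold:
                a, b = merged[first], merged.pop(second)
                a["hosts"] |= b["hosts"]
                a["paths"] |= b["paths"]
                a["c2"] = a["c2"] or b["c2"]
    return merged

def score_assets(feats, merged):
    """Entity score = number of channels an asset has to a C&C-marked host."""
    c2_hosts = set().union(*(g["hosts"] for g in merged.values() if g["c2"]))
    scores = defaultdict(int)
    for asset, host in feats:
        scores[asset] += host in c2_hosts
    return dict(scores)

def threats(scores, cutoff=1):
    """Assets whose score reaches the cutoff are candidates for blocking."""
    return {asset for asset, s in scores.items() if s >= cutoff}

def run(lines=LOG_LINES):
    feats = extract_channel_features(lines)
    merged = merge_host_groups(super_channels(feats))
    return score_assets(feats, merged), merged
```

Here `upd.example.test` shares its characteristic vector with the known C&C host, so the merge marks it as C&C too and both assets talking to it are scored as threats.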
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NEGA WOLDEMARIAM whose telephone number is (571)270-7478. The examiner can normally be reached Monday to Friday, 8am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu, can be reached on 571-272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/NEGA WOLDEMARIAM/Examiner, Art Unit 2433

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433