DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

This is a non-final office action in response to remarks filed on 29 July 2022.  Claims 1, 4, 13, and 17 are amended. No claims are canceled or added.  Claims 1-20 are pending.

Response to Arguments
Applicant’s arguments, see pages 7-8, filed 29 July 2022, with respect to the rejections of claims 1-3, 13, and 17-20 under 35 USC 112 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  

Applicant’s arguments, see remarks pages 9-15, filed 29 July 2022, with respect to the rejection(s) of claims 1-20 under 35 USC 102 and 103 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made incorporating newly discovered references Meir, Mehr, Lee.
While applicant’s arguments are moot in light of the use of the newly discovered references in the rejections below, examiner respectfully points out that several of the arguments are not within the scope of the current claims and recommends amending the claims to include them within the claims scope. For instance, the claims do not describe a 1:1 relationship between a network event profile and a network event (see remarks pages 9-11). Also, there is no explanation regarding what nor how a type of network event is used to generate a network event profile since the repeated use of “related to” and “associated with” a network event does not define a direct relationship between a network event, network event profile, attributes, and type of network event nor does it explain how a network event profile is generated “based on a type of the network event” (see remarks pages 9-11). Furthermore, examiner respectfully points out that the claims do not disclose how network event profiles and reference feedback are used to train the neural network (remarks pages 11-13), only that network event profiles and reference feedback are used and that they are part of the training data according to the new amendment. While elements (i)-(iii) are described in the same limitation, these elements are not used for training but rather for updating neural network parameters based on predictions. If these predictions are meant to be part of the training process, then examiner recommends amending the claims to clarify this. Additionally, the claims also do not explain that the network event profiles are the subject of training (see remarks page 13)
Also, the scope of independent claims 1, 4, and 17 are all different. While there are specific arguments for claims 1 and 17, there are no specific arguments for independent claim 4 aside from the allusion on page 15 that the previous arguments also apply, but the points raised in the previous arguments aren’t commensurate with claim 4’s scope. 


Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 17-19 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Meir et al. (U.S. Patent 11,483,326)

Regarding claim 17, Meir disclosed a computer-readable medium storing instructions that, when executed by one or more processors, cause operations comprising: 
collecting network event data related to a network event that is related to a data item (see Meir Fig. 1 #101, #102, #108, #110, #107, 3:34-43: agent 102 on endpoint 101 detects event data 108 (i.e. data item, incident data) and sends the event data to event processor #110 which sends the event data to event database #107 for future use | 2:20-25: agents deployed on endpoints filter and aggregate event data and forward the aggregated event data (i.e. network event data) to a database), the network event data including incident data associated with the network event (see Meir Fig. 1 #108, 3:65-4:12: event data #108 includes data about specific event (i.e. incident data));
generating a network event profile for the network event (see Meir 4:29-35: the aggregated event data are converted into a standardized, bucketed format (i.e. network event profile) that groups events from distinct endpoints into the same bucket if they are functionally similar or identical) based on a type of the network event (see Meir 4:31-35: events from distinct endpoints are grouped into the same bucket if they are functionally similar or identical | 4:25-40: event normalizer takes event data (i.e. incident data) as input and outputs an event bucket (i.e. network event profile) along with key event attributes extracted from the output bucket that identify the event, an example bucket includes a type ‘read’), the network event profile including one or more attributes representative of the network event (see Meir 4:37-54: an example event bucket (i.e. network event profile) includes information about event attributes, e.g. type, number of instances, process, path, business unit, company, etc.); and
obtaining, via a prediction model (see Meir 6:54-67: threat detection model accepts a set of event data as input and outputs a metric indicating the likelihood that the candidate event is malicious. Determining a likelihood metric is functionally equivalent to generating a prediction), a classification for the network event (see Meir 6:36-53: identifying which events match or do not match the normal profile such that events that match are considered normal (normal classification) and events that do not match are flagged and identified as being candidate malicious events (malicious classification) and are forwarded to a threat detection model 312, i.e. the prediction model obtains a network event classification) based on the network event profile (see Meir 6:36-43: event scanner receives a batch of incoming events from an event normalizer (From previously cited Fig. 1, the event normalizer groups similar events in buckets (i.e. network event profile)); the event scanner identifies which events match or do not match the normal profile (i.e. identifying if the events’ network event profile matches or does not match with the reference profile, i.e. obtaining a classification based on the network event profile)), the prediction model being configured to generate the classification (see Meir 6:36-53: identifying which events match or do not match the normal profile such that events that match are considered normal (normal classification) and events that do not match are flagged and identified as being candidate malicious events (malicious classification) and are forwarded for further investigation to the threat detection model (i.e. prediction model) | 6:54-7: the threat detection model uses the forwarded candidate malicious events and determines the likelihood that they are malicious events (i.e. prediction model generates the classification) based on [adaptive normal] profiles from profile database 322 and/or known malicious attacks. Additionally, since the prediction model uses events obtained through a comparison of reference profile and network event profile, the classification by the prediction model is also “based on” a match between profiles) based on a set of network events having reference profiles that match with network event profile (see Meir 6:36-43: event scanner receives a batch of incoming events (i.e. set of network events) from an event normalizer (From previously cited Fig. 1, the event normalizer groups similar events in buckets (i.e. network event profile)); the event scanner retrieves the corresponding [adaptive normal] profile (i.e. reference profile) from database 322 and identifies which events match or do not match the normal profile (i.e. identifying if the events’ network event profile matches or does not match with the reference profile) such that flagged candidate malicious events are forwarded for further processing. This classification of normal vs. candidate malicious is based on a match between network event profile and reference profile. Since the prediction model uses the flagged events obtained through a comparison of reference profile and network event profile, the classification by the prediction model is also “based on” a match between profiles), each of the reference profiles including one or more reference attributes representative of a corresponding network event (see Meir 5:31-67: an adaptive normal profile (i.e. reference profile) includes a variety of representative event attributes).

Regarding claim 18, Meir disclosed the computer-readable medium of claim 17, wherein obtaining the classification includes:
determining the classification of the network event as a first classification of the one or more classifications of the set of network events based on (see Meir 6:43-53: determining if the flagged candidate malicious events have triggered or were triggered by another event. If another event was involved, then the candidate malicious event becomes a candidate malicious causality chain and is forwarded to a threat detection model | 6:54-67: threat detection model accepts a set of event data as input (e.g. the candidate malicious causality chain from the next limitation) and outputs a metric indicating the likelihood (i.e. confidence interval from the last limitation) that the candidate event is malicious and if the likelihood metric is above a threshold (i.e. second threshold from the last limitation), then the candidate malicious event is sent to the event causality database, logger, and notifier, i.e. determining a first classification of the network event):
a quantity of network events in the set of network events exceeding a first threshold (see Meir 6:43-53: determining if the flagged candidate malicious events have triggered or were triggered by another event. If another event was involved, then the candidate malicious event becomes a candidate malicious causality chain and is forwarded to a threat detection model. The first threshold is interpreted as an involvement of at least two events, such that the network event classification is determined to be a candidate malicious causality chain when one, i.e. quantity, network event in the set of network events involves another event and therefore exceeds the first threshold), and 
a confidence interval of the first classification exceeding a second threshold (see Meir 6:54-67: threat detection model accepts a set of event data as input and outputs a metric indicating the likelihood (i.e. confidence interval) that the candidate event is malicious and if the likelihood metric is above a threshold (i.e. second threshold), then the candidate malicious event is sent to the event causality database, logger, and notifier.).

Regarding claim 19, Meir disclosed the computer-readable medium of claim 17, wherein generating the network event profile includes:
hashing at least a portion of incident data associated with the network event to generate a hash value (see Meir 4:51-54: hashing event bucket attributes | 4:25-36: event bucket attributes are obtained from the input event data (i.e. incident data)), wherein the incident data triggered the network event (see Meir 3:59-4:19: agent monitors processes running on endpoint in order to detect events (i.e. incident) that correspond to the monitored processes, i.e. a triggering incident. The detected events are then filtered and aggregated by the event processor before grouping the events into event buckets (i.e. network event profile)), and
adding the hash value to the network event profile (see Meir 4:51-54: hashing event bucket (i.e. network event profile) attributes).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 4-6, 8, 13-14, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Mier, as applied to claim 19 above, and further in view of Mehr (U.S. Patent 9,892,253).

Regarding claim 20, Meir disclosed the invention, substantially as claimed, as described in claim 19 above, further comprising:
determining the set of network events having reference profiles that match with network event profile (see Meir 6:36-43: event scanner receives a batch of incoming events (i.e. set of network events) from an event normalizer (From previously cited Fig. 1, the event normalizer groups similar events in buckets (i.e. network event profile)); the event scanner retrieves the corresponding [adaptive normal] profile (i.e. reference profile) from database 322 and identifies which events match or do not match the normal profile (i.e. identifying if the events’ network event profile matches or does not match with the reference profile) such that flagged candidate malicious events are forwarded for further processing. This classification of normal vs. candidate malicious is based on a match between network event profile and reference profile. Since the prediction model uses the flagged events obtained through a comparison of reference profile and network event profile, the classification by the prediction model is also “based on” a match between profiles), wherein each of the reference profiles includes a reference hash value that matches the hash value (see Meir 4:51-54: hashing event bucket (i.e. network event profile). While Meir did not disclose hashing the adaptive normal profile (i.e. reference profile) nor matching two hash values, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to apply Meir’s hashing to other profiles, e.g. reference profile. In a related art of machine learned profiling (see Mehr 6:60-67), Mehr disclosed an initial period of learning in which information is gathered and hashes are generated as part of a server behavior profiling process (see Mehr 6:36-45). Hashes of the profiles are generated to conserve resources and increase the comparison speed and are stored for subsequent analysis and comparison (see Mehr 10:56-61)). 
Meir did not explicitly disclose “wherein each of the reference profiles includes a reference hash value that matches the hash value”, however in light of Meir’s above teachings regarding hashing the event bucket, i.e. network event profile, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to apply Meir’s hashing to other profiles, e.g. reference profile. Citations are presented in the claim mapping above. Additionally, in a related art of machine learned profiling, Mehr disclosed an initial period of learning in which information is gathered and hashes are generated as part of a server behavior profiling process. While Meir did not explicitly disclose matching two hashes, Mehr disclosed generating hashes of the profiles, storing hashes for subsequent analysis and comparison, and that using hashes conserves resources and increases the speed of comparison, i.e. matching.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mier and Mehr to further describe how to use hashing when learning about profiles. Including Mehr’s teachings would ensure that the profiles are more current and improve in accuracy over time while also conserving resources (see Mehr 6:65-7:13).

Regarding claim 4, Meir disclosed a method for automatic classification of a network event, the method comprising:
collecting, by a processor, network event data related to a network event that is related to a data item (see Meir Fig. 1 #101, #102, #108, #110, #107, 3:34-43: agent 102 on endpoint 101 detects event data 108 (i.e. data item, incident data) and sends the event data to event processor #110 which sends the event data to event database #107 for future use | 2:20-25: agents deployed on endpoints filter and aggregate event data and forward the aggregated event data (i.e. network event data) to a database), the network event data including incident data associated with the network event (see Meir Fig. 1 #108, 3:65-4:12: event data #108 includes data about specific event (i.e. incident data));
hashing, by the processor, at least a portion of the incident data to generate a hash value related to the incident data associated with the network event (see Meir 4:51-54: hashing event bucket attributes | 4:25-36: event bucket attributes are obtained from the input event data (i.e. incident data));
generating, by the processor, a network event profile for the network event (see Meir 4:29-35: the aggregated event data are converted into a standardized, bucketed format (i.e. network event profile) that groups events from distinct endpoints into the same bucket if they are functionally similar or identical) such that network event profile includes (i) the hash value (see Meir 4:51-54: hashing event bucket (i.e. network event profile) attributes) and (ii) one or more attributes representative of the network event (see Meir 4:37-54: an example event bucket (i.e. network event profile) includes information about event attributes, e.g. type, number of instances, process, path, business unit, company, etc.); and
obtaining, by the processor, via a prediction model (see Meir 6:54-67: threat detection model accepts a set of event data as input and outputs a metric indicating the likelihood that the candidate event is malicious. Determining a likelihood metric is functionally equivalent to generating a prediction), a classification for the network event (see Meir 6:36-53: identifying which events match or do not match the normal profile such that events that match are considered normal (normal classification) and events that do not match are flagged and identified as being candidate malicious events (malicious classification) and are forwarded to a threat detection model 312, i.e. the prediction model obtains a network event classification) based on the network event profile (see Meir 6:36-43: event scanner receives a batch of incoming events from an event normalizer (From previously cited Fig. 1, the event normalizer groups similar events in buckets (i.e. network event profile)); the event scanner identifies which events match or do not match the normal profile (i.e. identifying if the events’ network event profile matches or does not match with the reference profile, i.e. obtaining a classification based on the network event profile)), the prediction model being configured to generate the classification (see Meir 6:36-53: identifying which events match or do not match the normal profile such that events that match are considered normal (normal classification) and events that do not match are flagged and identified as being candidate malicious events (malicious classification) and are forwarded for further investigation to the threat detection model (i.e. prediction model) | 6:54-7: the threat detection model uses the forwarded candidate malicious events and determines the likelihood that they are malicious events (i.e. prediction model generates the classification) based on [adaptive normal] profiles from profile database 322 and/or known malicious attacks. Additionally, since the prediction model uses events obtained through a comparison of reference profile and network event profile, the classification by the prediction model is also “based on” a match between profiles) based on determining a match between the network event profile and reference profiles associated with network events (see Meir 6:36-43: event scanner receives a batch of incoming events (i.e. set of network events) from an event normalizer (From previously cited Fig. 1, the event normalizer groups similar events in buckets (i.e. network event profile)); the event scanner retrieves the corresponding [adaptive normal] profile (i.e. reference profile) from database 322 and identifies which events match or do not match the normal profile (i.e. identifying if the events’ network event profile matches or does not match with the reference profile) such that flagged candidate malicious events are forwarded for further processing. This classification of normal vs. candidate malicious is based on a match between network event profile and reference profile. Since the prediction model uses the flagged events obtained through a comparison of reference profile and network event profile, the classification by the prediction model is also “based on” a match between profiles), each of the reference profiles including a reference hash value (see Meir 4:51-54: hashing event bucket (i.e. network event profile). While Meir did not disclose hashing the adaptive normal profile (i.e. reference profile), it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to apply Meir’s hashing to other profiles, e.g. reference profile. In a related art of machine learned profiling (see Mehr 6:60-67), Mehr disclosed an initial period of learning in which information is gathered and hashes are generated as part of a server behavior profiling process (see Mehr 6:36-45). Hashes of the profiles are generated to conserve resources and increase the comparison speed and are stored for subsequent analysis and comparison (see Mehr 10:56-61)) and one or more reference attributes representative of a corresponding network event (see Meir 5:31-67: an adaptive normal profile (i.e. reference profile) includes a variety of representative event attributes).

Meir did not explicitly disclose “each of the reference profiles includes a reference hash value”, however in light of Meir’s above teachings regarding hashing the event bucket, i.e. network event profile, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to apply Meir’s hashing to other profiles, e.g. reference profile. Citations are presented in the claim mapping above. Additionally, in a related art of machine learned profiling, Mehr disclosed an initial period of learning in which information is gathered and hashes are generated as part of a server behavior profiling process. Mehr disclosed generating hashes of the profiles, storing hashes for subsequent analysis and comparison, and that using hashes conserves resources and increases the speed of comparison, i.e. matching.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mier and Mehr to further describe how to use hashing when learning about profiles. Including Mehr’s teachings would ensure that the profiles are more current and improve in accuracy over time while also conserving resources (see Mehr 6:65-7:13)

Regarding claim 5, Mier-Mehr disclosed the method of claim 4, wherein obtaining the classification includes:
determining the classification of the network event as one of one or more classifications of a set of network events having reference profiles that match the network event profile (see Meir 6:36-53: event scanner receives a batch of incoming events (i.e. set of network events) from an event normalizer (From previously cited Fig. 1, the event normalizer groups similar events in buckets (i.e. network event profile)); the event scanner retrieves the corresponding [adaptive normal] profile (i.e. reference profile) from database 322 and identifies which events match or do not match the normal profile (i.e. identifying if the events’ network event profile matches or does not match with the reference profile) such that events that match are considered normal (normal classification) and events that do not match are flagged and identified as being candidate malicious events (malicious classification) and are forwarded for further investigation to the threat detection model. This classification of normal vs. candidate malicious is based on a match between network event profile and reference profile. identifying which events match or do not match the normal profile).

Regarding claim 6, Mier-Mehr disclosed the method of claim 4, wherein obtaining the classification includes:
determining the classification of the network event as different from one or more classifications of a set of network events having reference profiles that match the network event profile (see Meir 6:36-53: event scanner receives a batch of incoming events (i.e. set of network events) from an event normalizer (From previously cited Fig. 1, the event normalizer groups similar events in buckets (i.e. network event profile)); the event scanner retrieves the corresponding [adaptive normal] profile (i.e. reference profile) from database 322 and identifies which events match or do not match the normal profile (i.e. identifying if the events’ network event profile matches or does not match with the reference profile) such that events that match are considered normal (normal classification) and events that do not match are flagged and identified as being candidate malicious events (malicious classification) and are forwarded for further investigation to the threat detection model. This classification of normal vs. candidate malicious is based on a match between network event profile and reference profile. identifying which events match or do not match the normal profile).

Regarding claim 8, Mier-Mehr disclosed the method of claim 4, wherein obtaining the classification includes: 
determining the classification of the network event as a first classification based on (see Meir 6:43-53: determining if the flagged candidate malicious events have triggered or were triggered by another event. If another event was involved, then the candidate malicious event becomes a candidate malicious causality chain and is forwarded to a threat detection model | 6:54-67: threat detection model accepts a set of event data as input (e.g. the candidate malicious causality chain from the next limitation) and outputs a metric indicating the likelihood (i.e. confidence interval from the last limitation) that the candidate event is malicious and if the likelihood metric is above a threshold (i.e. second threshold from the last limitation), then the candidate malicious event is sent to the event causality database, logger, and notifier, i.e. determining a first classification of the network event): 
a quantity of network events having reference profiles that match the network event profile exceeding a first threshold (see Meir 6:43-53: determining if the flagged candidate malicious events have triggered or were triggered by another event. If another event was involved, then the candidate malicious event becomes a candidate malicious causality chain and is forwarded to a threat detection model. The first threshold is interpreted as an involvement of at least two events, such that the network event classification is determined to be a candidate malicious causality chain when one, i.e. quantity, network event in the set of network events involves another event and therefore exceeds the first threshold), and 
a confidence interval of the first classification exceeding a second threshold (see Meir 6:54-67: threat detection model accepts a set of event data as input and outputs a metric indicating the likelihood (i.e. confidence interval) that the candidate event is malicious and if the likelihood metric is above a threshold (i.e. second threshold), then the candidate malicious event is sent to the event causality database, logger, and notifier.), wherein the first classification is one of one or more classifications of the network events having reference profiles that match the network event profile (see Meir 6:36-53: event scanner receives a batch of incoming events (i.e. set of network events) from an event normalizer (From previously cited Fig. 1, the event normalizer groups similar events in buckets (i.e. network event profile)); the event scanner retrieves the corresponding [adaptive normal] profile (i.e. reference profile) from database 322 and identifies which events match or do not match the normal profile (i.e. identifying if the events’ network event profile matches or does not match with the reference profile) such that events that match are considered normal (normal classification) and events that do not match are flagged and identified as being candidate malicious events (malicious classification) and are forwarded for further investigation to the threat detection model. This classification of normal vs. candidate malicious is based on a match between network event profile and reference profile. identifying which events match or do not match the normal profile).

Regarding claim 13, Mier-Mehr disclosed the method of claim 4, wherein the one or more attributes in the network event profile include (a) a user associated with the network event, (b) a user associated with a file on which network event is performed, (c) a policy that is violated, (d) a version of the policy that is violated, (e) an application associated with the network event (see Mier 4:37-47: event bucket (i.e. network profile) attributes include identifying a process ‘power-shell.exe’ associated with the event and event bucket) or (f) a computing device associated with the network event

Regarding claim 14, Mier-Mehr disclosed the method of claim 4, wherein hashing at least the portion of the incident data includes: 
identifying a first portion of the incident data (see Mehr 6:5-16: identifying a subset of elements that are and are not to be included within the hashed stack) that triggered the network event (see Meir 4:51-54: hashing event bucket attributes | 4:25-36: event bucket attributes are obtained from the input event data (i.e. incident data) | 3:59-4:19: agent monitors processes running on endpoint in order to detect events (i.e. incident) that correspond to the monitored processes, i.e. a triggering incident. The detected events are then filtered and aggregated by the event processor before grouping the events into event buckets (i.e. network event profile)), and 
hashing the incident data without the first portion to generate the hash value (see Mehr 6:5-16: hashing a subset of elements, e.g. 10 out of 30, and further compressing the hashes into a bloom filter).
The motivation to combine Mier and Mehr is the same as that presented in claim 4 above.
Claims 7 and 9-10 are rejected under 35 U.S.C. 103 as being unpatentable over Mier-Mehr, as applied to claims 4 and 6 above, and further in view of DiCorpo et al. (U.S. Patent Publication 2012/150773).

Regarding claim 7, Mier-Mehr disclosed the invention, substantially as claimed, as described in claim 6 above, but did not explicitly disclose the following limitations, which are taught in a related art, DiCorpo: 
wherein determining the classification includes: determining the classification as a specified value, the specified value indicating a lack of data for classifying the network event (see DiCorpo [0047]: ML training of sensitive data requires exceeding a threshold number of sensitive data events and non-sensitive data events. Classification is unable to be performed due to insufficient reference data). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mier-Mehr and DiCorpo to further describe how to classify a network event, in particular how to indicate a lack of sufficient data for event classification. Including DiCorpo’s teachings would increase the accuracy and user’s customizability of learning profiles when protecting data (see DiCorpo 0004). 



Regarding claim 9, Mier-Mehr disclosed the invention, substantially as claimed, as described in claim 4 above, but did not explicitly disclose the following limitations, which are taught in a related art, DiCorpo: 
wherein obtaining the classification includes: determining the classification as a specified value, the specified value indicating a lack of data for classifying the network event based on a quantity of network events having reference profiles that match the network event profile being below a first threshold (see DiCorpo [0047]: ML training of sensitive data requires exceeding a threshold number of sensitive data events and non-sensitive data events. Classification is unable to be performed due to insufficient reference data).
The motivation to combine Mier-Mehr and DiCorpo is the same as that presented in claim 7 above.

Regarding claim 10, Mier-Mehr disclosed the invention, substantially as claimed, as described in claim 4 above, but did not explicitly disclose the following limitations, which are taught in a related art, DiCorpo:
wherein obtaining the classification includes: determining the classification as a specified value, the specified value indicating a lack of confidence for classifying the network event based on a confidence interval of one or more classifications of network events having reference profiles that match the network event profile being below a second threshold (see DiCorpo [0053]: The MLD profile includes a sensitivity threshold, i.e. confidence level threshold, such that incidents need to exceed the confidence threshold in order to be classified. When the confidence is lower than the threshold, then the classification is determined to not be sensitive).
The motivation to combine Mier-Mehr and DiCorpo is the same as that presented in claim 7 above.

Claims 11-12 and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Mier-Mehr, as applied to claim 4 above, and further in view of Williams et al. (U.S. Patent Publication 2015/0254555).

Regarding claim 11, Mier-Mehr disclosed the invention, substantially as claimed, as described in claim 4 above, but did not explicitly disclose the following limitations which are taught by a related art, Williams:
wherein obtaining the classification includes: in response to determining a classification mode to be an “audit” mode (see Williams 0103: model performance evaluation component in which a human evaluates the classification decisions made by the machine learning model | 0113: tuning of machine learned classifications via a quality assurance process, i.e. “audit mode”, involving an expert user): 
generating the classification as a second classification in the network event data (see Williams 0105: machine learning model determines classifications), wherein the network event data includes a first classification indicating a classification of the network event determined by an entity other than the processor (see Williams 0108: user tunes the classification made by the machine learning model). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mier-Mehr and Williams to further describe how a machine learned classification is audited. Including Williams’ teachings regarding reviewing decisions by a machine learning process would increase the accuracy of classifications (see Williams 0022).

Regarding claim 12, Mier-Mehr-Williams disclosed the method of claim 11, wherein the entity other than the processor includes a human user (see Mier 6:64-67: malicious event classification feedback provided by analysts).

Regarding claim 15, Mier-Mehr disclosed the invention, substantially as claimed, as described in claim 4 above further comprising: 
generating a report showing information for a group of network events (see Mier 6:27-32: generating a report of malicious events), the information including, for each network event from the network events. 
Mier-Mehr did not explicitly disclose:
a first classification and a second classification of the corresponding network event, wherein the first classification indicates a classification determined by an entity other than the processor and the second classification indicates the classification determined by the processor (see Williams 0103: model performance evaluation component in which a human evaluates the classification decisions made by the machine learning model | 0113: tuning of machine learned classifications via a quality assurance process involving an expert user | 0105: machine learning model determines classifications | 0108: user tunes the classification made by the machine learning model).
The motivation to combine Mier-Mehr and Williams is the same as that presented in claim 11 above.

Regarding claim 16, Mier-Mehr-Williams disclosed the method of claim 15, wherein the report includes:
a first subset of network events from the group of network events in which the first classification and the second classification indicate the same classification (see Williams 0167: user’s classification decision is the same as the machine learned classification decision), and
a second subset of network events from the group of network events in which the first classification and the second classification indicate different classifications (see Williams 0167: user’s classification decision is different than the machine learned classification decision).
The motivation to combine Mier-Mehr and Williams is the same as that presented in claim 11 above.



Claims 1-2 are rejected under 35 U.S.C. 103 as being unpatentable over Lee et al. (U.S. Patent Publication 2019/0394215) in view of Meir et al. (U.S. Patent 11,483,326).

Regarding claim 1, Lee disclosed a system for facilitating reduction of computational resource usage for network event classification (“for facilitating reduction of computational resource usage for network event classification” is intended use and is not provided patentable weight), the system comprising: 
a computer system comprising one or more processors programmed with computer program instructions (see Lee Fig. 12, [0050]: processor, system, memory, instructions for performing the method) that, when executed, cause the computer system to: 
provide training data containing network event profiles and reference feedback to a neural network to train the neural network (see Lee [0008]: training a neural network based on raw security event data and a similarity of training and baseline profiles | 0011: converting collected security event data into input data by generating similarity values between a security event profile and a baseline profile | 0042: the similarity between training and baseline profiles is compared with the predetermined training data labels, repeatedly adjusting the weights of the regression analysis on the similarity values in order to gradually reduce the differences (i.e. reference feedback) between the predicted and actual values), the neural network (i) generating predictions based on the network event profiles (see Lee 0034: performing statistical predictions based on machine learning involves regression analysis | 0042 bottom of first column to top of second column: performing regression analysis on the similarity values), (ii) assessing the predictions against the reference feedback (see Lee 0042 second column: repeatedly adjusting the weights of the regression analysis in order to gradually reduce the differences between the predicted and actual values), and (iii) updating one or more parameters of the neural network based on the assessment of the predictions (see Lee 0042 second column: neural network variables include weights which are repeatedly adjusted according to the regression analysis); 
collect network event data related to a network event that is related to a data item (see Lee 0037: collecting raw data (i.e. network event data) of security events (i.e. related to a network event) and aggregating the security events (i.e. network events) that occur within a predetermined time interval (i.e. related to a data item)), the network event data including incident data (see Lee 0016: collecting security event data and converting it into an input for the neural network | 0037: collecting raw data of security events and aggregating the security events | 0038: security event data profile includes a set of security events {e1, e2, …en}) that triggered the network event  (see Meir Fig. 1 #108, 3:65-4:12: event data #108 includes data about specific event (i.e. incident data) | 3:59-4:19: agent monitors processes running on endpoint in order to detect events (i.e. incident) that correspond to the monitored processes, i.e. a triggering incident. The detected events are then filtered and aggregated by the event processor before grouping the events into event buckets (i.e. network event profile)), the network event data not including the data item (see Lee 0038: security event data profile includes a set of security events {e1, e2, …en}. The predetermined time interval, i.e. data item, is not a part of this data profile vector); 
generate a network event profile for the network event based on the incident data (see Lee 0016: converting security event data into an input for the neural network involves determining a similarity of the security event’s data profile and a plurality of baseline profiles | 0036: generating a data profile of a security event from baseline data, training data, and collected raw data | 0041: training profile is the security event data profile) that triggered the network event (see Meir 3:59-4:19: agent monitors processes running on endpoint in order to detect events (i.e. incident) that correspond to the monitored processes, i.e. a triggering incident. The detected events are then filtered and aggregated by the event processor before grouping the events into event buckets (i.e. network event profile)) such that the network event profile includes (i) at least a portion of the incident data (see Lee 0016: collecting security event data and converting it into an input for the neural network | 0037: collecting raw data of security events and aggregating the security events | 0038: security event data profile includes a set of security events {e1, e2, …en}) that triggered the network event (see Meir Fig. 1 #108, 3:65-4:12: event data #108 includes data about specific event (i.e. incident data) | 3:59-4:19: agent monitors processes running on endpoint in order to detect events (i.e. incident) that correspond to the monitored processes, i.e. a triggering incident. The detected events are then filtered and aggregated by the event processor before grouping the events into event buckets (i.e. network event profile)) or a hash value related to the incident data that triggered the network event and (ii) one or more attributes representative of the network event (see Lee 0036: generating a data profile of a security event from baseline data, training data, and collected raw data | 0037: raw security data includes event type data, 0038: events are grouped into a set according to event type, i.e. the event type is an attribute representative of both the individual and the collective network event), the hash value being obtained based on a hashing of at least a portion of the incident data (see Meir 4:51-54: hashing event bucket attributes | 4:25-36: event bucket attributes are obtained from the input event data (i.e. incident data) that triggered the network event (see Meir 3:59-4:19: agent monitors processes running on endpoint in order to detect events (i.e. incident) that correspond to the monitored processes, i.e. a triggering incident. The detected events are then filtered and aggregated by the event processor before grouping the events into event buckets (i.e. network event profile)); and 
provide the network event profile to the neural network to determine a classification for the network event (see Lee 0012: generating a learning model, converting security event data into an input for the neural network (i.e. provide the network event profile to the neural network), and using the learning model when determining whether the security event is normal or threat (i.e. to determine a classification for the network event) | 0016: converting security event data into an input for the neural network involves determining a similarity of the security event’s data profile and a plurality of baseline profiles).

Lee did not explicitly that the incident data “triggered the network event” or that “the hash value being obtained based on a hashing of at least a portion of the incident data”. However in a related art of training and detecting security events (see Meir abstract), Meir disclosed an endpoint agent monitoring processes running on endpoint in order to detect events (i.e. incident) that correspond to the monitored processes, i.e. a triggering incident. The detected events are then filtered and aggregated by the event processor before grouping the events into event buckets (i.e. network event profile). Meir also disclosed hashing event bucket attributes which are obtained from the input event data, i.e. incident data. The Meir citations are presented in the above claim mapping. 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Lee and Meir to further clarify that network events are triggered by an incident and to describe how to hash of incident data. Including Meir’s teachings would enable hash-lookups of event data (see Meir 43-45) and increase accuracy in flagging abnormal behavior among high-volume security events (see Meir 2:7-12).



Regarding claim 2, Lee-Mier disclosed the system of claim 1, wherein the computer system is caused to: 
determine the classification of the network event as a first classification based on (see Meir 6:43-53: determining if the flagged candidate malicious events have triggered or were triggered by another event. If another event was involved, then the candidate malicious event becomes a candidate malicious causality chain and is forwarded to a threat detection model | 6:54-67: threat detection model accepts a set of event data as input (e.g. the candidate malicious causality chain from the next limitation) and outputs a metric indicating the likelihood (i.e. confidence interval from the last limitation) that the candidate event is malicious and if the likelihood metric is above a threshold (i.e. second threshold from the last limitation), then the candidate malicious event is sent to the event causality database, logger, and notifier, i.e. determining a first classification of the network event): 
a quantity of network events having reference profiles that match the network event profile exceeding a first threshold (see Meir 6:43-53: determining if the flagged candidate malicious events have triggered or were triggered by another event. If another event was involved, then the candidate malicious event becomes a candidate malicious causality chain and is forwarded to a threat detection model. The first threshold is interpreted as an involvement of at least two events, such that the network event classification is determined to be a candidate malicious causality chain when one, i.e. quantity, network event in the set of network events involves another event and therefore exceeds the first threshold), and 
a confidence interval of the first classification exceeding a second threshold (see Meir 6:54-67: threat detection model accepts a set of event data as input and outputs a metric indicating the likelihood (i.e. confidence interval) that the candidate event is malicious and if the likelihood metric is above a threshold (i.e. second threshold), then the candidate malicious event is sent to the event causality database, logger, and notifier.), wherein the first classification is one of one or more classifications of the network events having reference profiles that match the network event profile (see Meir 6:36-53: event scanner receives a batch of incoming events (i.e. set of network events) from an event normalizer (From previously cited Fig. 1, the event normalizer groups similar events in buckets (i.e. network event profile)); the event scanner retrieves the corresponding [adaptive normal] profile (i.e. reference profile) from database 322 and identifies which events match or do not match the normal profile (i.e. identifying if the events’ network event profile matches or does not match with the reference profile) such that events that match are considered normal (normal classification) and events that do not match are flagged and identified as being candidate malicious events (malicious classification) and are forwarded for further investigation to the threat detection model. This classification of normal vs. candidate malicious is based on a match between network event profile and reference profile. identifying which events match or do not match the normal profile).
The motivation to combine Lee and Mier is the same as that presented in claim 1 above.

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Lee-Mier, as applied to claim 1 above, and further in view of Williams et al. (U.S. Patent Publication 2015/0254555).

Regarding claim 3, Lee-Mier disclosed the invention, substantially as claimed, as described in claim 1 above, but did not explicitly disclose the following limitations which are taught in a related art, Williams,
wherein the computer system is caused to: in response to determining a classification mode to be an “audit” mode (see Williams 0103: model performance evaluation component in which a human evaluates the classification decisions made by the machine learning model | 0113: tuning of machine learned classifications via a quality assurance process, i.e. “audit mode”, involving an expert user): generating the classification as a second classification in the network event data (see Williams 0105: machine learning model determines classifications), wherein the network event data includes a first classification indicating a classification of the network event determined by an entity other than the processor (see Williams 0108: user tunes the classification made by the machine learning model). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Lee-Mier and Williams to further describe how a machine learned classification is audited. Including Williams’ teachings regarding reviewing decisions by a machine learning process would increase the accuracy of classifications (see Williams 0022).


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Angela Widhalm de Rodriguez whose telephone number is (571)272-1035. The examiner can normally be reached M-F: 6am-2:30pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Thu Nguyen can be reached on (571) 272-6967. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/A.M.W/Examiner, Art Unit 2452                                                                                                                                                                                             
Angela.Widhalm@upsto.gov21 November 2022


/Patrice L Winder/Primary Examiner, Art Unit 2452