DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the Amendment filed on 08/24/2022.
In the instant Amendment, claims 20-39 have been added; claims 1-19 are cancelled; and claims 20, 27, and 34 are independent claims.  Claims 20-39 have been examined and are pending.  This Action is made Final.
Response to Arguments
The statutory double patenting rejection to claims 1-2 and 4-8 is withdrawn as the claims have been amended.
The non-statutory obviousness type double patenting rejection to claims 20-39 is maintained.
The rejection of claim 3 under 35 U.S.C. § 112(b) is withdrawn as the claims have been amended.
Applicants’ arguments with respect to claims 20-39 have been considered but are moot in view of the new ground(s) of rejection, which were necessitated by amendment.
Claim Interpretation
Regarding claim 25: claim 25 recites the limitation “if an amount of time between the first occurrence and the second occurrence exceeds a threshold time period” (emphasis added).  The aforementioned limitation is preceded by the term ‘if’.  Claim scope is not limited by claim language that suggests or makes optional but does not require the steps to be performed, or by claim language that does not limit a claim to a particular structure (See MPEP 2111.04 [R-08.2017]). Accordingly, the limitation merely requires the capability of performing the recited or desired function of “the first occurrence being temporally distant from the second occurrence”.  Under the broadest reasonable interpretation, a system (or apparatus or product) claim with conditional “if-then” claim limitations that include structure that performs a function, which only needs to occur if a condition precedent is met, requires only the structure for performing the function should the condition occur (See MPEP 2111.04 II. [R-10.2019]). In the event that the claimed condition for performing a contingent step of a method claim is not satisfied, then the performance recited by the step need not be carried out in order for the claimed method to be performed (See MPEP 2111.04 II. [R-10.2019]).
Regarding claims 26, 32-33, and 38-39: claims 26, 32-33, and 38-39 also recite optional claim limitations beginning with conditional “if” statements and are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, under a rationale similar to that applied to claim 25.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 20, 22-27, 29-34, and 36-39 are rejected under 35 U.S.C. 103 as being unpatentable over Ferragut et al. (US 2015/0106927; hereinafter “Ferragut”) in view of Altman et al. (US 9,183,387; hereinafter “Altman”).
Regarding claim 20, Ferragut teaches a method for guiding a response to a security incident, comprising (Ferragut: Para. [0011], A system is described for receiving a stream of events and scoring the events based on anomalousness and maliciousness (or other classification).): 
monitoring a plurality of occurrences in a computer system (Ferragut: Para. [0012], The input stream typically includes events, which are actions or occurrences that are detected by a program or hardware component. The events can be associated with a time-stamp in conjunction with captured data.), wherein the plurality of occurrences includes (1) a first occurrence whereby a first file instantiates a first process that creates or registers a second file (Ferragut: Para. [0012], The input stream can be received in component 120, which collects log files. The component 120 can include memory registers and processing capacity to implement a parser, which analyzes the syntax of the input streaming data and transforms it into a standard format (e.g., JSON or other text-based languages). The parsed event data can then be placed in a message queue for consumption by a data model 130. Para. [0035]-[0036]), and (2) a second occurrence whereby the computer system instantiates a second process from the second file (Ferragut: Para. [0012], The parsed event data can then be placed in a message queue for consumption by a data model 130. Para. [0013], The data model 130 pulls event data from the message queue and transforms the data into a Position, Value, Time format. Para. [0035]-[0036]); 
and guiding the response to the security incident at least by presenting, to a user, data corresponding to the selected occurrences (Ferragut: Fig. 1, Fig. 2, Para. [0035], In process block 250, one or more scores associated with an event can be outputted, such as on a display. The event scores can include the overall anomaly score and possible other scores, such as the output score of the classifier 180 (FIG. 1), which indicates if the event is of interest. [anomaly scores generated from contexts of data sets grouped into multiple sub-groups are displayed to the user] Para. [0034], Finally, a display 190 is shown as coupled to the classifier 180 for displaying the event data of interest. In the case of network traffic, the display can present malicious events in any desired fashion. The maliciousness and anomalousness scores help point an analyst at suspicious traffic, but ultimately it is the human domain expert that must examine suspicious events to determine if they constitute an attack. To support this process, the visualization facilitates real-time situational understanding and provides interaction mechanisms and additional views that allow the analyst to gather additional information on suspicious activity. Para. [0036]).
Ferragut does not explicitly teach determining, based on adjacency data, that at least a subset of the plurality of occurrences is relevant to the second process, wherein the subset includes the first occurrence and the second occurrence, wherein the adjacency data includes data indicating relevance of the first occurrence to the second occurrence; estimating a respective utility of investigating each occurrence in the subset; selecting two or more occurrences from the subset based, at least in part, on the estimated utilities, the selected occurrences including the first occurrence and the second occurrence.
In an analogous art, Altman teaches determining, based on adjacency data, that at least a subset of the plurality of occurrences is relevant to the second process (Altman: Col. 3, Lines 31-40, After one or more events are detected at the event detection 110 stage, to determine or increase the confidence level that the events are attack events, pipeline 100 processes the events through the propagation analysis stage 120 (described with FIGS. 3 and 4A below), clustering analysis stage 130 (described with FIGS. 4B-4D and 5A-5D below), and post processing stage 140 (described with FIG. 5E below). Col. 3, Lines 54-67), wherein the subset includes the first occurrence and the second occurrence, wherein the adjacency data includes data indicating relevance of the first occurrence to the second occurrence (Altman: Col. 6, Lines 11-42, propagation analysis 120 follows an algorithm that considers two events occurring in association with two users, e.g., Bob at node 2 and Daisy at node 4. The two events propagate (e.g., from Bob to Daisy) if the following conditions are all met: (1) Bob (at node 2) has a social connection (e.g., a link, arc, or edge) with Daisy (at node 4). (2) The two events occurred at both Bob and Daisy have the same type (e.g., if the events are messages, they are the same, similar, or related; if the events are actions, they are the same, similar, or related). (3) The event at Daisy occurs at a time T.sub.3 that is later than the event at Bob occurs at a time T.sub.2 (i.e., T.sub.3 is later than T.sub.2)., Col. 6, Lines 43-67, Applying the above described algorithm for propagation analysis reveals that, for example, events of the same type have occurred at node 2, node 5 and node 6, at times T.sub.2, T.sub.4, and T.sub.5, respectively. With this information, DAG 400A is expanded to include nodes 2, 5 and 6. The edge from node 2 is shown pointing to node 4 due to, for example, T.sub.2<T.sub.3. The edge from node 4 points to node 5 due to, for example, T.sub.3<T.sub.4. The edge from node 4 points to node 6 due to, for example, T.sub.3<T.sub.5. DAG 400A shows that, for example, events of the same type are propagating through some nodes. If an event is the posting/reposting of a message or a post on a social network, two posts are considered of same type if they have the same content or similar content. The propagation of the event is the posting and reposting of the message or similar message (e.g., the message content or a link or hash code of the message), for example, from node 2 to node 3 then to nodes 5 and 6.);
estimating a respective utility of investigating each occurrence in the subset (Altman: Col. 7, Lines 23-50, At any point during an analysis or before a new analysis, the analysis may reach a stopping condition, for example, when an event has found at enough nodes to provide a high certainty that the event is an attack event. Col. 8, Lines 25-67, Col. 9, Lines 1-67, In some analyses, such as for identifying an attack or a social network abuse, the clarity of an attack or abuse may be revealed by the size of a DAG or cluster (e.g., cluster 580 with 18 nodes shows a clearer sign of attack or abuse than the other cluster 560). The bigger the DAG or cluster, the higher the probability that the related events associated with it are correlated to an attack (e.g., on a social network). Col. 10, Lines 1-53, a DAG may be evaluated based on other DAGs (e.g., a large number of other DAGs, which may be created using parallel or massively parallel processing methods). For example, the average number of nodes of the large number of other DAGs is X and the number of nodes of the DAG under evaluation is greater or much greater than X, the underlying events used to create the DAG under evaluation may be concluded as attack events, likely attack events, suspicious events (e.g., to be reviewed by an administrator), etc.); 
selecting two or more occurrences from the subset based, at least in part, on the estimated utilities, the selected occurrences including the first occurrence and the second occurrence (Altman: Col. 9, Lines 17-67, Based to part 2 (above) of the generated list, users b, d, f, and g of graph 510 all experience events Y and are represented in DAG 530 (FIG. 5C). Based to part 3 (above) of the generated list, users b, d-f, and h-j of graph 510 all experience events Z and are represented in cluster 540 (FIG. 5D). Each cluster, which groups one or more subgraphs or DAGs per event X, Y, or Z, is a distinct subset of the graph 510. Subgraphs 520-540 may be generated using pipeline 100 (FIG. 1) or one or more other processes that detect the events X, Y, and Z. The pipeline then analyzes the propagations of the events, such as generating tuples that represent events X propagate from users a to b then from b to f.  For example, the clustering stage creates subgraph 520 based on the tuples that represent events X propagate from users a to b then from b to f. A post processing stage may be executed to identify non-attacking events, attacking events and/or potential attacking event. The algorithm for each stage and/or goal, which may create intermediary results, can be executed in parallel on, for example, the entire graph 510, on more than one graph, on the users, and/or events.).
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Altman with the system and method of Ferragut to include determining, based on adjacency data, that at least a subset of the plurality of occurrences is relevant to the second process, wherein the subset includes the first occurrence and the second occurrence, wherein the adjacency data includes data indicating relevance of the first occurrence to the second occurrence; estimating a respective utility of investigating each occurrence in the subset; selecting two or more occurrences from the subset based, at least in part, on the estimated utilities, the selected occurrences including the first occurrence and the second occurrence because this functionality provides for the ability to detect and mitigate malicious events (Altman: Col. 1, Lines 15-29). 
Regarding claim 22, Ferragut, in combination with Altman, teaches the method of claim 20, wherein the relevance of the first occurrence to the second occurrence is direct relevance (Ferragut: Para. [0013], The data model 130 can perform analysis on the Position to generate multiple overlapping relationships from a single event (i.e., a single log entry). For example, analysis can be done whether traffic originated from a source as well as the likelihood that traffic passed between nodes on the same log entry by using multiple definitions of Position. A configuration file 140 can be coupled to the data model to include multiple definitions of Position, Value and/or Time to define roles for given network resources. Each definition can create a corresponding configurable probabilistic model used to describe anomalousness of traffic data.  Para. [0045], Given an assignment of `role` to machines on a network, such as Firewall, DNS, External Website, a data point can provide evidence of changes in the relationship between roles by using the positional aggregations (role of source ip, role of destination ip) and (role of source ip) Para. [0014]).
Regarding claim 23, Ferragut, in combination with Altman, teaches the method of claim 22, wherein the direct relevance of the first occurrence to the second occurrence is a bidirectional direct relevance or a unidirectional direct relevance (Ferragut: Para. [0013], The data model 130 can perform analysis on the Position to generate multiple overlapping relationships from a single event (i.e., a single log entry). For example, analysis can be done whether traffic originated from a source as well as the likelihood that traffic passed between nodes on the same log entry by using multiple definitions of Position. A configuration file 140 can be coupled to the data model to include multiple definitions of Position, Value and/or Time to define roles for given network resources. Each definition can create a corresponding configurable probabilistic model used to describe anomalousness of traffic data.  Para. [0045], Given an assignment of `role` to machines on a network, such as Firewall, DNS, External Website, a data point can provide evidence of changes in the relationship between roles by using the positional aggregations (role of source ip, role of destination ip) and (role of source ip)).
Regarding claim 24, Ferragut, in combination with Altman, teaches the method of claim 20, wherein the relevance of the first occurrence to the second occurrence is indirect relevance based on a sequence of one or more other occurrences between the first occurrence and the second occurrence (Ferragut: Para. [0030], Example broad categories include groups of IP addresses, groups of ports, groups of protected servers, mail servers, etc. The detectors can examine a sequence of events under Markov assumptions for observing changes in Value and inter-arrival Time of events.).
Regarding claim 25, Ferragut, in combination with Altman, teaches the method of claim 24, wherein the first occurrence is indirectly relevant to the second occurrence based on temporal distance of the first occurrence and the second occurrence (Ferragut: Para. [0028], In sum, the data model 130 transforms a plurality of disparate data sets into a common abstraction so that each event has at least a Position, Value and Time parameter. Para. [0035], In process block 210, an input log file is received. The input log file includes a plurality of events, which are time stamped data sets received from a source component, such as a network component (e.g., firewall, operating system, mail servers, etc.). In process block 220, for each event, multiple contexts are provided. The multiple contexts group the data set into multiple sub-groups. For example, position data can include a source IP address, a destination IP address, a source port, a destination port, and a protocol. One context grouping can include only the source IP address, destination IP address, value and time, whereas another context grouping can include only a source and destination port, Value and Time. Thus, each event has multiple contexts in which it is viewed. In process block 230, multiple anomaly scores are generated for the contexts.), the first occurrence being temporally distant from the second occurrence if an amount of time between the first occurrence and the second occurrence exceeds a threshold time period (Ferragut: Para. [0030], The detectors can examine a sequence of events under Markov assumptions for observing changes in Value and inter-arrival Time of events. The other type is an iteratively updated, multinomial distribution with configurable Bayesian priors to examine the anomalousness of an occurrence of a positional event.).
Regarding claim 26, Ferragut, in combination with Altman, teaches the method of claim 24, wherein the first occurrence is indirectly relevant to the second occurrence based on spatial distance of the first occurrence and the second occurrence (Ferragut: Para. [0012], A source 110 can be any source that provides streaming data. In one example, the source can be any network component, such as a firewall or an operating system. The input stream typically includes events, which are actions or occurrences that are detected by a program or hardware component. The events can be associated with a time-stamp in conjunction with captured data. Para. [0014], In one particular example, structured log events can be parsed and normalized into the Position-Value-Time (PVT) format, while appending a unique ID and the source of the data to the output tuple. The transformation from raw data to PVT format is as follows: Para. [0015], Log file: P: source IP, destination IP, source port, destination port, and protocol, V: signature, T: timestamp. Para. [0016]), the first occurrence being spatially distant from the second occurrence if the first occurrence and the second occurrence occur on different devices or are associated with different user accounts (Ferragut: Para. [0012], A source 110 can be any source that provides streaming data. In one example, the source can be any network component, such as a firewall or an operating system. The input stream typically includes events, which are actions or occurrences that are detected by a program or hardware component. The events can be associated with a time-stamp in conjunction with captured data. Para. [0046]).
Regarding claim 27, claim 27 is rejected under the same rationale as claim 20.
Regarding claims 29-33, claims 29-33 are rejected under the same rationale as claims 22-26, respectively.
Regarding claim 34, claim 34 is rejected under the same rationale as claim 20.
Regarding claim 36, claim 36 is rejected under the same rationale as claims 22-23.
Regarding claims 37-39, claims 37-39 are rejected under the same rationale as claims 24-26, respectively.

Claims 21, 28, and 35 are rejected under 35 U.S.C. 103 as being unpatentable over Ferragut et al. (US 2015/0106927; hereinafter “Ferragut”) in view of Altman et al. (US 9,183,387; hereinafter “Altman”) in view of Davidson et al. (US 2016/0163186; hereinafter “Davidson”).
Regarding claim 21, Ferragut, in combination with Altman, teaches the method of claim 20.  Ferragut, in combination with Altman, does not explicitly teach wherein the computer system reboots after the first occurrence and instantiates the second process from the second file after reboot. 
In an analogous art, Davidson teaches wherein the computer system reboots after the first occurrence and instantiates the second process from the second file after reboot (Davidson: Para. [0057], The state information is taken together with sensor information 220 generated by sensors 110 and 114 and pseudo-breaker information from pseudo-breakers 114 to detect any change in risk level. Para. [0039], Pseudo-breakers 113 provide multiple advantages, including the ability to communicate (wired or wirelessly) with one more other controllers within system 100, have internal or external policies attached to them (discussed below), can trigger soft or hard breaker events, and can restart breakers (e.g., a breaker 117 or an embedded breaker within a smart plug / smart power bar 111 or piece of equipment 112) using a timing interval or by direct command to the soft break initiating devices. Para. [0060]-[0061], Para. [0132]-[0149], Para. [0033], Networking management, including the reporting and control of individual subsystems with hard and soft trip capabilities, communications control, and local policy execution when the risk level demands fast response or when external networks not available, is preferably implemented with at least one of building server 103 and unit server 105. Para. [0036]-[0037], [0050]). 
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Davidson with the system and method of Ferragut and Altman to include wherein the computer system reboots after the first occurrence and instantiates the second process from the second file after reboot because this functionality provides for instantiation of processes and file creation before and after device restart when risk thresholds are exceeded (Davidson: Para. [0039]). 
Regarding claim 28, claim 28 is rejected under the same rationale as claim 21.
Regarding claim 35, claim 35 is rejected under the same rationale as claim 21.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
U.S. Patent Application Publication No. US 2016/0301709 by Hassanzadeh et al. (Para. [0034], timestamps within a threshold similarity value).
Applicant’s amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Nelson Giddins whose telephone number is (571)272-7993.  The examiner can normally be reached on Monday - Friday, 9:00 AM - 5:00 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on (571) 272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/NELSON S. GIDDINS/             Primary Examiner, Art Unit 2437