Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
Applicant’s amendment filed 11/2/2022 has been entered.  Claims 1 and 6 were amended for typographical reasons.  The 101 rejection in the Non-Final Office action mailed 8/11/2022 is withdrawn.  Claims 1-7 are presented for examination.

Response to Arguments
Applicant's arguments filed 11/2/2022 have been fully considered but they are not persuasive. 
On page 6, bottom ¶ to page 7 top ¶, Applicant argues that Pinto is interpreted too broadly.  Examiner respectfully disagrees.  The claim recites “the machine learning algorithm determining the security vulnerabilities based on a vector of configuration characteristics for the VM.”  The claim is rejected under §103 by Pinto (9,306,962) and Mohanty (2017/0279826).  Pinto teaches classifying events with a machine learning module using malicious events and actors according to its configuration [1].  Mohanty teaches VM configuration vectors.
On page 7, ¶ 2-3, Applicant argues that actors are not relied upon by the invention.  An actor (external source) of malicious activity is reasonably interpreted as a security vulnerability.  If the argument is that security vulnerabilities are internal only, the claim limitation “security vulnerabilities” does not exclude external threat sources nor limit the vulnerabilities to be internal threats only.
On page 7, ¶ 2-3, Applicant argues that Pinto’s invention describes identifiable actors and that the determination of security vulnerabilities is distinct from the filed application.  That is, the filed application does not rely on information about an actor, but no support is identified in the specification to teach such an interpretation.  The specification teaches to the contrary [2]: a security occurrence is an attack.  Therefore it is not clear why Pinto’s malicious events and actors are not a security vulnerability.  Malicious actors are security threats.  Applicant then argues that there are differences in both generation and application of the predictive models without identifying a difference.
On page 8, Applicant argues that Pinto’s Time-based weighting decay does not teach “associating a modified form of the vector of vulnerabilities with each of the further VM configuration vectors.”  Applicant has admitted Pinto teaches Time-based weighting decay (weighted time interval, the vector is modified according to the time relative to time of reference) which satisfies modified vector of vulnerabilities [3].  Pinto teaches configuration changes which satisfies modified configuration vector [4].
The §103 rejection of Pinto (9,306,962) and Mohanty (2017/0279826) is maintained as shown in the rejection below.

Priority
Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11/02/2022 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7 are rejected under 35 U.S.C. 103 as being unpatentable over Pinto (9,306,962) in view of Mohanty (2017/0279826).

Regarding claim 1, Pinto teaches
a computer implemented method to generate training data for a machine learning algorithm for determining security vulnerabilities (Pinto, Col 4, lines 26-31, The events that have been selected and grouped together by behavior are used to train a classification machine learning model with the previously calculated features by behavior and time interval. In one embodiment, the machine learning models are used independently to predict the likelihood of malicious activity) of a virtual machine (VM) in a virtualised computing environment, (Pinto, Col 4, lines 58-64, These sensors and log sources 102 can include, non-exhaustively, for example, network routers, switching equipment or firewalls, network-based or host-based intrusion detection or prevention systems, log entries from operational aspects from applications, web servers, database, operating systems, virtualization platforms; Col 3, lines 35-36, Moreover, the invention can be practiced in Internet-based or cloud computing environments,)  the machine learning algorithm determining the vulnerabilities based on a vector of … characteristics…, (Pinto, Col 3, lines 51-54, An aspect of this invention is a representation of a machine learning based malicious event classifier, where existing historical and real-time event, log entries, interrupts and signals from an arbitrary number of event sources can be analyzed and mined for patterns that can be interpreted by a machine learning classifier.)  the method comprising:
receiving a plurality of … vectors for each of one or more training VMs, each … vectors including attributes of a configuration … and having a temporal indication; (Pinto, Col 4, lines 16-19, In addition to the identification and proximity or group membership, the events to be analyzed must have timestamps, as they will be evaluated for feature engineering and prediction model creation on pre-defined time intervals; Col 4, lines 26-32, The events that have been selected and grouped together by behavior are used to train a classification machine learning model with the previously calculated features by behavior and time interval. In one embodiment, the machine learning models are used independently to predict the likelihood of malicious activity from an identified actor, conditioned also on its behavior and the time interval in which it has been seen)
receiving a security occurrence identification being referable to a … vector for a training VM based on a temporal indication of the security occurrence, (Pinto, Col 4, lines 20-23, their membership on a specific time interval is necessary for the correct calculation of the numeric features and their usage in the prediction model training; Col 3, line 65 – Col 4, line 3, the events and log data to be mined in the feature engineering aspect of the invention must have an identifiable actor that can be represented as an IP address, domain name, user name, user identifier or some other form that can be uniquely identified) the security occurrence identification including information for defining a vector of vulnerabilities for the training VM associated with the referenced … vector, (Pinto, Col 4, lines 53-57, These sensors and log sources 102 and the absence or the presence of these events, log entries, interrupts and signals can be interpreted by those familiar with the art as the absence or presence of malicious activity on a computing environment) and associating the referenced … vector with the vulnerability vector as a first training example; (Pinto, Col 8, lines 27-31, Having both the malicious and non-malicious event sources, and the calculated features from the Feature Engineering Storage 138, the Machine Learning Module can then train a model for each behavior and time interval association,)
identifying one or more further … vectors for the training VM, each of the further … vectors having temporal indications preceding that of the referenced … vector; and (Pinto, Col 7, lines 4-10, The function of the Time-based Weighting Decay 136 component is to further summarize the feature information from the selected behaviors at the Event Clustering Engine 132; Col 5, lines 29-41, In one aspect, these events and log data are imported into the feature engineering 130 component of the invention, more specifically on the Event Clustering Engine 132. As described previously, these events and log data to be imported can, in one aspect, be imported from the log and event data repository 112 and the correlation engine 114 from one or more SIEM/Log management solutions 110. In another aspect of the invention, these events and log data can also be exported from, partially or in full, an independent sensor 104 that is not related to a SIEM or log management solution 110.) (Examiner Note: SIEM – Security Information and Event Management)
associating a modified form of the vulnerability vector with each of the further … vectors as further training examples, the vulnerability vector being modified for each further … vector by a reverse decay function such that each temporally earlier … vector is associated with a vulnerability vector indicating vulnerability to a lesser degree (Pinto, Col 7, lines 4-18,  The function of the Time-based Weighting Decay 136 component is to further summarize the feature information from the selected behaviors at the Event Clustering Engine 132 by applying a time decay function on time intervals that precede a time interval that is used as reference for a prediction.  This process is in place to represent the intuition that the entire history of a specific identifiable actor is relevant in the prediction of a specific behavior, but that events that happened closer to the time of reference on the prediction are more relevant and as such deserve to be “remembered” more clearly in the prediction process.)
Pinto does not teach VM configuration vectors.
However Mohanty teaches VM configuration vectors  (Mohanty, [0056] At step 320, the security system examines the configuration data for the temporary virtual machine instance. In examining the configuration data for the temporary virtual machine instance, the security system generally obtains metadata associated with the temporary virtual machine instance from the cloud platform using one or more APIs provided by the cloud platform that expose the characteristics of the virtual machine instance. The security system additionally obtains a list of the applications deployed on the temporary virtual machine instance through a software deployment tool provided by the cloud platform. [0032] Security system 150 can use information about the configuration and software deployed on a temporary virtual machine to generate a recommended security policy to be applied to the temporary virtual machine instance 130. [0029] Additionally, if a temporary virtual machine instance 130 includes software that is a security risk, informing security engine 150 of the applications that are deployed on the temporary virtual machine instances 130 allows security system 150 to identify remediation actions that should be performed on the temporary virtual machine instance 130 and other peer virtual machine instances to remedy security risks that exist in cloud platform 120.)
Mohanty teaches a security system analyzing VM configuration vectors to generate security policies.  It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Mohanty’s virtual machine configuration vector with Pinto’s machine learning and classification of malicious events because doing so protects the virtual machines in the network (Mohanty [0029] In response, as discussed in further detail below, the temporary virtual machine instance 130 receives a security policy to protect the temporary virtual machine instance 130 and other virtual machine instances in the same network from a variety of security risks (e.g., unauthorized system access from outside users, data corruption caused by various types of malware, and so on); [0054] The message may indicate the application that is the target of the remediation actions and may additionally indicate, to security agent 134, the remediation actions that should be taken to eliminate security risks from the temporary virtual machine instance 130 (and peer virtual machine instances).).

Regarding claim 2, Pinto and Mohanty teach
the method of claim 1, wherein the reverse decay function is a 0.5^(Kt) function based on an increasing time past (t) for a chronologically earlier VM configuration vector and a constant (k) (Pinto, Col 7, lines 29-35, So, for example, if we take a feature group having an exponential time decay process with a half-life of 7 applied to it with a reference time interval of now, the values it has calculated from the Affinity-based Feature Generation 134 from 7 time intervals ago would have half their value, where ones that had been calculated 14 time intervals ago would have a quarter of their value propagated.) (Examiner Note: since K can be any constant, Pinto’s exponentiation satisfies the limitation)
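As an added illustration of the training-data generation recited in claims 1 and 2 (this is not code from the application, from Pinto, or from Mohanty), the following Python sketch pairs a training VM's referenced configuration vector with the full vulnerability vector and each earlier configuration vector with that vector scaled by the reverse decay 0.5^(Kt). The data model, function names, and the sample VM snapshots are constructed assumptions; with k = 1/7 the weights reproduce Pinto's half-life-of-7 example (half at 7 intervals, a quarter at 14).

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ConfigVector:
    """Constructed data model: attributes of one VM configuration at one time."""
    vm_id: str
    time: int                    # temporal indication, in discrete intervals
    attributes: Tuple[int, ...]  # one state indicator per configuration characteristic


@dataclass(frozen=True)
class SecurityOccurrence:
    """Constructed: an attack observed on a VM, referable to a config vector by time."""
    vm_id: str
    time: int
    vulnerabilities: Tuple[float, ...]  # one indicator per security vulnerability


def reverse_decay(t: int, k: float) -> float:
    """Claim 2's 0.5^(Kt): weight for a config vector t intervals before the occurrence.
    With k = 1/7 this is a half-life of 7 intervals (half at t=7, a quarter at t=14)."""
    if t < 0:
        raise ValueError("t must be a non-negative time difference")
    return 0.5 ** (k * t)


def generate_training_examples(
    configs: List[ConfigVector], occurrence: SecurityOccurrence, k: float
) -> List[Tuple[ConfigVector, Tuple[float, ...]]]:
    """Pair the referenced config vector with the full vulnerability vector (first
    training example), then pair every earlier config vector of the same VM with the
    vulnerability vector scaled by reverse_decay, so earlier configurations indicate
    vulnerability to a lesser degree. Vectors after the occurrence are not used."""
    same_vm = [c for c in configs if c.vm_id == occurrence.vm_id]
    referenced = [c for c in same_vm if c.time == occurrence.time]
    if len(referenced) != 1:
        raise ValueError("occurrence must reference exactly one configuration vector")
    ref = referenced[0]
    examples = [(ref, occurrence.vulnerabilities)]
    for c in sorted((c for c in same_vm if c.time < ref.time), key=lambda c: -c.time):
        weight = reverse_decay(ref.time - c.time, k)
        examples.append((c, tuple(v * weight for v in occurrence.vulnerabilities)))
    return examples


def sample_examples() -> List[Tuple[int, Tuple[float, ...]]]:
    """Constructed sample: one training VM snapshotted every 7 intervals and attacked
    at interval 21; indicator values are placeholders, not real data."""
    configs = [
        ConfigVector("vm-a", 0, (0, 0, 1)),   # e.g. (port 80 open, agent present, stale pkg)
        ConfigVector("vm-a", 7, (1, 0, 1)),
        ConfigVector("vm-a", 14, (1, 1, 1)),
        ConfigVector("vm-a", 21, (1, 1, 1)),
        ConfigVector("vm-a", 28, (1, 1, 0)),  # after the occurrence: not used
        ConfigVector("vm-b", 21, (1, 1, 1)),  # different VM: not used
    ]
    occurrence = SecurityOccurrence("vm-a", 21, (1.0, 0.0, 1.0))
    examples = generate_training_examples(configs, occurrence, k=1 / 7)
    return [(c.time, vuln) for c, vuln in examples]
```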

Regarding claim 3, Pinto and Mohanty teach
the method of claim 1, further comprising training the machine learning algorithm based on the training examples to classify a configuration vector for a VM to a vector of vulnerabilities (Mohanty [0069] VM instance analyzer 620 is generally configured to examine a repository of previously-applied security policies (e.g., security policy library 630) for a security policy associated with a virtual machine instance with the same or similar characteristics and set of deployed applications. If VM instance analyzer 620 has generated a security policy for a virtual machine instance with the same or similar characteristics and set of deployed applications, VM instance analyzer 620 can apply the same security policy to the newly created temporary virtual machine instance.)
Mohanty is combined with Pinto for the same reasons as claim 1.
 
Regarding claim 4, Pinto and Mohanty teach
the method of claim 1, wherein a vector of configuration characteristics includes an indicator of a state of each of a plurality of configuration characteristics for a VM (Mohanty, [0058] Subsequently, the security system can use information about the applications deployed on the temporary virtual machine instance to modify the base security policy generated from the characteristics of the temporary virtual machine instance.  The security system can modify a base security policy, for example, to open certain ports on the temporary virtual machine instance to allow applications deployed on the temporary virtual machine instance to provide the services that are enabled by the applications (e.g., opening port 80 for an HTTP server).)
Mohanty is combined with Pinto for the same reasons as claim 1.

Regarding claim 5, Pinto and Mohanty teach
the method of claim 1, wherein a vulnerability vector includes an indicator of each of a plurality of security vulnerabilities of a VM (Pinto, Col 3, lines 56-61, This machine learning classifier is then able to provide clear feedback to information security analysts or the log generating sources themselves to perform the necessary decisions and actions to defend the network, host, application or any other target deemed relevant to be defended on an information security monitoring practice; Col 9, lines 51-58, For example, if we have an event on a network where a username from a specific IP address accesses an application on a specific network port successfully, the identifying actors on this event (IP address and username), can be run against behavioral models of IP addresses attempting to attack specific ports and usernames attempting to perform malicious activities on that specific application. The independent results for the models can then be combined or reported separately.)

Claim 6 is a system claim for the method claim 1 and is rejected for the same reasons as claim 1.

Claim 7 is a computer program element (media) claim for the method claim 1 and is rejected for the same reasons as claim 1.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRUCE S ASHLEY whose telephone number is (571)270-0315. The examiner can normally be reached 9-5 PDT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jay Kim can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BRUCE S ASHLEY/Examiner, Art Unit 2494
/ROBERT B LEUNG/Primary Examiner, Art Unit 2494    11-23-2022

[1] Pinto, Col 1, lines 19-22: The invention has particular utility in the context of identification of malicious events and actors in a computer network, although other utilities are contemplated.  Col 4, lines 26-32: The events that have been selected and grouped together by behavior are used to train a classification machine learning model with the previously calculated features by behavior and time interval. In one embodiment, the machine learning models are used independently to predict the likelihood of malicious activity from an identified actor, conditioned also on its behavior and the time interval in which it has been seen.  Col 10, lines 6-11: In one aspect, a completely different class of feedback can be provided by having the functionality to export Configuration Changes 166 to the sensors and log sources 102 and the independent sensors and log sources 104 so that these components can provide a proper source of active response to the attempted malicious behavior.
[2] Specification page 7, line 20 to page 8, line 1: A security occurrence includes an attack or other security event that corresponds, at least in part, to the realization of the effect of a security vulnerability existing in a VM having a particular VM configuration.  Thus, training examples are required for the machine learning algorithm for which a security occurrence was realized and including a configuration vector 202 for a training VM and a corresponding vulnerability vector 210 in view of the security occurrence.
[3] Pinto, Col 4, lines 20-22: their membership on a specific time interval is necessary for the correct calculation of the numeric features and their usage in the prediction model training.
[4] Pinto, Col 4, lines 36-40: Given a classification prediction of malicious activity is deemed positive in the testing, the invention will then notify analysts and sensors alike by using methods consistent with the art, including reports, alerts and direct communication with sensors to perform configuration changes.  Col 10, lines 6-11: In one aspect, a completely different class of feedback can be provided by having the functionality to export Configuration Changes 166 to the sensors and log sources 102 and the independent sensors and log sources 104 so that these components can provide a proper source of active response to the attempted malicious behavior.