Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of Claims
2.	This Office Action is issued in response to the claims filed on 7/19/2022.
Claims 1-18 are pending in this Office Action.	

Priority
3.	Acknowledgement is made of applicant’s priority claim of continuation of U.S. Patent Application No. 16/926,507 filed on July 10, 2020, which is a continuation of U.S. Patent Application No. 15/699,777 filed on September 8, 2017, now U.S. Patent No. 10,728,261, which claims the benefit of U.S. Provisional Application No. 62/466,279 filed on March 2, 2017.

Information Disclosure Statement
4.	The information disclosure statements (IDS) submitted on 7/19/2022 and 7/27/2022 have been considered by the Examiner.
Claim Objections
5.	a. Claim 1 is objected to because it recites “…an aggregator in the networked computing environment configured receive…(line 8)….transfer the generated security risk level to the company security dashboard…(line 22)”.  The first emphasized part seems to have a typo and the latter emphasized part lacks proper antecedent basis.  The Examiner suggests amending the limitations to read “…an aggregator in the networked computing environment configured to receive….transfer the generated security risk level to [[the]] a company security dashboard...”.
	b. Claim 9 recites “..an aggregator…configured receive… (line 9) … transfer the generated security risk level to the company security dashboard…(line 26)”.  Similar analyses and suggestions from claim 1 in preceding part 5a are applied to claim 9.
c. Claim 16 is objected to because it recites “The method of claim 15, wherein the method further comprise: saving the received behavioral activity information, collected by a collector service and a collector agent on hardware endpoints, that has been acquired over a period of time in a memory as historic data in the cloud service.”  Since claim 15, from which claim 16 depends, recites “...receiving behavioral activity information, collected by a collector service and a collector agent on hardware endpoints, that has been acquired over a period of time and aggregated;” the Examiner assumes the collector service and the collector agent cited in claim 15 and claim 16 are the same collector service and the same collector agent.  Therefore, claim 16 should be “The method of claim 15, wherein the method further comprise: saving the received behavioral activity information, collected by [[a]] the collector service and [[a]] the collector agent on hardware endpoints, that has been acquired over a period of time in a memory as historic data in the cloud service.”  
d. Claim 18 is objected to because it recites “…transmitting the generated security risk level to the company security operations dashboard…(lines 1-2)” which lacks proper antecedent basis and should be “…transmitting the generated security risk level to [[the]] a company security operations dashboard…”.
Appropriate corrections for the above claim objections are required.
35 U.S.C. § 112(f)
6.	The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

7.	The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
8.	This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitations are: “…an aggregator … configured receive (line 8) …cloud service…configured to (line 21)” in claim 1 and “…an aggregator … configured receive (line 9) …cloud service…configured to (line 25)” in claim 9.
Because these claim limitations are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
A review of the specification shows that the following appears to be the corresponding structure described in the specification for the 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph limitations: cloud service in Fig. 10 with associated text and paragraph [0128]: “the system 3000 may be used as part of the cloud service 212 as shown in Figure 2.”
If applicant does not intend to have these limitations interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitations to avoid them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitations recite sufficient structure to perform the claimed function so as to avoid them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 112
9.	The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

10.	Claims 1-14 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claims contain subject matters which were not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. The specification is devoid of any structure that performs the functions in the claims that are interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph for the limitation “aggregator” in claim 1 and claim 9.  Therefore, claim 1 and claim 9 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph. Claims 2-8 and 10-14 depend from independent claims 1 or 9; therefore, they are also rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph.


11.	The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.




12.	Claim limitations “…an aggregator … configured receive” (line 8) in claim 1 and “…an aggregator … configured receive” (line 9) in claim 9 invoke 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. The disclosure is devoid of any structure that performs the functions for the limitation “aggregator” in the claims. Therefore, the claims are indefinite and are rejected under 35 U.S.C. 112(b) or pre-AIA  35 U.S.C. 112, second paragraph.  Claims 2-8 and 10-14 depend from independent claims 1 or 9; therefore, they are also rejected under 35 U.S.C. 112(b) or pre-AIA  35 U.S.C. 112, second paragraph.
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c)        Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.
	For purposes of examination, the Examiner interprets the aggregator as software.
13.	Claims 2, 10 and 14 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
a. The term “substantially” in claim 2 and claim 10 (substantially behaves (line 3) and substantially diverges (line 5)) is a relative term which renders the claims indefinite. The term “substantially” is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. Therefore, the limitations “substantially behaves” and “substantially diverges” make claims 2 and 10 indefinite and the claims are rejected under 35 U.S.C. 112(b).  For purposes of examination, the Examiner considers any behavioral activity that behaves in accordance with expected behavioral activity to “substantially behave” and any difference or change of activity or behavior to “substantially diverge”.
b. Claim 14 recites “… wherein the absent activity is either a behavioral activity or a matric that is the behavior, or the metric expected at the network enabled hardware end points.”  The limitations “the absent activity” and “the metric expected…” lack proper antecedent bases because claim 9 which claim 14 depends from does not recite these limitations. The limitation “or a matric that is the behavior” is ambiguous and the disclosed specification does not provide support for it.  Therefore, the claim is rejected under 35 U.S.C. 112(b).  The Examiner notes that claim 13 recites determining an expected activity is absent from the new behavioral activity.  For purpose of examination, the Examiner assumes claim 14 as “The cyber security threat detection system of claim [[9]] 13, wherein the absent activity is either a behavioral activity or [[a matric that is the behavior, or the]] a metric expected at the network enabled hardware end points.”
Duplicate Claims
14.	Applicant is advised that should claim 4 be found allowable, claim 5 will be objected to under 37 CFR 1.75 as being a substantial duplicate thereof. When two claims in an application are duplicates or else are so close in content that they both cover the same thing, despite a slight difference in wording, it is proper after allowing one claim to object to the other as being a substantial duplicate of the allowed claim. See MPEP § 608.01(m).

Claim Rejections - 35 U.S.C. § 103
15.	The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed  or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negated by the manner in which the invention was made.
16.	Claims 1, 2, 4, 5, 9, 10, 12, 15, 16, and 18 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Tom Miltonberger (US 8,280,833), hereinafter "Miltonberger" in view of Carpenter et al. (US 2016/0050225), hereinafter “Carpenter”.
	Regarding claim 1, Miltonberger discloses a cyber security threat detection system for a networked computing environment (Fig. 1 with associated text: fraud detection system 100), the system comprising: a plurality of network enabled hardware end points communicably linked to the networked computing environment enabled for user access (Fig. 1 with associated text: consumers and business users’ computers- network enabled hardware end points); 
[a collector engine comprising at least a collector service and an agent installed on the network enabled hardware end points, configured to acquire user behavioral activity information at the end point; an aggregator in the networked computing environment configured receive user behavioral activity information from the end points and to aggregate the received behavioral activity information] and send it to a cloud service having a processing capability and storage in at least a cloud based processing system, for storage of the behavioral activity information and for processing the behavioral activity information (Col. 5, lines 3-7: “The risk engine 202 –cloud service- is a real-time event processor that receives data of user events- user behavioral activity information- or a set of events. The risk engine 202 also stores the user account model for the particular user. The risk engine 202 calculates a risk score using the event data and the user account model. The risk engine 202 uses the risk score and details of the observed event to update the user account model, and stores the updated user account model for use in evaluating the next subsequent set of event data (of a session) of the user.” Fig. 2A with associated text and Col. 14, lines 15-60: components of the fraud detection system including processor-based devices are distributed over WAN and internet); 
wherein the cloud service processing capability further comprise: a prediction [engine] operating on the acquired behavioral activity information, configured to predict expected behavioral activity based on historic behavioral activity from the recorded behavioral activity information (Abstract and Col. 6, lines 7-26: predict expected behavior of the user using the causal model comprising estimating components of the causal model using event parameters of a previous event), to compare new behavioral activity with the expected behavioral activity (Col. 6, lines 54-57: comparing second event parameters with predicted event parameters), and to determine a probability of occurrence of the new behavioral activity based on the comparison (Col. 7, lines 47-50: calculate probability of occurrence); 
an analytics [engine] configured to generate a security risk level based on the probability of occurrence of the new behavioral activity (Col.7, lines 50-52: calculate risk score-risk level- based on probability); and 
the cloud service further configured to transfer the generated security risk level to [the company security dashboard] in the networked computing environment (Col. 5, lines 11-15: “The risk engine 202 also transfers the risk score to the online banking application 210. The risk application 204 also provides alerts and allows authorized personnel to perform correlations, reporting, and investigations using the event data.”)
	Miltonberger does not explicitly disclose the cloud service includes a specific analytics engine and a specific prediction engine, a collector engine comprising at least a collector service and an agent installed on the network enabled hardware end points, configured to acquire user behavioral activity information at the end point, an aggregator in the networked computing environment configured receive user behavioral activity information from the end points and to aggregate the received behavioral activity information, and the generated security risk level is transferred to a company security dashboard.  However, Carpenter discloses a local agent at a monitored device collects vulnerability data and event data and sends them to an aggregator (paragraphs [0022]-[0023]: local agent; paragraph [0025]: Rule Engine and Aggregation module-aggregator-reads data from data collection module 121 and translates it into normalized data and groupings) and security risk information is sent to a company security dashboard (Fig. 4A-4E with associated text).
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Miltonberger’s teaching of a cyber security threat detection system with Carpenter’s teaching that a local agent at a monitored device collects vulnerability data and event data and sends them to an aggregator and that security risk information is sent to a company security dashboard, because the results would be predictable and would result in having an agent installed locally at a device to collect device information, sending the collected device information to an aggregator which sends collected device information to the risk engine for further analysis, and displaying security risk information on a company security dashboard. 
Miltonberger discloses the Risk Engine performing different functionalities as presented above, but Miltonberger and Carpenter do not explicitly disclose that the cloud service includes a plurality of engines that each perform a specific functionality and a collector engine comprising a collector service and an agent.  However, it is known in the art before the effective filing date of the claimed invention to have different components of a system performing different functionalities.  Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have Miltonberger’s Risk Engine with sub-engines that each perform a specific task of analytics and prediction respectively and Carpenter’s collector agent comprising a collector service and an agent. The motivation to do so would be to make the system easier to manage and repair, which is an advantage of an integrated system. 
	Regarding claim 2, Miltonberger and Carpenter disclose the cyber security threat detection system of claim 1, wherein the security risk level based on probability of occurrence of the new behavioral activity decreases if the new behavioral activity substantially behaves in accordance with the expected behavioral activity; and security risk level based on probability of occurrence of the new behavioral activity increases if the new behavioral activity substantially diverges from the expected behavioral activity, thereby indicating a possible security breach (Col. 6, lines 29-33: “generating a risk score 508 of the next event using the expected event parameters and the fraud event parameters. The risk score indicates the relative likelihood the future event is performed by the user versus the fraudster.” Col. 6, lines 48-60: comparing actual event parameters to predicted event parameters to generate a risk score.  Col. 7, line 44-Col. 8, line 14: relation of observed parameters with risk score and probability of occurrence.  Col. 11, lines 1-45: updating probability model based on recent event parameter.  Therefore, event parameters, risk scores and probability of occurrence inter-depend on each other. Security risk increases when new behavioral activity behaves in accordance with the expected behavioral activity and decreases when new behavioral activity does not behave in accordance with the expected behavioral activity.)
Regarding claim 4, Miltonberger and Carpenter disclose the cyber security threat detection system of claim 1, wherein the probability of occurrence of the new behavioral activity is combined with additional metrics to derive an overall security risk level (Col. 7, line 41-Col. 8, line 65: PUM which relates to user behavioral activity and PFM which uses other session or online data are combined to have overall security data-overall security risk).
Regarding claim 5, Miltonberger and Carpenter disclose the cyber security threat detection system of claim 1, wherein the probability of occurrence of the new behavioral activity is combined with additional metrics to derive an overall security risk level (Col. 7, line 41-Col. 8, line 65: PUM which relates to user behavioral activity and PFM which uses other session or online data are combined to have overall security data-overall security risk).
Regarding claim 9, Miltonberger discloses a cyber security threat detection system for a networked computing environment (Fig. 1 with associated text: fraud detection system 100, the consumers and business users and online service belong to a networked computing environment) the system comprising: 
a plurality of network enabled hardware end points communicably linked to the networked computing environment, from within and outside the computing environment, enabled for user access (Fig. 1 with associated text: the consumers and business users’ computers are network enabled hardware end points within the computing environment.  The computers that operate fraud and info security, risk management and business operations are network enabled hardware end points outside the computing environment); 
[a collector engine comprising at least a collector service and an agent installed on the network enabled hardware end points, configured to acquire user behavioral activity information at the end point; an aggregator in the networked computing environment configured receive user behavioral activity information from the end points within the networked computing environment and to aggregate the received behavioral activity information] and send it to a cloud service (Col. 5, lines 3-5: “The risk engine 202-cloud service-is a real-time event processor that receives data of user events- user behavioral activity information- or a set of events.” Fig. 2A with associated text and Col. 14, lines 15-60: components of the fraud detection system including processor-based devices are distributed over WAN and internet); and 
[the network enabled hardware end points outside the computing environments configured to provide the collected behavioral activity information to the cloud service over the network]; 
wherein the cloud service is configured with a processing capability and storage in at least a cloud based processing system for storage of the behavioral activity information and for processing the behavioral activity information (Col. 5, lines 3-7: “The risk engine 202 is a real-time event processor that receives data of user events- user behavioral activity information- or a set of events. The risk engine 202 also stores the user account model for the particular user. The risk engine 202 calculates a risk score using the event data and the user account model. The risk engine 202 uses the risk score and details of the observed event to update the user account model, and stores the updated user account model for use in evaluating the next subsequent set of event data (of a session) of the user.”); 
wherein the cloud service processing capability further comprise: 
a prediction [engine] operating on the acquired behavioral activity information, configured to predict expected behavioral activity based on historic behavioral activity from the recorded behavioral activity information (Abstract and Col. 6, lines 7-26: predict expected behavior of the user using the causal model comprising estimating components of the causal model using event parameters of a previous event), to compare new behavioral activity with the expected behavioral activity (Col. 6, lines 54-57: comparing second event parameters with predicted event parameters), and to determine a probability of occurrence of the new behavioral activity based on the comparison (Col. 7, lines 47-50: calculate probability of occurrence); 
an analytics [engine] configured to generate a security risk level based on the probability of occurrence of the new behavioral activity (Col.7, lines 50-52: calculate risk score-risk level- based on probability); and 
the cloud service further configured to transfer the generated security risk level to [the company security dashboard] in the networked computing environment (Col. 5, lines 11-15: “The risk engine 202 also transfers the risk score to the online banking application 210. The risk application 204 also provides alerts and allows authorized personnel to perform correlations, reporting, and investigations using the event data.”)
Miltonberger does not explicitly disclose the cloud service includes a specific analytics engine and a specific prediction engine, a collector engine comprising at least a collector service and an agent installed on the network enabled hardware end points, configured to acquire user behavioral activity information at the end point, an aggregator in the networked computing environment configured receive user behavioral activity information from the end points and to aggregate the received behavioral activity information, the network enabled hardware end points outside the computing environments configured to provide the collected behavioral activity information to the cloud service over the network and the generated security risk level is transferred to a company security dashboard.  However, Carpenter discloses a local agent at a monitored device collects vulnerability data and event data and sends them to an aggregator which is outside of a network (paragraphs [0022]-[0023]: local agent; paragraph [0025]: Rule Engine and Aggregation module-aggregator-reads data from data collection module 121 and translates it into normalized data and groupings.  Fig. 1 with associated text: rules engine and aggregation receives data collection from workstations 135. Control system 120 are computing environments.  The Rule Engine and Aggregation are outside of the computing environments) and security risk information is sent to a company security dashboard (Fig. 4A-4E with associated text).
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Miltonberger’s teaching of cyber security threat detection system with Carpenter’s teaching of a local agent at a monitored device collects vulnerability data and event data and sends them to an aggregator which is outside of a network and security risk information is sent to a company security dashboard because the results would be predictable and resulted in having an agent installed locally at a device to collect device information, sending the collected device information to an aggregator which is outside of a network, sending collected device information to the risk engine for further analysis and displaying security risk information on a company security dashboard. 
Miltonberger discloses the Risk Engine performing different functionalities as presented above, but Miltonberger and Carpenter do not explicitly disclose the cloud service includes plurality of engines that each performs a specific functionality and a collector engine comprising a collector service and an agent.  However, it is known in the art before the effective filing date of the claimed invention to have different components of a system performing different functionalities.  Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have Miltonberger’s Risk Engine with sub-engines that each performs a specific task of analytics and prediction respectively and Carpenter’s collector agent comprising a collector service and an agent. The motivation to do so would be to make the system easier to manage and repair, which is an advantage of an integrated system. 
Regarding claim 10, Miltonberger and Carpenter disclose the cyber security threat detection system of claim 9, wherein the security risk level based on probability of occurrence of the new behavioral activity decreases if the new behavioral activity substantially behaves in accordance with the expected behavioral activity; and security risk level based on probability of occurrence of the new behavioral activity increases if the new behavioral activity substantially diverges from the expected behavioral activity, thereby indicating a possible security breach (Col. 6, lines 29-33: “generating a risk score 508 of the next event using the expected event parameters and the fraud event parameters. The risk score indicates the relative likelihood the future event is performed by the user versus the fraudster.” Col. 6, lines 48-60: comparing actual event parameters to predicted event parameters to generate a risk score.  Col. 7, line 44-Col. 8, line 14: relation of observed parameters with risk score and probability of occurrence.  Col. 11, lines 1-45: updating probability model based on recent event parameter.  Therefore, event parameters, risk scores and probability of occurrence are interdependent. Security risk increases when new behavioral activity behaves in accordance with the expected behavioral activity and decreases when new behavioral activity does not behave in accordance with the expected behavioral activity.)
Regarding claim 12, Miltonberger and Carpenter disclose the cyber security threat detection system of claim 9, wherein the probability of occurrence of the new behavioral activity is combined with additional metrics to derive an overall security risk level (Col. 7, line 41-Col.8, line 65: PUM which relates to user behavioral activity and PFM which uses other session or online data are combined to have overall security data-overall security risk).
Regarding claim 15, Miltonberger discloses a computer-implemented method for cyber security threat detection, the method implemented by one or more processors operating within a computing environment and a plurality of processors in the cloud service (Fig. 1 with associated text: fraud detection system 100. Col. 14, lines 24-65: components of the fraud detection system are distributed over WAN and internet and include processor-based devices and computers), the method comprising: 
receiving behavioral activity information, [collected by a collector service and a collector agent on hardware endpoints], that has been acquired over a period of time and [aggregated] (Col. 5, lines 3-7: “The risk engine 202-cloud service-is a real-time event processor that receives data of user events- user behavioral activity information- or a set of events”); operating on the received behavioral activity information by a processor, associated with a prediction [engine] in a cloud service (Col. 5, lines 6-7: “The risk engine 202 calculates a risk score using the event data and the user account model.”), to predict expected behavioral activity based on historic behavioral activity from the received and stored behavioral activity information (Abstract and Col. 6, lines 7-26: predict expected behavior of the user using the causal model comprising estimating components of the causal using event parameters of a previous event); and determining by a processor associated with an analytic [engine] in the cloud service, a risk level from a probability of occurrence of new abnormal behavioral activity based on a comparison of the new behavioral activity with the expected behavioral activity (Col. 6, lines 54-57: comparing second event parameters with predicted event parameters. Col. 7, lines 50-52: calculate risk score-risk level- based on probability).
Miltonberger does not explicitly disclose the cloud service includes a specific analytics engine, a specific prediction engine, data is collected by a collector service and an agent installed on the hardware end points and aggregated before being received by the cloud service.  However, Carpenter discloses a local agent at a monitored device collects vulnerability data and event data and sends them to an aggregator (paragraphs [0022]-[0023]: local agent; paragraph [0025]: Rule Engine and Aggregation module-aggregator).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Miltonberger’s teaching of a cyber security threat detection system with Carpenter’s teaching that a local agent at a monitored device collects vulnerability data and event data and sends them to an aggregator, because the results would be predictable and would result in having an agent installed locally at a device to collect device information, send the collected device information to an aggregator which sends collected device information to the risk engine for further analysis and display security risk information on a company security dashboard.
Miltonberger discloses the Risk Engine performing different functionalities as presented above, but Miltonberger and Carpenter do not explicitly disclose that the cloud server includes a plurality of engines that each perform a specific functionality and a collector engine comprising at least a collector service and an agent.  However, it is known in the art before the effective filing date of the claimed invention to have different components of a system performing different functionalities.  Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have Miltonberger’s Risk Engine with sub-engines that each perform a specific task and Carpenter’s collector agent comprising a collector service and an agent. The motivation to do so would be to make the system easier to manage and repair, which is an advantage of an integrated system.
Regarding claim 16, Miltonberger and Carpenter disclose the method of claim 15, wherein the method further comprise: saving the received behavioral activity information, collected by a collector service and a collector agent on hardware endpoints, that has been acquired over a period of time in a memory as historic data in the cloud service (Miltonberger, Col. 5, lines 3-7: “The risk engine 202-cloud service-is a real-time event processor that receives data of user events- user behavioral activity information- or a set of events. The risk engine 202 also stores the user account model for the particular user. The risk engine 202 calculates a risk score using the event data and the user account model. The risk engine 202 uses the risk score and details of the observed event to update the user account model, and stores the updated user account model for use in evaluating the next subsequent set of event data (of a session) of the user.” Col. 8, lines 15-33: user model is based on collected user behavior. Fig. 2A with associated text and Col. 14, lines 51-60: Risk engine 202 could be a cloud service.  Carpenter, paragraphs [0022]-[0023]: local agent collects data and sends to data collection 121; paragraph [0025]: Rule Engine and Aggregation module-aggregator-reads data from data collection module 121 and translates it into normalized data and groupings).
Regarding claim 18, Miltonberger and Carpenter disclose the method of claim 15, further comprising generating and transmitting the generated security risk level to the company security operations dashboard in the networked computing environment (Miltonberger, Col. 5, lines 11-15: “The risk engine 202 also transfers the risk score to the online banking application 210. The risk application 204 also provides alerts and allows authorized personnel to perform correlations, reporting, and investigations using the event data.” Carpenter, Fig. 4A-4E with associated text: security risk information is displayed on a company security dashboard).
17.	Claims 3, 6-8, 11, 13, 14, and 17 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Tom Miltonberger (US 8,280,833), hereinafter "Miltonberger", in view of Carpenter et al. (US 2016/0050225), hereinafter “Carpenter” and in view of Garman et al. (US 2018/0077187), hereinafter “Garman”.	
Regarding claim 3, Miltonberger and Carpenter disclose the cyber security threat detection system of claim 1. Miltonberger and Carpenter do not explicitly disclose wherein a lower probability of occurrence of the new behavioral activity indicates a greater security risk level, and vice versa.  However, that a parameter having a low probability of occurrence indicates a greater security risk is known in the art before the effective filing date of the invention and Garman’s teaching is an example (paragraph [0068]: “the behavioral baseline data may include data indicating that a particular user is expected to run a particular set of applications, and the user's execution of an application outside the indicated set of applications may therefore be treated as a suspicious activity.”  Note: The lower the probability that the user runs the expected particular set of applications, the higher the chance of suspicious activity, which indicates security risk.)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to combine Miltonberger and Carpenter’s teachings of cyber security threat detection system with a local agent at a monitored device collects vulnerability data and event data and sends them to an aggregator and security risk information is sent to a company security dashboard with Garman’s teaching of parameter having low probability of occurrence indicates a greater security risk.  The motivation to do so would be to enhance the performance of cybersecurity system as taught by Garman (paragraph [0002]).
Regarding claim 6, Miltonberger and Carpenter disclose the cyber security threat detection system of claim 1. Miltonberger and Carpenter do not explicitly disclose wherein the security risk level increases in response to a determination that an expected activity with the high probability of occurrence is absent from the new behavioral activity.  However, determining security risk based on detecting absence of an activity is known in the art and Garman’s teaching is an example (paragraph [0068]: “the behavioral baseline data may include data indicating that a particular user is expected to run a particular set of applications, and the user's execution of an application outside the indicated set of applications may therefore be treated as a suspicious activity.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to combine Miltonberger and Carpenter’s teachings of cyber security threat detection system with a local agent at a monitored device collects vulnerability data and event data and sends them to an aggregator and security risk information is sent to a company security dashboard with Garman’s teaching of determining security risk based on detecting absence of an activity. The motivation to do so would be to enhance the performance of cybersecurity system as taught by Garman (paragraph [0002]).
Regarding claim 7, Miltonberger, Carpenter, and Garman disclose the cyber security threat detection system of claim 6, wherein the absent activity includes an absence of an expected metric (Garman, paragraph [0068]: “the behavioral baseline data may include data indicating that a particular user is expected to run a particular set of applications-expected metric, and the user's execution of an application outside the indicated set of applications may therefore be treated as a suspicious activity.”)
Regarding claim 8, Miltonberger, Carpenter, and Garman disclose the cyber security threat detection system of claim 7, wherein the absence of an expected metric increases a probability of abnormal behavior and a weighted risk level associated the metric (Miltonberger, Col. 7, line 41-Col.8, line 65: PUM which relates to user behavioral activity and PFM which uses other session or online data are combined to have overall security data. Garman, paragraph [0068]: suspicious activity which raises security concern is determined based on absence of an expected activity. The combination of Miltonberger and Garman’s teachings makes it obvious that the absence of an activity will affect the risk score that it represents-its weighted risk- on the overall security data -total risk score).
Regarding claim 11, Miltonberger and Carpenter disclose the cyber security threat detection system of claim 9. Miltonberger and Carpenter do not explicitly disclose wherein a lower probability of occurrence of the new behavioral activity indicates a greater security risk level, and vice versa.  However, that a parameter having a low probability of occurrence indicates a greater security risk is known in the art before the effective filing date of the invention and Garman’s teaching is an example (paragraph [0068]: “the behavioral baseline data may include data indicating that a particular user is expected to run a particular set of applications, and the user's execution of an application outside the indicated set of applications may therefore be treated as a suspicious activity.”  Note: The lower the probability that the user runs the expected particular set of applications, the higher the chance of suspicious activity, which indicates security risk.)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to combine Miltonberger and Carpenter’s teachings of cyber security threat detection system with a local agent at a monitored device collects vulnerability data and event data and sends them to an aggregator and security risk information is sent to a company security dashboard with Garman’s teaching of parameter having low probability of occurrence indicates a greater security risk.  The motivation to do so would be to enhance the performance of cybersecurity system as taught by Garman (paragraph [0002]).
Regarding claim 13, Miltonberger and Carpenter disclose the cyber security threat detection system of claim 9. Miltonberger and Carpenter do not explicitly disclose wherein the security risk level increases in response to a determination that an expected activity with the high probability of occurrence is absent from the new behavioral activity.  However, determining security risk based on detecting absence of an activity is known in the art and Garman’s teaching is an example (paragraph [0068]: “the behavioral baseline data may include data indicating that a particular user is expected to run a particular set of applications, and the user's execution of an application outside the indicated set of applications may therefore be treated as a suspicious activity.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to combine Miltonberger and Carpenter’s teachings of cyber security threat detection system with a local agent at a monitored device collects vulnerability data and event data and sends them to an aggregator which is outside of a network and security risk information is sent to a company security dashboard with Garman’s teaching of determining security risk based on detecting absence of an activity. The motivation to do so would be to enhance the performance of cybersecurity system as taught by Garman (paragraph [0002]).
Regarding claim 14, Miltonberger and Carpenter disclose the cyber security threat detection system of claim 13, wherein the absent activity is either a behavioral activity or the metric expected at the network enabled hardware end points (Garman, paragraph [0068]: “the behavioral baseline data may include data indicating that a particular user is expected to run a particular set of applications-expected metric, and the user's execution of an application outside the indicated set of applications may therefore be treated as a suspicious activity.”)
Regarding claim 17, Miltonberger and Carpenter disclose the method of claim 15. Miltonberger and Carpenter do not explicitly disclose wherein the determination by the risk level by the processor associated with the analytic engine in the cloud service further considering an absence of an expected metric as increasing a probability of occurrence of the abnormal behavioral activity. However, determining security risk based on detecting absence of an activity is known in the art and Garman’s teaching is an example (paragraph [0068]: “the behavioral baseline data may include data indicating that a particular user is expected to run a particular set of applications, and the user's execution of an application outside the indicated set of applications may therefore be treated as a suspicious activity.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to combine Miltonberger and Carpenter’s teachings of cyber security threat detection system with a local agent at a monitored device collects vulnerability data and event data and sends them to an aggregator with Garman’s teaching of determining security risk based on detecting absence of an activity. The motivation to do so would be to enhance the performance of cybersecurity system as taught by Garman (paragraph [0002]).

Conclusion
18.	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure: see attached PTO-892 Notice of References Cited.
19.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to THANH T. LE whose telephone number is (571)270-0279.  The examiner can normally be reached on Monday-Thursday 8:00 am - 4:00 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).  If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/THANH T LE/
Examiner, Art Unit 2495