DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted on 02/10/2021 were filed before the mailing date of this office action.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.
Claim Objections
Claims 5 and 17 are objected to because of the following informalities:
Claim 5, lines 2-3, “the output of the second vendor tool and the output of the second vendor tool,” should read “the output of the first vendor tool and the output of the second vendor tool,”.
Claim 17, lines 7, 12 and 14, “the commonalities” should read “the primary set of commonalities”.
Appropriate correction is required.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 10-16 are rejected under 35 U.S.C. 101 because the claimed invention under claim 10 is directed to non-statutory subject matter. The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because the "An artificial intelligence ("AI") filter", "a first vendor tool", "a second vendor tool", "a database" and "an AI engine", under the broadest reasonable definition, may be interpreted as being directed to software per se.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-19 are rejected under 35 U.S.C. 103 as being unpatentable over US-PGPUB No. 2019/0312890 A1 to Perilli, US-PGPUB No. 2019/0124106 A1 to Navarro, and further in view of US-PGPUB No. 2018/0322419 A1 to Bugenhagen.
Regarding claim 1:
Perilli discloses:
(¶13: “… a system 100 for mitigating cyber-attacks by automatically coordinating responses …”) detected by disparate vendor tools (¶14: “… cyber-security tools 106a-b …”) deployed across an enterprise organization (¶13: “… a system 100 for mitigating cyber-attacks by automatically coordinating responses from cyber-security tools 106a-b …”, ¶14: “… a company … makes the cyber-security tool 106a … another company … makes another cyber-security tool 106b …”), the 
receiving output (¶21: “… receive as output an indication of whether or not the events indicate a cyber-attack 122.”) from a first vendor tool (¶14: “… cyber-security tool 106a …”) comprising: 
a first cyberthreat detected by the first vendor tool (¶18: “… the cyber-security tool 106a can transmit a notification to the cyber-security engine 102 indicating that bandwidth consumption is unusually high …”); and 
a first set of countermeasures that neutralize the first cyberthreat (¶28: “… the cyber-security engine 102 can transmit a command 116 to cyber-security tool 106a to cause cyber-security tool 106a to close a port, close a network connection, quarantine a portion of memory (e.g., RAM or a hard disk), or erase a file.”); 
receiving output (¶21: “… receive as output an indication of whether or not the events indicate a cyber-attack 122.”) from a second vendor tool (¶14: “… cyber-security tool 106b …”) comprising: 
a second cyberthreat detected by the second vendor tool (¶18: “… cyber-security tool 106b can transmit a notification to the cyber-security engine 102 indicating that an unusual pattern of copying files has been detected.”); and 
a second set of countermeasures that neutralize the second cyberthreat (¶28: “… the cyber-security engine 102 can transmit commands to the cyber-security tools 106a-b to cause the cyber-security tools 106a-b to implement respective portions of the coordinated-response strategy.”); and 
applying machine learning techniques to the output of the first vendor tool and the output of the second vendor tool and thereby (¶21: “… the machine-learning model 120a can be trained using training data that includes thousands or millions of relationships cyber-attacks and between various events detectable by the cyber-security tools 106a-b.”, see also Fig. 1 for Machine Learning Models 120a and 120b): 
However, Perilli does not disclose the following limitations taught by Navarro:
determining a set of overlapping actions (Navarro, ¶48: “… if all vulnerability reports recommend the same remediation for a vulnerability (“Yes” branch, block 318) …”), wherein each member of the set of overlapping actions is included in the first set of countermeasure and included in the second set of countermeasures (Navarro, ¶40: “Each vulnerability report 218 lists at least a vulnerability reference number and a proposed remediation, which is a recommendation of specific steps to provide a fix to the vulnerability.”, ¶43: “… each report would be analyzed and compared to others in an attempt to confirm that a vulnerability listed in a first report is the same as a vulnerability listed under a different reference number in a second report.”); 
associating the set of overlapping actions with a detected cyberthreat associated with the enterprise organization (Navarro, ¶48: “… the recommended remediation is labeled “high” at block 320, and an entry is made to the history 238 at block 320A to indicate that the implementation was made as recommended.”); 
determining a third set of countermeasures (Navarro, ¶48: “… a remediation should be implemented …”) based on the detected cyberthreat (Navarro, ¶48: “The remediation is then integrated into the development process as recommended (block 326).”); and 
deploying the third set of countermeasure to neutralize the detected cyberthreat (Navarro, ¶51: “When no further issues are detected (“No” branch, block 330), then the remediation is fully deployed at block 334.”).   
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of Perilli to incorporate the functionality of the threat remediator to create a cross-reference from analyses of multiple vulnerability reports, as disclosed by Navarro. Such modification would allow the system to provide an efficiency of not considering the same vulnerability multiple times, and provide a more accurate assessment of whether inconsistencies exist between proposed remedies.
The combination of Perilli and Navarro does not disclose the following limitation taught by Bugenhagen:
An artificial intelligence ("AI") (Bugenhagen, ¶21: “… a method for a model-driven AI learning framework … includes performing, via an artificial intelligence engine, an action responsive to a trigger, based at least in part on one or more data inputs”) 	
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of the combination of Perilli and Navarro to incorporate the functionality of the artificial intelligence engine to implement one or more artificial intelligent models that can be configured to intelligently work with other third party defense systems in an enterprise’s network against threats, as disclosed by Bugenhagen. Such modification would enable the system to have the expected advantages of artificial intelligence such as 24x7 availability, unbiased decisions, and to detect a previously unknown threat earlier as well as enact one or more autonomous responses to implement a faster response time to contain a detected threat.
Regarding claim 2:
The combination of Perilli, Navarro and Bugenhagen discloses:
The AI method of claim 1, wherein: 
the output of the first vendor tool is in a first proprietary format that is incompatible with the second vendor tool (Perilli, ¶17: “… the cyber-security tool 106a may accept commands in a REST format and provide data in an extensible markup language (XML) format.”); and 
the output of the second vendor tool is in a second proprietary format that is incompatible with the first vendor tool (Perilli, ¶17: “… the cyber-security tool 106b may accept commands in a proprietary format and provide data in JavaScript Object Notation (JSON) format.”).  
Regarding claim 3:
The combination of Perilli, Navarro and Bugenhagen discloses:
The AI method of claim 1, wherein the detected cyberthreat associated with the enterprise organization maps onto a cyberthreat classification standard (Navarro, ¶29: “The threat remediator 214 includes a standardized threat report 216 that is received from an external source, such as NIST (National Institutes of Standards and Technology).”).  
The same motivation which is applied for the rejection of claim 1, with regards to Navarro, applies to claim 3.
Regarding claim 4:
The combination of Perilli, Navarro and Bugenhagen discloses:
The AI method of claim 3, further comprising applying the machine learning techniques to the output of the first vendor tool and the detected cyberthreat, and thereby determining that the first cyberthreat maps onto the cyberthreat classification standard (Navarro, ¶40: “… the security tools 224 may be executed in conjunction with an attempt to reproduce a vulnerability identified in a standardized threat report 216, e.g. CVE listings from NIST.”).  
The same motivation which is applied for the rejection of claim 1, with regards to Navarro, applies to claim 4.
Regarding claim 5:
The combination of Perilli, Navarro and Bugenhagen discloses:
The AI method of claim 1, further comprising applying the machine learning techniques to the output of the second vendor tool and the output of the second vendor tool, and thereby determining that the first cyberthreat and the second cyberthreat are discrete cyberthreats (Perilli, ¶21: “After the machine-learning model 120a has been trained, the cyber-security engine 102 can receive information about various events from the cyber-security tools 106a-b, feed the information into the machine-learning model 120a, and receive as output an indication of whether or not the events indicate a cyber-attack 122.”).  
Regarding claim 6:
The combination of Perilli, Navarro and Bugenhagen discloses:
The AI method of claim 1, further comprising: 
overriding the first set of countermeasures generated by the first vendor tool (Navarro, ¶50: “If no two reports recommend the same remediation for a vulnerability (“No” branch, block 318), then there is a “low” confidence that any one of the remediations should be implemented as recommended … The vulnerability issue is then directed appropriately to receive more attention for design and development (block 324, Design/Develop Remediation).”); and 
applying the third set of countermeasures to neutralize the first cyberthreat detected by the first vendor tool (Navarro, ¶51: “… potential remediations are developed and tested on a sub-set of an enterprise information system. … the remediation is deployed into the entire enterprise information system.”).  
The same motivation which is applied for the rejection of claim 1, with regards to Navarro, applies to claim 6.
Regarding claim 7:
The combination of Perilli, Navarro and Bugenhagen discloses:
The AI method of claim 1, wherein the third set of countermeasures includes members of the first set of countermeasures and members of the second set of countermeasures (Navarro, ¶48: “… if all vulnerability reports recommend the same remediation for a vulnerability (“Yes” branch, block 318), then the recommend remediation is labeled “high” at block 320, and an entry is made to the history 238 at block 320A) to indicate that the implementation was made as recommended. The remediation is then integrated into the development process as recommended (block 326).”).  
The same motivation which is applied for the rejection of claim 1, with regards to Navarro, applies to claim 7.
Regarding claim 8:
The combination of Perilli, Navarro and Bugenhagen discloses:
The AI method of claim 1, comprising applying the machine learning techniques and classifying the first cyberthreat as corresponding to the second cyberthreat (Perilli, ¶21: “… the machine-learning model 120a can include a neural network, decision tree, classifier, or any combination of these. The machine-learning model 120a can be trained to determine correlations between various events and a cyber-attack 122. … the machine-learning model 120a can be trained using training data that includes thousands or millions of relationships cyber-attacks and between various events detectable by the cyber-security tools 106a-b.”).  
Regarding claim 9:
The combination of Perilli, Navarro and Bugenhagen discloses:
The AI method of claim 1, wherein: 
the first vendor tool is deployed on a first hardware system (Perilli, see Fig. 3, Cyber-security tool 106a); and 
the second vendor tool is deployed on a second hardware system (Perilli, see Fig. 3, Cyber-security tool 106b).
Regarding claim 10:
In addition to the following limitations, claim 10 substantially recites the same limitations as claim 1 in the form of an Artificial Intelligence (“AI”) filter to realize the corresponding method; therefore, it is rejected by the same rationale.
a database (Perilli, ¶24: “… a database 124b …”) storing cyberthreats (Perilli, ¶24: “… the database 124b can include various types of cyber-attacks …”) detected and neutralized by a human cybersecurity team (Perilli, ¶24: “The database 124b can be constructed by a cyber-security professional, a system administrator, or another entity.”); and 
an (Perilli, ¶13: “… a cyber-security engine 102 …”) that: 
filters the first output and the second output and generates a single cyberthreat (Perilli, ¶18: “… a cyber-attack 122. … a hacker downloading a large volume of critical files …”) (Perilli, ¶18: “… the cyber-security engine 102 can use the software modules 108a-b to communicate with the cyber-security tools 106a-b in order to detect a cyber-attack 122.”); and 
utilizes the database to determine a set of countermeasures for neutralizing the single cyberthreat (Perilli, ¶24: “… the cyber-security engine 102 can determine a coordinated-response strategy using a database 124b.”).
However, Perilli does not disclose the following limitation taught by Bugenhagen:
an AI (Bugenhagen, ¶23: “… an AI-engine 105 …”).
The same motivation which is applied for the rejection of claim 1, with regards to Bugenhagen, applies to claim 10.
Regarding claim 11:
The combination of Perilli, Navarro and Bugenhagen discloses:
The AI filter of claim 10, wherein the AI engine identifies the first output as a false positive (Bugenhagen, ¶75: “… an AI engine may be configured to determine whether a decision is a false positive. … the AI engine may be configured to automatically detect (e.g., flag) a false positive based on learned historic usage patterns …”).
The same motivation which is applied for the rejection of claim 1, with regards to Bugenhagen, applies to claim 11.
Regarding claim 12:
The combination of Perilli, Navarro and Bugenhagen discloses:
The AI filter of claim 11, wherein the AI engine identifies the first output and the second output as being duplicates (Navarro, ¶43: “… each report would be analyzed and compared to others in an attempt to confirm that a vulnerability listed in a first report is the same as a vulnerability listed under a different reference number in a second report.”).  
The same motivation which is applied for the rejection of claim 1, with regards to Navarro, applies to claim 12.
Regarding claim 13:
The combination of Perilli, Navarro and Bugenhagen discloses:
The AI filter of claim 12, wherein in response to identifying the duplicates, the AI engine generates a standardized expression that corresponds to the first output and corresponds to the second output (Navarro, ¶46: “… the report cross-reference 220 is applied to the integrated list 240 by the list integrator 236. The process of applying the report cross-reference 220 identifies unique entries that relate to the same vulnerability, and that can be consolidated. … the different vulnerability identifiers are associated”).  
The same motivation which is applied for the rejection of claim 1, with regards to Navarro, applies to claim 13.
Regarding claim 14:
The combination of Perilli, Navarro and Bugenhagen discloses:
The AI filter of claim 13, wherein the AI engine prioritizes remediation of duplicative cyberthreats (Navarro, ¶48: “… a remediation should be implemented without further analysis may be implemented. … if all vulnerability reports recommend the same remediation for a vulnerability …then the recommended remediation is labeled “high” …”).  
The same motivation which is applied for the rejection of claim 1, with regards to Navarro, applies to claim 14.
Regarding claim 15:
The combination of Perilli, Navarro and Bugenhagen discloses:
The AI filter of claim 10, wherein the AI engine determines that: 
for a first software application, the first output is a false positive (Bugenhagen, ¶29: “… false positives (e.g., incorrect decisions) from the AI engine 105.”); and 
for a second software application, the first output is an actionable cybersecurity threat (Bugenhagen, ¶29: “… the AI engine 105 … may be refined by a … third-party vendor to remove the false positives …”).  
The same motivation which is applied for the rejection of claim 1, with regards to Bugenhagen, applies to claim 15.
Regarding claim 16:
The combination of Perilli, Navarro and Bugenhagen discloses:
The AI filter of claim 10, wherein the set of countermeasures for neutralizing the single cyberthreat is a null set (Bugenhagen, ¶75: “… determining that a determined action is outside of the capabilities of a given system …”), and based on the null set, classifying the first output and the second output as false positives (Bugenhagen, ¶75: “… the AI engine may be configured to automatically detect (e.g., flag) a false positive based on learned historic usage patterns, and the learned capabilities of a given system or device (e.g., determining that a determined action is outside of the capabilities of a given system).”).
The same motivation which is applied for the rejection of claim 1, with regards to Bugenhagen, applies to claim 16.
Regarding claim 17:
In addition to the following limitations, claim 17 substantially recites the same limitations as claim 1 in the form of an Artificial Intelligence (“AI”) system implementing the corresponding method; therefore, it is rejected by the same rationale.
The system comprising: 
an (Perilli, ¶13: “… a cyber-security engine 102 …”) that: 
filters outputs (Perilli, ¶18: “… identify one or more events indicative of a cyber-attack 122.”) generated by the vendor tools (Perilli, ¶18: “… the cyber-security engine 102 can receive and process data from the cyber-security tools 106a-b to identify one or more events indicative of a cyber-attack 122.”) and generates a primary set of commonalities (Perilli, ¶28: “… a port … a network connection … memory (e.g., RAM or a hard disk), … a file.”) shared by the outputs (Perilli, ¶18: “… the cyber-security engine 102 can receive and process data from the cyber-security tools 106a-b to identify one or more events indicative of a cyber-attack 122.”); 
based on the commonalities, links the outputs to a single cyberthreat (Perilli, ¶18: “… the cyber-security engine 102 can determine that the combination of these events may signal a cyber-attack …”); and 
formulates a set of countermeasures for neutralizing the single cyberthreat (Perilli, ¶22: “… the cyber-security engine 102 can determine a coordinated-response strategy to mitigate the cyber-attack 122.”); and 
a dashboard (Perilli, ¶27: “… a display device …”) for graphically displaying: 
a first subset of the commonalities associated with the outputs (Perilli, ¶18: “… cyber-security tool 106a … indicating that bandwidth consumption is unusually high …”); 
a second subset of the commonalities that define the single cyberthreat (Perilli, ¶18: “… cyber-security tool 106b … indicating that an unusual pattern of copying files has been detected.”); and 
links between each of the countermeasures and the primary set of commonalities (Perilli, ¶22: “… mitigation operations …”).  
However, Perilli does not disclose the following limitation taught by Bugenhagen: 
an AI (Bugenhagen, ¶23: “… an AI-engine 105 …”).
The same motivation which is applied for the rejection of claim 1 applies to claim 17.
Regarding claim 18:
The combination of Perilli, Navarro and Bugenhagen discloses:
The AI system of claim 17 wherein the vendor tools are running on a single hardware architecture or a single software system (Perilli, ¶14: “The cyber-security engine 102 can integrate with the cyber-security tools 106a-b through software modules 108a-b.”).  
Regarding claim 19:
The combination of Perilli, Navarro and Bugenhagen discloses:
The AI system of claim 18 wherein the primary set of commonalities identifies components of the single hardware architecture or the single software system that are exposed to the single cyberthreat (Perilli, ¶22: “After detecting a cyber-attack 122, the cyber-security engine 102 can determine a coordinated-response strategy to mitigate the cyber-attack 122. … mitigation operations can include … modifying, deleting, or quarantining problematic software … closing or opening a port … closing or opening a network connection …”).  
Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Perilli, Navarro, Bugenhagen, and further in view of US-PGPUB No. 2020/0209370 A1 to Zhang et al. (hereinafter “Zhang”).
Regarding claim 20:
The combination of Perilli, Navarro and Bugenhagen discloses the AI system of claim 18, but fails to disclose the following limitation taught by Zhang: 
wherein the dashboard assigns a visual marker to the first subset when the first subset includes a threshold intersection with the second subset (Zhang, ¶99: “… visually convey a partial intersection between a first subset of points of the first set of point … data and a second subset of points of the second set of point … data … updating the user interface … wherein the first set of point … data is displayed in a first color and the second set of point … data is displayed in a second color, wherein the first color is different than the second color.”, ¶103: “… the first set of point … data and the second set of point … data are misaligned by less than a threshold …”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of Perilli, Navarro and Bugenhagen to incorporate the functionality of the method to generate a user interface for display wherein the user interface includes a plurality of graphical indicators to display a first subset of points and a second subset of points that are misaligned by less than a threshold, as disclosed by Zhang. Such modification would allow the system to provide the user with an interactive display which presents a graphical representation of the threat remediation recommendations and a list of interactive possible actions the user can take.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
Dunn (US-PGPUB No. 2019/0260786-A1)- disclosed a cyber-threat coordinator-component that uses one or more Artificial Intelligence models that are configured to intelligently work with other third-party defense systems in a customer's network against threats.
Chesla (US-PGPUB No 2020/0322371-A1)- disclosed a method and system for scoring the performance of security products which may belong to the same cyber-solution category or to different categories.
Murphy et al. (US-PGPUB No. 2022/0166801-A1)- disclosed a threat mitigation process that may include an Artificial intelligence process/machine learning process that can be configured to process information that may be scanned to detect security events within a monitored computing platform.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHIAS HABTEGEORGIS whose telephone number is (571)272-1916. The examiner can normally be reached M-F 8am-5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B Patel can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/M.H./Examiner, Art Unit 2491



/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491