Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Status of claims
This office action is in response to application filed 03/10/2022.
Claims 1-20 are pending and rejected; Claims 1, 7 and 13 are independent claims.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 03/10/2022 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting over claims 1-20 of U.S. Patent No. 11,310,245 B2 since the claims, if allowed, would improperly extend the “right to exclude” already granted in the patent.
The subject matter claimed in the instant application is fully disclosed in the patent and is covered by the patent since the patent and the application are claiming common subject matter, as follows: 
US Patent No. 11,310,245 B2, claim 1:
1. A computer-implemented method, comprising: under control of one or more processors: 
receiving, from a computing device operating on a telecommunications network, Indicator of Compromise (IoC) metadata derived from a client interaction at the computing device via the telecommunications network, the client interaction involving at least one of a change to a systems configuration file or a bypass of a communications channel; 
analyzing the IoC metadata to identify data patterns between the IoC metadata and one or more malicious threats; 
identifying at least one malicious threat from the one or more malicious threats, based at least in part on analysis of the IoC metadata; 
retrieving, from a third-party data repository, a data record associated with the at least one malicious threat, the data record including a first point-in-time that the at least one malicious threat was reported active; 
determining, a time-period for which the at least one malicious threat is likely to remain active after the first point-in-time, based at least in part on the data record; 
determining a second point-in-time that corresponds to a likely expiration of the at least one malicious threat based at least in part on the first point-in-time and the time-period; 
performing a mitigation analysis of environmental criteria associated with the computing device using the data record that is maintained until an expiration of the second point-in-time, the environmental criteria comprising measures that protect, mitigate or quarantine an impact of the at least one malicious threat on the computing device; 
determining a vulnerability score that is associated with the at least one malicious threat, wherein the vulnerability score is determined to numerically combine a severity of the at least one malicious threat and mitigating environmental criteria; and 
generating reporting data that includes at least the vulnerability score associated with the IoC metadata.

Instant application, claim 1:
1. A computer-implemented method, comprising: under control of one or more processors: 
receiving, from a computing device operating on a telecommunications network, Indicator of Compromise (IoC) metadata derived from a client interaction at the computing device via the telecommunications network, the client interaction involving at least one of a change to a systems configuration file or a bypass of a communications channel; 
analyzing the IoC metadata to identify data patterns between the IoC metadata and one or more malicious threats; 
identifying at least one malicious threat from the one or more malicious threats, based at least in part on analysis of the IoC metadata; 
retrieving, from a third-party data repository, a data record associated with the at least one malicious threat, the data record including a point-in-time that the at least one malicious threat was reported active; 
performing a mitigation analysis of environmental criteria associated with the computing device using the data record, the environmental criteria comprising measures that protect, mitigate or quarantine an impact of the at least one malicious threat on the computing device; 
determining a vulnerability score that is associated with the at least one malicious threat, wherein the vulnerability score is determined to numerically combine a severity of the at least one malicious threat and mitigating environmental criteria; 
determining a time-period for which the at least one malicious threat is to remain active after the point-in-time, wherein the time-period remains undefined for the at least one malicious threat that is difficult to mitigate, quarantine, or protect against; and 
generating reporting data that includes at least the vulnerability score associated with the IoC metadata.
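The claimed pipeline as an added worked example (not the patent's, the applicant's, or the examiner's code): IoC metadata is matched against threat records, the vulnerability score numerically combines severity with mitigating environmental criteria, and the second point-in-time is the first point-in-time plus the time-period, with an undefined time-period carrying no expiration as in claim 2. The repository contents, indicators, dates and the 30%-per-measure mitigation weight are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class ThreatRecord:
    """Data record for one malicious threat as retrieved from a threat-intel repository.

    Every value placed in REPOSITORY below is constructed for this example.
    """
    name: str
    iocs: frozenset[str]            # file hashes, domain names, IP addresses
    severity: float                 # 0.0 (benign) .. 10.0 (critical)
    reported_active: date           # first point-in-time the threat was reported active
    active_days: Optional[int]      # time-period it is likely to stay active; None = undefined


@dataclass(frozen=True)
class EnvironmentalCriteria:
    """Measures in place on the monitored device that protect, mitigate or quarantine an impact."""
    blocks_threat_domains: bool     # outbound access to known-bad domains is denied
    os_files_protected: bool        # operating-system / configuration files are write-protected
    no_network_bypass: bool         # the device cannot route around the enterprise network controls

    def mitigation_factor(self) -> float:
        # Assumption for this example: each measure offsets 30% of severity, capped at 90%.
        in_place = sum((self.blocks_threat_domains, self.os_files_protected, self.no_network_bypass))
        return min(0.9, 0.3 * in_place)


def identify_threats(ioc_metadata: set[str], repository: list[ThreatRecord]) -> list[ThreatRecord]:
    """Identify malicious threats whose IoCs overlap the IoC metadata observed at the device."""
    return [t for t in repository if t.iocs & ioc_metadata]


def vulnerability_score(threat: ThreatRecord, env: EnvironmentalCriteria) -> float:
    """Numerically combine threat severity with the mitigating environmental criteria."""
    return round(threat.severity * (1.0 - env.mitigation_factor()), 2)


def expiration_date(threat: ThreatRecord) -> Optional[date]:
    """Second point-in-time = first point-in-time + time-period; None when the period is undefined."""
    if threat.active_days is None:
        return None
    return threat.reported_active + timedelta(days=threat.active_days)


def build_report(ioc_metadata: set[str], repository: list[ThreatRecord],
                 env: EnvironmentalCriteria, as_of: date) -> list[dict]:
    """Generate reporting data: one entry per identified threat whose record is still maintained."""
    report = []
    for threat in identify_threats(ioc_metadata, repository):
        expires = expiration_date(threat)
        # The data record is maintained until its expiration; an undefined time-period never expires.
        if expires is not None and as_of > expires:
            continue
        report.append({
            "threat": threat.name,
            "matched_iocs": sorted(threat.iocs & ioc_metadata),
            "vulnerability_score": vulnerability_score(threat, env),
            "reported_active": threat.reported_active.isoformat(),
            "expires": expires.isoformat() if expires else None,
        })
    return sorted(report, key=lambda r: r["vulnerability_score"], reverse=True)


# Constructed threat-intel repository (names, indicators and dates are placeholders).
REPOSITORY = [
    ThreatRecord("Stealer-A (constructed)", frozenset({"c2.bad.example", "198.51.100.7"}),
                 severity=8.0, reported_active=date(2022, 1, 10), active_days=90),
    ThreatRecord("Worm-B (constructed)", frozenset({"sha256:PLACEHOLDER-0000c0ffee"}),
                 severity=9.5, reported_active=date(2021, 6, 1), active_days=None),
    ThreatRecord("Campaign-C (constructed)", frozenset({"203.0.113.5"}),
                 severity=6.0, reported_active=date(2020, 3, 1), active_days=30),
]

# Constructed IoC metadata derived from a client interaction (a configuration-file change
# whose originating process also contacted these indicators).
OBSERVED_IOCS = {"c2.bad.example", "203.0.113.5", "sha256:PLACEHOLDER-0000c0ffee"}
DEVICE_ENV = EnvironmentalCriteria(blocks_threat_domains=True, os_files_protected=False,
                                   no_network_bypass=True)
AS_OF = date(2022, 3, 10)  # constructed analysis date


def demo_report() -> list[dict]:
    """Run the constructed scenario: Campaign-C has expired, Worm-B never expires."""
    return build_report(OBSERVED_IOCS, REPOSITORY, DEVICE_ENV, AS_OF)


if __name__ == "__main__":
    for entry in demo_report():
        print(entry)
```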


Furthermore, there is no apparent reason why applicant was prevented from presenting claims corresponding to those of the instant application during prosecution of the application which matured into a patent. See In re Schneller, 397 F.2d 350, 158 USPQ 210 (CCPA 1968). See also MPEP § 804.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-6, 9-13, 15, 16 and 18-24 are rejected under 35 U.S.C. 103 as being unpatentable over De Jesus US Pub. No.: 2020/0344248 A1 (hereinafter De) in view of Hovor et al. US Pub. No.: 2016/0065599 A1 (hereinafter Hovor).

De teaches:
As to claim 1, a computer-implemented method, comprising: 
under control of one or more processors (see Fig. 1, processor): 
receiving, from a computing device operating on a telecommunications network, Indicator of Compromise (IoC) metadata derived from a client interaction at the computing device via the telecommunications network (see De ¶60, scoring a cyber-event tree as a cyber-attack tree may be based on one or more of the following parameters: cyber-intelligence [e.g. Indicators of Compromise [IOCs] such as file hashes, domain names, IP addresses etc.), the client interaction involving at least one of a change to a systems configuration file or a bypass of a communications channel (see De ¶50, detected may be events at the node level including at individual end-nodes and/or the network level. Exemplary, non-limiting cyber-events include: changes to the Windows Registry; changes to the Windows File System; changes to the Windows Management Instrumentation (WMI) Repository; changes to the process space; changes to network connection; and network traffic); 
analyzing the IoC metadata to identify data patterns between the IoC metadata and one or more malicious threats (see De ¶57, provided as an illustrative example only of an analysis which may occur upon receipt of an email: An email is received and the email's source and destination, along with its header metadata, are analyzed and scored); 
identifying at least one malicious threat from the one or more malicious threats, based at least in part on analysis of the IoC metadata (see De ¶57, provided as an illustrative example only of an analysis which may occur upon receipt of an email: An email is received and the email's source and destination, along with its header metadata, are analyzed and scored); 
performing a mitigation analysis of environmental criteria associated with the computing device using the data record, the environmental criteria comprising measures that protect, mitigate or quarantine an impact of the at least one malicious threat on the computing device (see De ¶48, cyber defense operator perform investigative or mitigative response activities; ¶66, an automated active response that utilizes pre-authorized client approved measures to mitigate possible on-going cyber-attacks is triggered by context specific conditions); 
determining a vulnerability score that is associated with the at least one malicious threat (see De ¶60, statistical models including but not limited to machine learning (ML) algorithms are utilized to score likelihood that an cyber-event tree is normal or anomalous through direct scoring); and, 
De does not explicitly teach but the related art Hovor teaches:
retrieving, from a third-party data repository, a data record associated with the at least one malicious threat, the data record including a point-in-time that the at least one malicious threat was reported active (see Hovor ¶48, the third parties 100a-b may analyze the data in the data constructs 106a-b, e.g., to determine historical perspectives, trends, or both); 
wherein the vulnerability score is determined to numerically combine a severity of the at least one malicious threat and mitigating environmental criteria (see Hovor Tables 2-4, and ¶¶129-136, the parser determines that a first similarity score for a particular sentence, e.g., "The vulnerabilities described in this advisory affect Application A versions 0.9.6j and 0.9.6k," and a particular pattern, e.g., "mitigation strategies," is low, e.g., zero, and a second similarity score for another pattern, e.g., " vulnerabilities described advisory affect versions" is high, e.g., one); 
determining a time-period for which the at least one malicious threat is to remain active after the point-in-time, wherein the time-period remains undefined for the at least one malicious threat that is difficult to mitigate, quarantine, or protect against (see Hovor ¶105, for each threat actor included in the threat actors graph 402, the threat actors details 404 may include the number of attacks performed by that actor, e.g., during the predetermined period of time or at any time, an attack percentage for the respective actor, e.g., a ratio of the quantity of attacks associated with the respective actor to; and 
generating reporting data that includes at least the vulnerability score associated with the IoC metadata (see Hovor ¶33, patterns of the observable conditions may be mapped to related TTP context information, include relevant metadata about confidence in the indicator's assertion, handling restrictions, valid time windows, likely impact, sightings of the information indicator, structured test mechanisms for detection, related campaigns, or suggested COA, or both related TTP context information and relevant metadata). 
Therefore, it would have been obvious to one with ordinary skill in the art before the effective filing date of the invention, to modify the methods and systems for monitoring cyber events by De to include the unstructured security threat information analysis, as taught by Hovor, in order to generate a report including the vulnerability score associated with the IoC metadata. One of ordinary skill in the art would have been motivated to generate a report with at least the vulnerability score associated with IoC metadata in order to enhance security and usability.

As to claim 2, the combination of De and Hovor teaches the computer-implemented method of claim 1, wherein an undefined time-period has no expiration date relative to the point-in-time (see De ¶51, monitoring is real-time monitoring. In specific embodiments, all cyber-events, including all user actions are monitored).

As to claim 3, the combination of De and Hovor teaches the computer-implemented method of claim 1, further comprising: 
retrieving, from a data repository, at least one of a first set of malicious threats that were historically identified within the telecommunications network, or a second set of malicious threats that were historically identified by third-party threat intelligence entities (see Hovor ¶48, the third parties 100a-b may analyze the data in the data constructs 106a-b, e.g., to determine historical perspectives, trends, or both); 
generating an IoC monitoring list that includes IoCs that correspond to at least one of the first set of malicious threats or the second set of malicious threats (see Hovor ¶53, web crawler to scan documents referenced by specified uniform resource identifiers (URIs), e.g., for one or more of the unstructured data sources 204); and 
monitoring the computing device on the telecommunications network to identify instances of the IoCs associated with the IoC monitoring list, and wherein, receiving, from the computing device, the IoC metadata is based at least in part on monitoring the computing device on the telecommunications network (see Hovor, determine which intelligence types 224 are associated with the unstructured data or a subset of the unstructured data. Some examples of the intelligence types 224 include observables, indicators of compromise (IOC)). 

As to claim 4, the combination of De and Hovor teaches the computer-implemented method of claim 1, further comprising: 
monitoring the computing device on the telecommunications network on a continuous basis, per a predetermined schedule, or in response to a triggering event, the triggering event corresponding to message indicating that an instance of a malicious threat has been identified within one of the telecommunications network or an alternate, third-party communications network, and wherein, receiving the IoC metadata occurs in response to monitoring of the computing device on the telecommunications network (see Hovor Fig. 3 and ¶104, for all known threat actors during the particular period of time. The quantity of threat actors may include only unique instances of threat actors or may include multiple instances of the same threat actor). 

As to claim 5, the combination of De and Hovor teaches the computer-implemented method, further comprising: 
generating a similarity score for the IoC metadata by identifying data patterns between the IoC metadata and individual ones of the one or more malicious threats, and wherein, identifying the at least one malicious threat is based at least in part on the similarity score for the at least one malicious threat being greater than or equal to a predetermined similarity threshold (see De ¶57, provided as an illustrative example only of an analysis which may occur upon receipt of an email: An email is received and the email's source and destination, along with its header metadata, are analyzed and scored; ¶60, statistical models including but not limited to machine learning (ML) algorithms are utilized to score likelihood that an cyber-event tree is normal or anomalous through direct scoring). 

As to claim 6, the combination of De and Hovor teaches the computer-implemented method, further comprising: 
retrieving, from a data repository, a response protocol associated with the at least one malicious threat, the response protocol including at least one action that prevents or mitigates an impact of the at least one malicious threat (see Hovor ¶47, action from the system and update rules for an intrusion prevention system using the received courses of action); and 
generating a response data packet for transmission to the computing device, the response data packet including computer-executable instructions that dynamically execute the response protocol on the computing device (see Hovor ¶100, the particular third party system may automatically perform one or more actions in response to receipt of the requested course of action).

As to claim 18, the combination of De and Hovor teaches the computer-implemented method of claim 1, wherein analyzing the IoC metadata further comprises: 
analyzing the IoC metadata relative to non-active historical malicious threats within a historical- threat data repository; calculating a similarity between the IoC metadata and a non-active historical malicious threat (see De ¶57, provided as an illustrative example only of an analysis which may occur upon receipt of an email: An email is received and the email's source and destination, along with its header metadata, are analyzed and scored; ¶60, statistical models including but not limited to machine learning (ML) algorithms are utilized to score likelihood that an cyber-event tree is normal or anomalous through direct scoring); and 
determining that the at least one malicious threat corresponds to a derivative of the non-active historical malicious threat, based at least in part on the similarity (see De ¶60, scoring a cyber-event tree as a cyber-attack tree may be based on one or more of the following parameters: cyber-intelligence [e.g. Indicators of Compromise [IOCs] such as file hashes, domain names, IP addresses etc.).

As to claim 19, the combination of De and Hovor teaches the computer-implemented method of claim 1, further comprising: 
performing a threat analysis to determine that the at least one malicious threat is to infiltrate the computing device via service configuration files (see De ¶50, changes to the Windows Registry; changes to the Windows File System; changes to the Windows Management Instrumentation (WMI) Repository; changes to the process space; changes to network connection; and network traffic); and 
generating a response protocol to prevent the at least one malicious threat from infiltrating the computing device, the response protocol including preventing client access to the service configuration files, and wherein, the reporting data further includes the response protocol (see Hovor ¶47, action from the system and update rules for an intrusion prevention system using the received courses of action).
De teaches:
As to claim 7, one or more non-transitory computer-readable media collectively storing computer-executable instructions that, when executed with one or more processors, collectively cause computers to perform acts comprising: 
monitoring, a client interaction of a computing device operating within an enterprise network, the client interaction involving at least one of a change to a systems configuration file or a bypass of a communications channel (see De ¶50, detected may be events at the node level including at individual end-nodes and/or the network level. Exemplary, non-limiting cyber-events include: changes to the Windows Registry; changes to the Windows File System; changes to the Windows Management Instrumentation (WMI) Repository; changes to the process space; changes to network connection; and network traffic); 
retrieving, from the computing device, Indicator of Compromise (IoC) metadata derived from the client interaction of the computing device on the enterprise network (see De ¶60, scoring a cyber-event tree as a cyber-attack tree may be based on one or more of the following parameters: cyber-intelligence [e.g. Indicators of Compromise [IOCs] such as file hashes, domain names, IP addresses etc.); 
analyzing the IoC metadata relative to data records of one or more malicious threats (see De ¶57, email is received and the email's source and destination, along with its header metadata, are analyzed and scored); 
identifying at least one malicious threat from the one or more malicious threats, based at least in part on analysis of the IoC metadata (see De ¶57, email is received and the email's source and destination, along with its header metadata, are analyzed and scored); 
perform a mitigation analysis of environmental criteria associated with the computing device, the environmental criteria including access restrictions of the computing device to the enterprise network (see De ¶48, cyber defense operator perform investigative or mitigative response activities; ¶66, an automated active response that utilizes pre-authorized client approved measures to mitigate possible on-going cyber-attacks is triggered by context specific conditions); 
De does not explicitly teach but the related art Hovor teaches:
retrieving a data record associated with the at least one malicious threat, the data record including a point-in-time that the at least one malicious threat was reported active (see Hovor ¶33, patterns of the observable conditions may be mapped to related TTP context information, include relevant metadata about confidence in the indicator's assertion, handling restrictions, valid time windows, likely impact, sightings of the information indicator, structured test mechanisms for detection, related campaigns, or suggested COA, or both related TTP context information and relevant metadata); 
generating a similarity score for the IoC metadata, based at least in part on analysis of the IoC metadata (see Hovor Tables 2-4, and ¶¶129-136, the parser determines that a first similarity score for a particular sentence, e.g., "The vulnerabilities described in this advisory affect Application A versions 0.9.6j and 0.9.6k," and a particular pattern, e.g., "mitigation strategies," is low, e.g., zero, and a second similarity score for another pattern, e.g., " vulnerabilities described advisory affect versions" is high, e.g., one); 
determining a vulnerability score for the at least one malicious threat, based at least in part on the similarity score and the mitigation analysis (see Hovor Tables 2-4, and ¶¶129-136, the parser determines that a first similarity score for a particular sentence, e.g., "The vulnerabilities described in this advisory affect Application A versions 0.9.6j and 0.9.6k,"); 
determining a time-period for which the at least one malicious threat is to remain active after the point-in-time, wherein the time-period remains undefined for the at least one malicious threat that is difficult to mitigate, quarantine, or protect against (see Hovor ¶105, for each threat actor included in the threat actors graph 402, the threat actors details 404 may include the number of attacks performed by that actor, e.g., during the predetermined period of time or at any time, an attack percentage for the respective actor, e.g., a ratio of the quantity of attacks associated with the respective actor to); and 
generating reporting data that includes at least the vulnerability score for the malicious threat (see Hovor ¶33, patterns of the observable conditions may be mapped to related TTP context information, include relevant metadata about confidence in the indicator's assertion, handling restrictions, valid time windows, likely impact, sightings of the information indicator, structured test mechanisms for detection, related campaigns, or suggested COA, or both related TTP context information and relevant metadata).
Therefore, it would have been obvious to one with ordinary skill in the art before the effective filing date of the invention, to modify the methods and systems for monitoring cyber events by De to include the unstructured security threat information analysis, as taught by Hovor, in order to generate a report including the vulnerability score associated with the IoC metadata. One of ordinary skill in the art would have been motivated to generate a report with at least the vulnerability score associated with IoC metadata in order to enhance security and usability.
As to claim 8, the combination of De and Hovor teaches the one or more non-transitory computer-readable media of claim 7, wherein the acts further comprise: 
retrieving, from a third-party data repository, a data-set of one or more malicious threats, based at least in part on the IoC metadata (see De ¶57, provided as an illustrative example only of an analysis which may occur upon receipt of an email: An email is received and the email's source and destination, along with its header metadata, are analyzed and scored); 
determining an additional similarity score for the IoC metadata relative to individual ones of the one or more malicious threats, based at least in part on the IoC metadata (see De ¶57, provided as an illustrative example only of an analysis which may occur upon receipt of an email: An email is received and the email's source and destination, along with its header metadata, are analyzed and scored); 
identifying at least one malicious threat of the one or more malicious threats, based at least in part on the additional similarity score being greater than a predetermined similarity threshold (see Hovor ¶¶33, 48, the third parties 100a-b may analyze the data in the data constructs 106a-b, e.g., to determine historical perspectives, trends, or both); and 
generating an additional vulnerability score for the at least one malicious threat, based at least in part on the environmental criteria associated with the enterprise network, and wherein, generating the reporting data further includes the additional vulnerability score for the at least one malicious threat, based at least in part on the additional vulnerability score being greater than a predetermined vulnerability threshold (see Hovor ¶33, patterns of the observable conditions may be mapped to related TTP context information, include relevant metadata about confidence in the indicator's assertion, handling restrictions, valid time windows, likely impact, sightings of the information indicator, structured test mechanisms for detection, related campaigns, or suggested COA, or both related TTP context information and relevant metadata).

As to claim 9, the combination of De and Hovor teaches the one or more non-transitory computer-readable media of claim 8, wherein the acts further comprise: 
determining an expiration date of the at least one malicious threat, based at least in part on the point-in-time that the at least one malicious threat was reported active and a time-interval associated with a probable lifecycle of the at least one malicious threat (see Hovor ¶105, the quantity of attacks that have been carried out by all other threat actors, and the number of threat campaigns performed by the respective threat actor, e.g., during the predetermined period of time or at any time); and 
adjusting, within an active-threat data repository, data record for the at least one malicious threat to include the expiration date, wherein the active-threat data repository is configured to store the data record for the at least one malicious threat until the expiration date (see De ¶51, level of monitoring may evolve or be adjusted. For example, when a network is actively under attack the level of monitoring may be increased).

As to claim 10, the combination of De and Hovor teaches  the one or more non-transitory computer-readable media of claim 7, 
wherein the environmental criteria associated with the enterprise network include at least one of a computing device access to a particular domain associated with the one or more malicious threats, computing device access to operating system files within the enterprise network, or computing device capability to bypass a communications network within the enterprise network (see De ¶60, statistical models including but not limited to machine learning (ML) algorithms are utilized to score likelihood that a cyber-event tree is normal or anomalous through direct scoring, disclosing the limitation “determining a vulnerability score that is associated with the at least one malicious threat”).

As to claim 11, the combination of De and Hovor teaches the one or more non-transitory computer-readable media of claim 7, 
wherein the acts further comprise: determining that the vulnerability score associated with the at least one malicious threat is less than a predetermined vulnerability threshold (see De ¶60, statistical models including but not limited to machine learning (ML) algorithms are utilized to score likelihood that a cyber-event tree is normal or anomalous through direct scoring, disclosing the limitation “determining a vulnerability score that is associated with the at least one malicious threat”); and 
generating a message to an operator of the enterprise network identifying the at least one malicious threat and a corresponding expiration date, and wherein, the reporting data further includes the message (see De ¶48, cyber defense operator perform investigative or mitigative response activities; ¶66, an automated active response that utilizes pre-authorized client approved measures to mitigate possible on-going cyber-attacks is triggered by context specific conditions).

As to claim 12, the combination of De and Hovor teaches the one or more non-transitory computer-readable media of claim 7, wherein the acts further comprise: 
retrieving, from a third-party data repository, information associated with at least one malicious threat, the information relating to a tangible impact of at least one malicious threat on the computing device and an availability of one or more actions to prevent or mitigate an impact of the at least one malicious threat on the computing device, and wherein, the vulnerability score for the at least one malicious threat is based at least in part on the information (see Hovor ¶33, context information, include relevant metadata about confidence in the indicator's assertion, handling restrictions, valid time windows; ¶121, send data constructs to the third party, e.g., and determine the data constructs that have been created or updated since the last time data constructs were sent to the particular third party).
De teaches: 
As to claim 13, teaches a system comprising: 
one or more processors (see De Fig. Fig. 1, computer network [i.e. including processor]); 
memory coupled to the one or more processors (see De Fig. Fig. 1, computer network [i.e. including a memory]), the memory including one or more modules that are executable by the one or more processors to: 
monitor a client interaction, on a computing device operating with an enterprise network, for Indicator of Compromise (IoC) metadata based at least in part on an IoC monitoring list, the client interaction involving at least one of a change to a systems configuration file or a bypass of a communications channel (see De ¶50, detected events may be at the node level, including at individual end-nodes, and/or the network level. Exemplary, non-limiting cyber-events include: changes to the Windows Registry; changes to the Windows File System; changes to the Windows Management Instrumentation (WMI) Repository; changes to the process space; changes to network connection; and network traffic); 
analyze the IoC metadata relative to data records of one or more malicious threats (see De ¶57, provided as an illustrative example only of an analysis which may occur upon receipt of an email: An email is received and the email's source and destination, along with its header metadata, are analyzed and scored); 
identify at least one malicious threat of the one or more malicious threats, based at least on the IoC metadata (see De ¶57, provided as an illustrative example only of an analysis which may occur upon receipt of an email: An email is received and the email's source and destination, along with its header metadata, are analyzed and scored); 
retrieve, from a data repository, a data record associated with the at least one malicious threat, the data record including first point-in-time that the at least one malicious threat was reported active (see De ¶9, determination that a communication is "suspicious" is most often based on cyber threat intelligence, typically provided by third party); 
perform a mitigation analysis of environmental criteria associated with the computing device using the data record, the environmental criteria including access restrictions of the computing device to the enterprise network (see De ¶48, cyber defense operator perform investigative or mitigative response activities; ¶66, an automated active response that utilizes pre-authorized client approved measures to mitigate possible on-going cyber-attacks is triggered by context specific conditions); 
De does not explicitly teach but the related art Hovor teaches:
determine a vulnerability score for the at least one malicious threat that numerically combines a severity of the malicious threat with mitigating environmental criteria, based at least in part on the mitigation analysis (see Hovor Tables 2-4, and ¶¶129-136, the parser determines that a first similarity score for a particular sentence, e.g., "The vulnerabilities described in this advisory affect Application A versions 0.9.6j and 0.9.6k," and a particular pattern, e.g., "mitigation strategies," is low, e.g., zero, and a second similarity score for another pattern, e.g., "vulnerabilities described advisory affect versions" is high, e.g., one); 
determine a time-period for which the at least one malicious threat is to remain active after the point-in-time, wherein the time-period remains undefined for the at least one malicious threat that is difficult to mitigate, quarantine, or protect against (see Hovor ¶105, for each threat actor included in the threat actors graph 402, the threat actors details 404 may include the number of attacks performed by that actor, e.g., during the predetermined period of time or at any time, an attack percentage for the respective actor, e.g., a ratio of the quantity of attacks associated with the respective actor to); and 
generate reporting data that includes at least the vulnerability score for the at least one malicious threat (see Hovor ¶33, patterns of the observable conditions may be mapped to related TTP context information, include relevant metadata about confidence in the indicator's assertion, handling restrictions, valid time windows, likely impact, sightings of the information indicator, structured test mechanisms for detection, related campaigns, or suggested COA, or both related TTP context information and relevant metadata).

Therefore, it would have been obvious to one with ordinary skill in the art before the effective filing date of the invention, to modify the methods and systems for monitoring cyber events by De to include the unstructured security threat information analysis, as taught by Hovor, in order to generate a report including the vulnerability score associated with the IoC metadata. One of ordinary skill in the art would have been motivated to generate a report with at least the vulnerability score associated with IoC metadata in order to enhance security and usability.
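The limitations of claims 11 and 13 mapped above describe one pipeline: match observed metadata against an IoC monitoring list, look up the matching threat records (first point-in-time reported active, and a time-period that may be left undefined), weigh the device's mitigating environmental criteria, combine that with severity into a numeric vulnerability score, and emit reporting data with an operator message and expiration date when the score falls below a threshold. The following Python is an added illustration of that sequence written for this discussion; it is not code from the application, from De, or from Hovor. Every indicator value, weight, threat record and threshold in it is constructed for the example, and the scoring formula (severity × confidence × (1 − mitigation factor)) is one hypothetical way of "numerically combining" severity with mitigating criteria, not the one claimed.

```python
"""Illustrative IoC-matching and vulnerability-scoring pipeline (constructed example).

All indicators, weights, records and the scoring formula are hypothetical and
are not taken from the application or from the De or Hovor references.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

Indicators = Dict[str, Set[str]]

# Constructed IoC monitoring list keyed by indicator type (documentation-range values only).
IOC_MONITORING_LIST: Indicators = {
    "domain": {"updates.bad-cdn.example"},
    "ip": {"203.0.113.45"},                      # RFC 5737 documentation address
    "file_hash": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    "registry_key": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater"},
}


@dataclass(frozen=True)
class ThreatRecord:
    """Data record for one malicious threat in a hypothetical repository."""
    name: str
    severity: float                   # 0..10, analyst-assigned
    first_reported: datetime          # point in time the threat was reported active
    active_for: Optional[timedelta]   # None = time-period left undefined (hard to mitigate)
    indicators: Indicators


@dataclass(frozen=True)
class Environment:
    """Environmental criteria of the monitored computing device."""
    network_access_restricted: bool   # device's access to the enterprise network is limited
    local_admin_disabled: bool
    vulnerable_software_patched: bool


# Weight each mitigating criterion contributes; the weights sum to 1.0 so the factor is in [0, 1].
MITIGATION_WEIGHTS = {
    "network_access_restricted": 0.4,
    "local_admin_disabled": 0.3,
    "vulnerable_software_patched": 0.3,
}

# Constructed threat records; the second deliberately has no defined active period.
CONSTRUCTED_RECORDS: List[ThreatRecord] = [
    ThreatRecord("Constructed.Loader", 8.0, datetime(2022, 1, 15, tzinfo=timezone.utc),
                 timedelta(days=90),
                 {"domain": {"updates.bad-cdn.example"}, "ip": {"203.0.113.45"}}),
    ThreatRecord("Constructed.Persistence", 6.0, datetime(2021, 11, 1, tzinfo=timezone.utc),
                 None,
                 {"registry_key": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater"}}),
]


def match_iocs(observed: Indicators, watchlist: Indicators = IOC_MONITORING_LIST) -> Indicators:
    """Return only the observed metadata that appears on the monitoring list, by type."""
    hits = {kind: observed.get(kind, set()) & values for kind, values in watchlist.items()}
    return {kind: vals for kind, vals in hits.items() if vals}


def identify_threats(matched: Indicators, records=CONSTRUCTED_RECORDS) -> List[ThreatRecord]:
    """Threat records that share at least one matched indicator."""
    return [r for r in records
            if any(matched.get(kind, set()) & vals for kind, vals in r.indicators.items())]


def mitigation_factor(env: Environment) -> float:
    """Fraction of severity offset by the criteria that are in place on the device."""
    return sum(w for crit, w in MITIGATION_WEIGHTS.items() if getattr(env, crit))


def vulnerability_score(threat: ThreatRecord, env: Environment, confidence: float) -> float:
    """Severity numerically combined with mitigating criteria and detection confidence."""
    if not 0.0 <= confidence <= 1.0:
        raise ValueError("confidence must be in [0, 1]")
    return round(threat.severity * confidence * (1.0 - mitigation_factor(env)), 2)


def expiration_date(threat: ThreatRecord) -> Optional[datetime]:
    """First reported point-in-time plus the active period; None when the period is undefined."""
    return None if threat.active_for is None else threat.first_reported + threat.active_for


def generate_report(observed: Indicators, env: Environment, confidence: float,
                    threshold: float, now: datetime) -> dict:
    """Reporting data: a score per identified threat, plus an operator message below threshold."""
    matched = match_iocs(observed)
    entries = []
    for t in identify_threats(matched):
        score = vulnerability_score(t, env, confidence)
        expires = expiration_date(t)
        entry = {"threat": t.name, "score": score, "expires": expires,
                 "still_active": expires is None or expires > now, "message": None}
        if score < threshold:
            until = expires.date().isoformat() if expires else "undefined"
            entry["message"] = (f"{t.name}: score {score} is below threshold {threshold}; "
                                f"threat expected to remain active until {until}")
        entries.append(entry)
    return {"matched_iocs": matched, "threats": entries}
```

An undefined period is kept as `None` rather than replaced with a guessed date, so a threat with no reliable end date is always reported as still active; the operator message prints "undefined" for it instead of a fabricated expiration.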

As to claim 14, the combination of De and Hovor teaches the system of claim 13, wherein the IoC metadata includes a domain name, an Internet Protocol (IP) address, email addresses, an indication of a service configuration change, an indication of a data file being deleted, registry keys, file hashes, or Hyper Text Transfer Protocol (HTTP) user agents (see De ¶60, scoring a cyber-event tree as a cyber-attack tree may be based on one or more of the following parameters: cyber-intelligence [e.g. Indicators of Compromise [IOCs] such as file hashes, domain names, IP addresses etc.]).
As to claim 15, the combination of De and Hovor teaches the system of claim 13, wherein the one or more modules are further executable by the one or more processors to: 
retrieve, from the data repository, a response protocol to prevent or mitigate an effect of the at least one malicious threat, the response protocol to include quarantining data files associated with the IoC metadata, and wherein the reporting data further includes computer executable instructions that automatically execute the response protocol on the computing device (see Hovor ¶100, the particular third party system may automatically perform one or more actions in response to receipt of the requested course of action).

As to claim 16, the combination of De and Hovor teaches the system of claim 13, wherein the one or more modules are further executable by the one or more processors to: 
determine a tangible impact of the at least one malicious threat, based at least in part on information associated with the at least one malicious threat, the tangible impact including an indication of an estimated loss of data, an estimated loss of access controls, or an estimated rate of disseminating the at least one malicious threat from the computing device to other computing devices within the enterprise network (see De ¶34, modification local user account access right); and 
identify one or more actions to prevent or mitigate the tangible impact of the at least one malicious threat, and wherein, the vulnerability score is based at least in part on the tangible impact and identification of the one or more actions (see De ¶57, provided as an illustrative example only of an analysis which may occur upon receipt of an email: An email is received and the email's source and destination, along with its header metadata, are analyzed and scored).

As to claim 17, the combination of De and Hovor teaches the system of claim 13, wherein the one or more modules are further executable by the one or more processors to: 
determine a degree of confidence associated with a reliability of an analysis to identify the at least one malicious threat, and wherein, the vulnerability score is further based at least in part on the degree of confidence (see Hovor ¶89, determines whether a particular data construct relates to a malware signature; ¶75, confidence score may represent a probability that the data in the data construct is accurate or a probability that the data in the data construct is from a reputable source, e.g., as determined by the analysis system 202).

As to claim 20, the combination of De and Hovor teaches the system of claim 15, wherein the response protocol further includes computer-executable instructions to prevent client access to service configuration files associated with the computing device (see De ¶34, modification local user account access right).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NEGA WOLDEMARIAM whose telephone number is (571)270-7478. The examiner can normally be reached Monday to Friday, 8am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu, can be reached on 571-272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/NEGA WOLDEMARIAM/ Examiner, Art Unit 2433

/BRANDON HOFFMAN/ Primary Examiner, Art Unit 2433