Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of Claims
2.	This Office Action is issued in response to the claims filed on 07/07/2022.
Claims 1-23 are pending in this Office Action.

Priority
3.	Acknowledgement is made of applicant’s priority benefit claim of continuation of U.S. Patent Application No. 16/909,627, filed on June 23, 2020, which is a continuation of U.S. Patent Application No. 15/811,385, filed on November 13, 2017, now U.S. Patent No. 10,701,089, which is a continuation of U.S. Patent Application No. 15/699,765, filed on September 8, 2017, which claims the benefit of U.S. Provisional Application No. 62/466,279 filed on March 2, 2017.

Information Disclosure Statement
4.	The information disclosure statement (IDS) dated 07/07/2022 has been considered by the Examiner.

Claim Objections
5.	Claims 4, 8, and 10 are objected to because they lack proper antecedent bases.
	Claim 4, line 2, recites “...to invoke the analytics rules…to invoke the machine learning models…” which lacks proper antecedent basis and should be “...to invoke [[the]] analytics rules… to invoke the [[machine]] learning models…”
	Claim 8, line 1, recites “...to invoke the analytics rules…” which lacks proper antecedent basis and should be “...to invoke [[the]] analytics rules…”
	Claim 10, lines 2-3, recites “… the alerting system…” which lacks proper antecedent basis.  Since claim 10 depends from claim 1, which recites an alerting engine, the Examiner presumes the limitation in claim 10 to read “… the alerting [[system]] engine…”
Appropriate corrections for these claim objections are required.

Claim Rejections - 35 USC § 101
6.	35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

7.	Claims 1-20 are rejected under 35 U.S.C. 101 because the claims do not fall within at least one of the four categories of patent eligible subject matter.
	Claim 1 recites a system with engines, which can be interpreted as software per se because neither the claim nor the specification explicitly discloses that the system requires hardware or defines these engines as hardware. Therefore, claim 1 is rejected under 35 USC 101.
	Claims 2-20 depend from claim 1 and they do not limit independent claim 1 or themselves to one of the four categories of statutory subject matter; therefore, they are also rejected under 35 USC 101.

Claim Rejections - 35 USC § 103
8.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

9.	Claims 1-5, 7-11, and 13-15 are rejected under 35 U.S.C. 103 as being unpatentable over Garman et al. (US 2018/0077187), hereinafter “Garman” and in view of Valencia et al. (US 2016/0253498), hereinafter “Valencia”.
Regarding claim 1, Garman discloses a cyber security threat detection system for one or more endpoints within a computing environment (paragraphs [0002], [0031] and [0097-98]: cybersecurity incident detection computing system with plurality of servers and clients), the system comprising: 
a [plurality] of collector engine[s] (Fig. 1 with associated text and paragraph [0064]: activity monitoring module 140-collector engine- observes, filters and stores observed activity on a computer system in the observed activity databases 120), [each of the collector engines previously installed on an endpoint of a plurality of endpoints] and configured to acquire statistical information at the endpoint, wherein the statistical information includes behavioral information and resource information associated with the endpoint (paragraphs [0034-39], [0048], and [0067-68]: monitor activities include user’s activities- behavioral information- and resource activities); 
an aggregator engine configured to aggregate the statistical information [from each of the endpoints] into aggregated information (paragraph [0064]: activity monitoring module 140 observes, filters and stores observed activity on a computer system in the observed activity databases 120.  Note: the monitoring module 140 could also be considered as aggregator engine for filtering-aggregating- observed information to store in the observed activity databases 120); 
an analytics engine configured to receive the aggregated information (Fig. 1 with associated text and paragraph [0064]: activity monitoring module 140-collector engine- observes, filters and stores observed activity on a computer system in the observed activity databases 120.  Fig. 1 with associated text: Incident detection module 160- analytics engine.  Paragraph [0063]: incident detection module determines whether an observed activity is suspicious. Note: The activity monitoring module collects observed activity and the incident detection module uses the observed activity. The incident detection module must therefore receive the observed activity information), and to invoke learning models to output deviation information for each of the endpoints based on the aggregated information and expected fingerprints associated with the endpoints (Paragraph [0078]: comparing monitored activity with expected activities using arithmetic or percentage difference.  Paragraph [0080]: detecting differences between actual and expected patterns of activity- expected fingerprints- using baseline activity data.  Fig. 2, step 230 and Fig. 3 step 330 with associated text: data is added to a behavioral baseline database to update expected patterns of activity which is used for comparison.  The process of updating the behavioral database and using it for comparison to produce a result (which could be a deviation) is considered as invoking learning models); and 
an alerting engine configured to issue one or more alerts indicating one or more security threats have occurred for each of the endpoints in response to the deviation information for the endpoint (paragraphs [0075] and [0083]: incident detection engine issues security alert as needed.  Note: the incident detection engine also acts as an alerting engine).
Garman discloses multiple modules performing different tasks (Fig. 1 with associated text), but Garman does not explicitly disclose a separate aggregator engine or a separate alerting engine.  However, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have different modules or engines performing specific functions of choice, the motivation being to make the system easier to manage and repair, which is an advantage of an integrated system.
Garman discloses the activity monitoring module observes and collects information for the computing system, which includes clients and servers, as presented above. Garman does not explicitly disclose, but Valencia does disclose, a plurality of collector engines, each of the collector engines previously installed on an endpoint of a plurality of endpoints (Fig. 2 with associated text: behavior observer module and behavior extractor module are implemented for each mobile computing device).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Garman’s teaching of cyber security threat detection system with Valencia’s teaching of a plurality of collector engines and each of the collector engines previously installed on an endpoint of a plurality of endpoints.  The motivation to do so would be to efficiently monitor a device behavior for determining a severity of risk posed by the device behavior as taught by Valencia (paragraph [0004]).
Regarding claim 2, Garman and Valencia disclose the system of claim 1, wherein: the analytics engine is further configured to generate a cumulative risk level based on the deviation information (a. Garman, Fig. 2, steps 220- 230 and Fig. 3 step 330 with associated text: expected patterns of activity are updated in behavioral baseline database and the updated behavioral baseline database is used in determining whether the newly observed activity is expected.  b. Valencia, paragraphs [0058]-[0059]: cumulative and multiple labels of different observed activities with different threat values.  The combination of Garman and Valencia’s teachings would have the predictable and obvious result of a cumulative risk based on the deviation information), and the alerting engine is configured to issue the alerts in response to the cumulative risk level (c. Garman, paragraphs [0075] and [0083]: incident detection engine issues security alert as needed.  Note: the security alert results from comparing observed activity to expected patterns of activity from the cumulative behavioral baseline database.  The combination of (a), (b), and (c) would have the predictable and obvious result of issuing an alert in response to the cumulative risk level).
Regarding claim 3, Garman and Valencia disclose the system of claim 1, wherein: the behavioral information includes activity events associated with the endpoint (Garman, paragraphs [0034] and [0068]: pattern of activities includes the rate at which a particular operation or type of operation is performed, the frequency with which a user performs a particular type of activity, and the frequency of a particular occurrence involving the user), and the resource information includes central processing unit (CPU) utilization (Valencia, paragraph [0074]: observing a software application’s execution in a processing core of the mobile computing device- CPU utilization), memory footprint, disk free space (Valencia, paragraph [0075]: monitoring memory management), and network throughput of the endpoint (Valencia, paragraph [0079]: monitoring network traffic that has been transmitted from or generated by the computing device).
Regarding claim 4, Garman and Valencia disclose the system of claim 1, wherein the analytics engine comprises: a behavioral analytics engine configured to invoke the analytics rules to output some information of the deviation information, and a metric analytics engine configured to invoke the machine learning models to output other information of the deviation information (Garman, paragraphs [0067-68]: behavioral baseline database with standards, rules and exceptions is used to determine whether an activity is expected.  Paragraphs [0073] and [0084]: updating expected patterns of activity creates learning data which is used in future determination of expected patterns of activity. Paragraph [0078]: deviation information is determined from the difference between monitored activity and expected activity, which is from the baseline database.  Note: Garman does not explicitly disclose a separate behavioral analytics engine or a metric analytics engine.  However, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have different modules or engines performing specific functions of choice, the motivation being to make the system easier to manage and repair, which is an advantage of an integrated system).
Regarding claim 5, Garman and Valencia disclose the system of claim 1.  Garman further discloses wherein the analytics engine is further configured to perform individual metrics checking (Garman, paragraph [0068]: determine pattern of activity based on specific criteria), historical and cross endpoint comparatives (Garman, paragraph [0084]: the expected pattern is updated from previous activity and the actual pattern is compared with expected patterns), and activity sequences using the aggregated information and the expected fingerprints associated with the endpoints (Garman, paragraph [0034]: observing a sequential pattern of activity.  Paragraphs [0068] and [0084]: actual pattern of activity is compared with expected patterns of activities- fingerprint- in a computer system).
Regarding claim 7, Garman and Valencia disclose the system of claim 1.  Garman further discloses wherein the analytics engine performs analysis of activity sequences from the behavior information associated with the endpoint including a determination whether one or more specific activities have occurred (Garman, paragraph [0034]: “a sequential pattern of activity (e.g., a sequence in which particular operations or types of operations are performed, a sequence in which particular resources or types of resources are accessed, a sequence of particular occurrences or types of activities, etc.)”).
Regarding claim 8, Garman and Valencia disclose the system of claim 1.  Garman further discloses wherein to invoke the analytics rules and machine learning models to output the deviation information for each of the endpoints, the analytics engine further invokes a profile management handler that compares the aggregated information to the expected fingerprints and provides results of the comparison (Garman, paragraph [0012]: “behavioral baselines for a computer system can be accurately and efficiently established by (1) monitoring occurrences on the computer system (e.g., particular occurrences, particular types of occurrences, etc.), (2) determining, based on security rules or heuristics, which of the observed occurrences are associated with potential security risks, (3) identifying, based on the observed occurrences, patterns of activity”. Paragraphs [0067-68]: behavioral baseline database with standards, rules and exceptions is used to determine whether an activity is expected.  Paragraphs [0073] and [0084]: updating expected patterns of activity creates learning data which is used in future determination of expected patterns of activity. Paragraph [0078]: deviation information is determined from the difference between monitored activity and expected activity- expected fingerprints- which is from the baseline database. Garman does not explicitly disclose a specific profile management handler performing the comparison, but, as presented for claim 1, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have different modules or engines performing specific functions of choice, such as a profile management handler performing the comparison, the motivation being to make the system easier to manage and repair, which is an advantage of an integrated system.)
Regarding claim 9, Garman and Valencia disclose the system of claim 1, wherein: the deviation information are associated with a plurality of categories of threat (a. Garman, paragraph [0062]: classify type of pattern of activity with security problem(s)- multiple types-categories- associated with multiple security problems), each of the categories of threat associated with a specific risk value, and some categories of threat comprise risk values that are weighted differently from risk values of other categories of threat (b. Valencia, paragraph [0036]: weighted behavior feature is based on data type; paragraphs [0058]-[0059]: cumulative and multiple labels of different observed activities with different threat values; paragraph [0136]: weighted results.  The combination of Garman’s teaching in (a) and Valencia’s teaching in (b) would result in the predictable result of categories of threats with different weights).
Regarding claim 10, Garman and Valencia disclose the system of claim 1, wherein: to issue the alerts indicating the security threats for each of the endpoints (a. Garman, paragraphs [0075] and [0083]: issuing alert.  b. Valencia, paragraph [0028]: informing users of the device behaviors), the alerting system determines whether an alert is to be issued based on a cumulative risk level, the cumulative risk level being a summation of specific risk values associated with one or more categories of threat that are associated with the deviation information, wherein each category of threat is associated with one of the specific risk values that is registered each time an associated trigger event occurs (c. Garman, paragraph [0062]: classifying type of pattern of activity with security problem(s). d. Valencia, paragraphs [0058]-[0059]: cumulative and multiple labels of different observed activities), and the alert is to be issued in response to a determination that the cumulative risk level exceeds a risk threshold (e. Valencia, paragraph [0136]: weighted average results are compared to a threshold value.  The combination of Garman and Valencia’s teachings in (a), (b), (c), (d) and (e) results in the predictable and obvious result of issuing an alert when the cumulative risk level exceeds a risk threshold).
Regarding claim 11, Garman and Valencia disclose the system of claim 10, wherein some categories of threat comprise risk values that are weighted differently from risk values of other categories of threat (Valencia, paragraphs [0027] and [0058]-[0059]: categories of threat with different weights).
Regarding claim 13, Garman and Valencia disclose the system of claim 1, wherein the behavioral information for the endpoint include at least one of the following: firewall metric, internet protocol (IP) address metric (Valencia, paragraph [0083]: monitoring data network activity including protocols and port numbers), activity counter metric (Valencia, paragraph [0083]: monitoring data network activity including number of connections, volume or frequency of communications, number of calls or messages sent out, received, or intercepted), process information metric, keyboard metric, and mouse metric.
Regarding claim 14, Garman and Valencia disclose the system of claim 1.  Valencia further discloses wherein the behavioral information for the endpoint include at least one of the following: mouse telemetry, keyboard connections and activations (Garman, paragraph [0035]: a pattern of activity may characterize activity involving peripheral device.  Valencia, paragraph [0085]: monitoring peripheral devices of the mobile computing devices.  Note: a keyboard is a peripheral device), process usage, and hot desk information.
Regarding claim 15, Garman and Valencia disclose the system of claim 1, wherein each of the security threats is classified as at least one of the following: manual or automated, malware or custom (Garman, paragraph [0043]: pattern of activity includes execution of malware), hardware or software, and internal or external.
10.	Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Garman et al. (US 2018/0077187), hereinafter “Garman”, in view of Valencia et al. (US 2016/0253498), hereinafter “Valencia” and in view of Manganaris et al. (US 2002/0082886), hereinafter “Manganaris”.
Regarding claim 6, Garman and Valencia disclose the system of claim 1.  Garman discloses observing a sequential pattern of activity (paragraph [0034]).  Garman and Valencia do not explicitly disclose determining whether specific metrics are absent from any of the activity sequences.  However, determining that a metric is absent in anomaly detection is known in the art, and Manganaris’ teaching is an example (paragraph [0022]: lack of occurrence of expected behavior could be considered as abnormal and could trigger alarm).
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Garman and Valencia’s teachings of cyber security threat detection with a plurality of collector engines and each of the collector engines previously installed on an endpoint of a plurality of endpoints with Manganaris’s teaching of determining that a metric is absent in anomaly detection.  The motivation to do so would be to detect unusual events in computer intrusion detection as taught by Manganaris (Abstract).
11.	Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Garman et al. (US 2018/0077187), hereinafter “Garman”, in view of Valencia et al. (US 2016/0253498), hereinafter “Valencia” and in view of Mahadik et al. (US 2013/0246605), hereinafter “Mahadik”.
Regarding claim 12, Garman and Valencia disclose the system of claim 11, wherein: a baseline level is computed over time for the cumulative risk level, value excursions for the cumulative risk level with respect to the baseline level are tracked over time, and [the risk threshold is computed based on the tracked excursions] (Garman, Fig. 2, steps 220- 230 and Fig. 3 step 330 with associated text: expected patterns of activity are updated in behavioral baseline database and the updated behavioral baseline database is used in determining whether the newly observed activity is expected.  Paragraphs [0067-68]: behavioral baseline database with standards, rules and exceptions is used to determine whether an activity is expected.  Paragraphs [0073] and [0084]: updating expected patterns of activity creates learning data which is used in future determination of expected patterns of activity. Paragraph [0078]: deviation information is determined from the difference between monitored activity and expected activity, which is from the baseline database.  Valencia, paragraph [0136]: weighted average results are compared to a threshold value).  Garman and Valencia do not explicitly disclose that the risk threshold is computed based on the tracked excursions.  However, adjusting a risk level based on a risk threshold that is computed from tracked deviations is known in the art, and Mahadik’s teaching is an example (Fig. 2 with associated text: monitored activity is tracked over time to update tracking data and adjust activity weight. Paragraphs [0004-5] and [0032-33]: relation of security risk with thresholds and activity weights.)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Garman and Valencia’s teachings of cyber security threat detection with a plurality of collector engines and each of the collector engines previously installed on an endpoint of a plurality of endpoints with Mahadik’s teaching of adjusting a risk level based on a risk threshold that is computed from tracked deviations. The motivation to do so would be to ensure fewer false detections in network security as taught by Mahadik (paragraphs [0001] and [0007]).
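The alerting scheme recited in claims 10 through 12 (risk values registered per trigger event and summed into a cumulative risk level, a baseline computed over time, excursions tracked, and the risk threshold derived from those excursions), shown as an added illustration that is not code from this Office Action or from any cited reference. The category names, risk values, window size, static floor and the use of the population standard deviation of excursions are constructed assumptions.

```python
"""Added illustration of the claim 10-12 alerting scheme (not from the Office
Action or any cited reference); weights, window and statistic are assumptions."""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Sequence, Tuple

# Constructed example: each category of threat carries a specific risk value,
# and some categories are weighted more heavily than others (claims 10-11).
RISK_VALUES: Dict[str, float] = {
    "failed_login": 2.0,
    "cpu_spike": 1.0,
    "new_process": 3.0,
    "privilege_change": 5.0,
}


def cumulative_risk(trigger_events: Sequence[str],
                    risk_values: Dict[str, float] = RISK_VALUES) -> float:
    """Register the category's risk value each time a trigger event occurs and
    sum the registered values into the cumulative risk level (claim 10).
    A category with no configured weight contributes 0 rather than raising, so
    a collector emitting an unknown category cannot take the alerting path down."""
    return sum(risk_values.get(category, 0.0) for category in trigger_events)


@dataclass
class AdaptiveThreshold:
    """Baseline over time and an excursion-derived risk threshold (claim 12).

    baseline  = mean of the last `window` non-alerting cumulative risk levels
    excursion = level - baseline, tracked for every interval
    threshold = max(static_floor, baseline + k * pstdev(recent excursions))

    Alerting intervals are kept out of the baseline so a sustained attack cannot
    normalise itself into expected behaviour; their excursions are still tracked,
    which is what the threshold is computed from. The static floor covers the
    cold start before enough history exists.
    """
    window: int = 8
    k: float = 2.0
    min_history: int = 3
    static_floor: float = 5.0
    levels: List[float] = field(default_factory=list)
    excursions: List[float] = field(default_factory=list)

    def baseline(self) -> float:
        recent = self.levels[-self.window:]
        return mean(recent) if recent else 0.0

    def threshold(self) -> float:
        if len(self.excursions) < max(self.min_history, 1):
            return self.static_floor
        spread = pstdev(self.excursions[-self.window:])
        return max(self.static_floor, self.baseline() + self.k * spread)

    def observe(self, level: float) -> Tuple[bool, float]:
        """Decide whether this interval's level exceeds the risk threshold, then
        fold the interval into the tracked excursions (and, if benign, the baseline)."""
        thr = self.threshold()
        alert = level > thr
        self.excursions.append(level - self.baseline())
        if not alert:
            self.levels.append(level)
        return alert, thr


# Constructed trigger events for one endpoint, one list per collection interval.
SCENARIO: List[List[str]] = [
    ["failed_login"],
    ["failed_login", "cpu_spike"],
    ["new_process", "cpu_spike"],
    ["new_process"],
    ["failed_login"] * 4 + ["privilege_change"],  # burst: 13.0, above the floor
    ["cpu_spike"],
    ["failed_login"] * 3 + ["new_process"],       # 9.0: above floor, inside widened band
]


def run_scenario(events: Sequence[Sequence[str]] = SCENARIO) -> List[Tuple[bool, float, float]]:
    """Return (alert, threshold, cumulative_risk) for each interval."""
    engine = AdaptiveThreshold()
    results = []
    for interval in events:
        level = cumulative_risk(interval)
        alert, thr = engine.observe(level)
        results.append((alert, thr, level))
    return results


if __name__ == "__main__":
    for i, (alert, thr, level) in enumerate(run_scenario(), start=1):
        print(f"interval {i}: level={level:5.1f} threshold={thr:6.2f} alert={alert}")
```

Interval 5 alerts against the static floor; its excursion of 10 then widens the threshold to about 10.2, so the level of 9 in interval 7 is not alerted, which is the trade-off an excursion-derived threshold makes between fewer false alerts and slower reaction to a second burst.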
12.	Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Garman et al. (US 2018/0077187), hereinafter “Garman”, in view of Valencia et al. (US 2016/0253498), hereinafter “Valencia” and in view of Stacy Stubblefield (2014/0282964), hereinafter “Stubblefield”.
Regarding claim 16, Garman and Valencia disclose the system of claim 5.  Garman and Valencia do not explicitly disclose wherein the activity sequences include an activity sequence associated with an endpoint user logging into the endpoint using stolen credentials or using an unlocked endpoint. However, identifying unauthorized access using stolen credentials and preventing such action is known in the art before the effective filing date of the claimed invention, and Stubblefield’s teaching is an example (paragraphs [0002] and [0021]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Garman and Valencia’s teachings of cyber security threat detection with a plurality of collector engines and each of the collector engines previously installed on an endpoint of a plurality of endpoints with Stubblefield’s teaching of identifying unauthorized access using stolen credentials and preventing such action.  The motivation to do so would be to prevent fraud as taught by Stubblefield (paragraph [0017]).
13.	Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Garman et al. (US 2018/0077187), hereinafter “Garman”, in view of Valencia et al. (US 2016/0253498), hereinafter “Valencia” and in view of Althouse et al. (US 2017/0339166), hereinafter “Althouse”.
Regarding claim 17, Garman and Valencia disclose the system of claim 5.  Garman and Valencia do not explicitly disclose wherein the activity sequences include an activity sequence associated with a cyber attack performed by attaching to a privileged process with reverse shell access.
However, intrusion detection of reverse shell access is known in the art before the effective filing date of the claimed invention and Althouse’s teaching is an example (paragraph [0073]: detecting intrusion of reverse shell).
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Garman and Valencia’s teachings of cyber security threat detection with a plurality of collector engines and each of the collector engines previously installed on an endpoint of a plurality of endpoints with Althouse’s teaching of intrusion detection of reverse shell.  The motivation to do so would be to protect a system that is vulnerable to intrusion by an unauthorized user as taught by Althouse (Abstract).
14.	Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Garman et al. (US 2018/0077187), hereinafter “Garman”, in view of Valencia et al. (US 2016/0253498), hereinafter “Valencia” and in view of Turgeman et al. (US 2015/0310196), hereinafter “Turgeman”.
Regarding claim 18, Garman and Valencia disclose the system of claim 1.  Garman and Valencia do not explicitly disclose wherein the alerting engine is further configured to issue no alert in response to a determination that an authorized user successfully answers a challenge sent out of band (OoB).
However, using out of band verification to determine security action is known in the art before the effective filing date of the claimed invention and Turgeman’s teaching is an example (paragraph [0033]: “The user identity determination module 205 may trigger or activate a fraud mitigation module 206 able to perform one or more fraud mitigating steps based on that determination; for example, by requiring the current user to respond to a challenge, to answer security question(s), to contact customer service by phone, to perform two-step authentication or two-factor authentication, or the like.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Garman and Valencia’s teachings of cyber security threat detection with a plurality of collector engines and each of the collector engines previously installed on an endpoint of a plurality of endpoints with Turgeman’s teaching of using out of band verification to determine security action, because the result would be predictable, namely not issuing an alert when an authorized user gives a confirmation by answering a challenge sent out of band.
15.	Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Garman et al. (US 2018/0077187), hereinafter “Garman”, in view of Valencia et al. (US 2016/0253498), hereinafter “Valencia”, in view of Carpenter et al. (US 2017/0208086), hereinafter “Carpenter” and in view of Bohbot et al. (US 2005/0001717), hereinafter “Bohbot”.
Regarding claim 19, Garman and Valencia disclose the system of claim 1.  Garman and Valencia do not explicitly disclose wherein: the alerting engine is further configured to send a text message to a security administrator from a specific phone number, and a mobile device of the security administrator is programmed to respond with a specific tone when a time critical alert is generated.
However, sending a text message to alert a predetermined user from a specific center is known in the art before the effective filing date of the claimed invention, and Carpenter’s teaching is an example (paragraphs [0063], [0065]: sending text messaging to external users using system center.  Note: it is well known in the art before the effective filing date of the invention that a system center has a specific number identifying it when it sends out information).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Garman and Valencia’s teachings of cyber security threat detection with a plurality of collector engines and each of the collector engines previously installed on an endpoint of a plurality of endpoints with Carpenter’s teaching of sending a text message to alert a predetermined user from a specific center, because the result would be predictable, namely a system center with a specific number sending notifications to users.
Garman, Valencia and Carpenter do not explicitly disclose a mobile device of the security administrator programmed to respond with a specific tone when a time critical alert is generated.  However, a mobile device receiving a specific alert tone is known in the art before the effective filing date of the claimed invention, and Bohbot’s teaching is an example (paragraph [0092]: differing sounds for different alerts.  Paragraph [0115]: mobile device).
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Garman, Valencia and Carpenter’s teachings of cyber security threat detection, a plurality of collector engines with each of the collector engines previously installed on an endpoint of a plurality of endpoints, and sending a text message to alert a predetermined user from a specific center with Bohbot’s teaching of a mobile device receiving a specific alert tone.  The motivation to do so would be to draw a user’s attention to the kind of threat so that they can act accordingly.
16.	Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Garman et al. (US 2018/0077187), hereinafter “Garman”, in view of Valencia et al. (US 2016/0253498), hereinafter “Valencia” and in view of Tom Miltonberger (US 8,280,833), hereinafter “Miltonberger”.
Regarding claim 20, Garman and Valencia disclose the system of claim 1.  Garman further discloses monitoring types of applications and the expected set of applications that a particular user runs (paragraphs [0038] and [0068]) and issuing a security alert related to an unexpected pattern of activity (paragraph [0075]).  Garman and Valencia do not explicitly disclose a prediction engine configured to predict patterns of a software application based on a determined probability and to traverse an alert threshold according to the determined probability when operating patterns of the software application diverge from the predicted patterns.  However, using probability to predict patterns of activity and an adjustable threshold based on user behavior are known in the art before the effective filing date of the claimed invention, and Miltonberger’s teaching is an example (Col. 4, lines 3-27: adjustable threshold and risk score; Col. 7, lines 47-52: calculate probability of occurrence of new behavioral activity and the probability is used to calculate risk score).
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Garman and Valencia’s teachings of cyber security threat detection with a plurality of collector engines and each of the collector engines previously installed on an endpoint of a plurality of endpoints with Miltonberger’s teaching of using probability to predict patterns of activity and an adjustable threshold based on user behavior.  The motivation to do so would be to better manage evolving threats.
17.	Claims 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over Garman et al. (US 2018/0077187), hereinafter “Garman”, in view of Mahadik et al. (US 2013/0246605), hereinafter “Mahadik”.
Regarding claim 21, Garman discloses a method for detecting cyber security threat of one or more endpoints within a computing environment (paragraphs [0002], [0031] and [0097-98]: cybersecurity incident detection computing system with plurality of servers and clients), the method comprising: 
receiving aggregated information including statistical information from each of the endpoints (Fig. 1 with associated text and paragraph [0064]: activity monitoring module 140-collector engine- observes, filters and stores observed activity on a computer system in the observed activity databases 120.  Fig. 1 with associated text: incident detection module 160- analytics engine.  Paragraph [0063]: the incident detection module determines whether an observed activity is suspicious. Note: The activity monitoring module collects observed activity and the incident detection module uses the observed activity. The incident detection module must therefore receive the observed activity information), wherein the statistical information includes behavioral information and resource information associated with the endpoint (paragraphs [0034-39], [0048], and [0067-68]: monitored activities include the user’s activities- behavioral information- and resource activities); 
invoking learning models to output deviation information for each of the endpoints based on the aggregated information and expected fingerprints associated with the endpoints (paragraph [0010]: distinguishing expected and unexpected activity for a specific user.  Paragraph [0078]: comparing monitored activity with expected activities using an arithmetic or percentage difference.  Paragraph [0080]: detecting differences between actual and expected patterns of activity- expected fingerprints- using baseline activity data.  Fig. 2, step 230 and Fig. 3, step 330 with associated text: data is added to a behavioral baseline database to update the expected patterns of activity used for comparison.  The process of updating the behavioral database and using it for comparison to produce a result- a deviation- is considered as invoking learning models); and 
issuing one or more alerts indicating one or more security threats have occurred for each of the endpoints in response to the deviation information for the endpoint (paragraphs [0075] and [0083]: incident detection engine issues security alert as needed); 
wherein issuing the alerts comprising: determining whether an alert is to be issued based on a [cumulative risk level, the cumulative risk level being a summation of specific risk values associated with one or more categories of threat that are associated with the deviation information], wherein each category of threat is associated with [one of the specific risk values that is registered each time an associated trigger event occurs] (Paragraph [0062]:  classifying type-category- of pattern of activity with security problem(s).  Paragraph [0078]: comparing monitored activity with expected activities using arithmetic or percentage difference-threshold.  Paragraph [0080]: detecting differences between actual and expected patterns of activity using baseline activity data), and issuing the alert in response to a determination that the [cumulative risk level exceeds a risk threshold].
Garman does not explicitly disclose that the alert is to be issued based on a cumulative risk level, the cumulative risk level being a summation of specific risk values associated with one or more categories of threat that are associated with the deviation information, wherein each category of threat is associated with one of the specific risk values that is registered each time an associated trigger event occurs, and issuing the alert in response to a determination that the cumulative risk level exceeds a risk threshold.  However, cumulative risk based on multiple monitored activities associated with different values was known in the art, and Mahadik’s teaching is an example (paragraphs [0004] and [0032]-[0035]: assigning weights- categories- to activities; the aggregated/combined- cumulative/summation- weight is compared to a risk threshold). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Garman’s teaching of a cyber security threat detection system that issues an alert in response to deviation information with Mahadik’s teaching of cumulative risk based on multiple monitored activities associated with different values, to have the predictable result of issuing an alert based on a cumulative risk level, the cumulative risk level being a summation of specific risk values associated with one or more categories of threat that are associated with the deviation information, wherein each category of threat is associated with one of the specific risk values that is registered each time an associated trigger event occurs, and issuing the alert in response to a determination that the cumulative risk level exceeds a risk threshold.  The motivation to do so would be to ensure fewer false detections in network security, as taught by Mahadik (paragraphs [0001] and [0007]).
Regarding claim 22, Garman and Mahadik disclose the method of claim 21.  Mahadik further discloses wherein some categories of threat comprise risk values that are weighted differently from risk values of other categories of threat (Mahadik, paragraph [0004]: assigning weights to activities; paragraph [0019]: the adjustable weight of monitored activities affects the security risk.)
Regarding claim 23, Garman and Mahadik disclose the method of claim 22.  Mahadik further discloses computing a baseline level over time for the cumulative risk level, tracking, over time, value excursions for the cumulative risk level with respect to the baseline level, and computing the risk threshold based on the tracked excursions (Mahadik, Fig. 2 with associated text: monitored activity is tracked over time to update tracking data and adjust the activity weight. Paragraphs [0004-5] and [0032-33]: relation of security risk to thresholds and activity weights.  Paragraph [0019]: adjustable weight based on observed activities.  Note: the activity weight is one type of baseline level).
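The following is an added illustration of the scoring recited in claims 21-23 and is not code from the present application, Garman or Mahadik.  It registers a per-category risk value each time a trigger event occurs, sums those values into a cumulative risk level, computes a baseline for that level over recent observation windows, tracks excursions from the baseline, and derives the risk threshold from the tracked excursions.  The category names, risk values, window size, the static threshold used before enough history exists, and the threshold rule (baseline plus k times the root-mean-square excursion) are all assumptions chosen for illustration; the claims fix no particular formula.

```python
"""Cumulative risk alerting with a baseline-derived threshold.

Added example; not code from the application, Garman or Mahadik.
All category names, values and the event stream are constructed.
"""
from dataclasses import dataclass, field
from math import sqrt
from statistics import mean

# Assumed per-category risk values (claim 22: categories weighted differently).
RISK_VALUES = {
    "unexpected_process": 3.0,
    "unusual_logon_hour": 2.0,
    "resource_spike": 1.0,
    "new_external_connection": 4.0,
}


@dataclass
class CumulativeRiskAlerter:
    risk_values: dict
    window: int = 4                  # observation windows kept for baseline/excursions
    k: float = 2.0                   # excursion multiplier for the adaptive threshold
    initial_threshold: float = 6.0   # static threshold until enough history exists
    levels: list = field(default_factory=list)      # past cumulative risk levels
    excursions: list = field(default_factory=list)  # past (level - baseline) values

    def cumulative_risk(self, trigger_events):
        """Register the category's risk value once per trigger event and sum them."""
        total = 0.0
        for category in trigger_events:
            if category not in self.risk_values:
                raise ValueError(f"unknown threat category: {category!r}")
            total += self.risk_values[category]
        return total

    def baseline(self):
        """Baseline level: mean cumulative risk over the recent windows."""
        recent = self.levels[-self.window:]
        return mean(recent) if recent else 0.0

    def risk_threshold(self):
        """Threshold computed from tracked excursions: baseline + k * RMS excursion."""
        recent = self.excursions[-self.window:]
        if len(recent) < self.window:
            return self.initial_threshold
        rms = sqrt(sum(e * e for e in recent) / len(recent))
        return self.baseline() + self.k * rms

    def evaluate(self, trigger_events):
        """Score one window of deviation information; returns (level, threshold, alert)."""
        level = self.cumulative_risk(trigger_events)
        threshold = self.risk_threshold()
        alert = level > threshold
        if not alert:
            # Design choice (not from the claims): only windows that did not alert
            # feed the baseline and excursion history, so that one alerting window
            # cannot raise the bar for the next one.
            self.excursions.append(level - self.baseline())
            self.levels.append(level)
        return level, threshold, alert


# Constructed deviation information: one list of trigger events per window.
SAMPLE_WINDOWS = [
    ["resource_spike"],
    ["unusual_logon_hour"],
    ["resource_spike", "unusual_logon_hour"],
    ["unexpected_process", "new_external_connection", "resource_spike"],
    ["unusual_logon_hour", "resource_spike"],
    ["new_external_connection", "resource_spike"],
]


def run(windows=SAMPLE_WINDOWS, risk_values=RISK_VALUES):
    """Evaluate each window in order; returns a list of (level, threshold, alert)."""
    alerter = CumulativeRiskAlerter(risk_values)
    return [alerter.evaluate(w) for w in windows]


if __name__ == "__main__":
    for i, (level, thr, alert) in enumerate(run(), 1):
        print(f"window {i}: level={level:.2f} threshold={thr:.2f} alert={alert}")
```

In the constructed stream the fourth window trips the static threshold, while the sixth window (level 5.0) is caught only by the adaptive threshold derived from the tracked excursions, which by then sits below the static value; a duplicated trigger event is counted twice, as claim 21's "registered each time an associated trigger event occurs" requires.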

Conclusion
18.	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure: see attached PTO-892 Notice of References Cited.

19. 	Any inquiry concerning this communication or earlier communications from the examiner should be directed to THANH T LE whose telephone number is (571)270-0279.  The examiner can normally be reached on Monday-Thursday 8:00 am - 4:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

		/THANH T LE/                      Examiner, Art Unit 2495