Prosecution Insights
Last updated: July 05, 2026
Application No. 17/849,537

Distributed Digital Security System for Predicting Malicious Behavior

Final Rejection §103
Filed
Jun 24, 2022
Examiner
DILUZIO, NICHOLAS JOSEPH
Art Unit
2498
Tech Center
2400 — Computer Networks
Assignee
CrowdStrike Inc.
OA Round
4 (Final)
31%
Grant Probability
At Risk
5-6
OA Rounds
0m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants only 31% of cases
31%
Career Allowance Rate
4 granted / 13 resolved
-27.2% vs TC avg
Strong +100% interview lift
Without
With
+100.0%
Interview Lift
resolved cases with interview
Typical timeline
3y 0m
Avg Prosecution
15 currently pending
Career history
44
Total Applications
across all art units

Statute-Specific Performance

§101
1.4%
-38.6% vs TC avg
§103
96.4%
+56.4% vs TC avg
§112
2.1%
-37.9% vs TC avg
Black line = Tech Center average estimate • Based on career data from 13 resolved cases

Office Action

§103
DETAILED ACTION Examiner acknowledges receipt of Applicant’s amendment filed on 01/13/2026 Claims 1, 7, 12, 16, and 17 are currently amended Claims 3-6, 13-15, and 18-20 have been cancelled Claims 1-2, 7-12, and 16-17 remain pending Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Information Disclosure Statement The information disclosure statement (IDS) submitted on 01/13/2026 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner. Response to Amendment Examiner has fully considered Applicant’s amendments to the Specification and Claims in the arguments filed on 01/13/2026. Claims 1-2, 7-12, and 16-17 remain pending in the application. Examiner has withdrawn the objections to the Specification and 112(a) rejections of the Claims based on the amendments. Response to Arguments Applicant’s arguments filed 01/13/2026, with respect to the rejections of claims 1-2, 7-12, and 16-17 under 35 USC 103 have been fully considered and are persuasive. Therefore, the rejections have been withdrawn. However, upon further consideration, new ground(s) of rejection are made in view of the previously applied references from Diehl and Thomas, in addition to a newly applied reference from Givental et al. (US 20230185923 A1), hereinafter Givental. Examiner respectfully submits that it is Diehl, rather than Thomas, teaches the newly amended limitations including “a context collection comprising new event data based on the event data in the event stream” and “the context collection specifying a context collection format that defines data elements or attributes of the new event data, and specifying a context collection interface that defines a minimum number of data elements in the new event data”, and the new combination of Diehl, Thomas, and Givental is sufficient to render obvious the amended limitation “selecting, by the predictions engine, one or more of a plurality of machine learning models to which to apply at least a portion of the new event data, according to the context collection comprising the new event data”. Please refer to the detailed claim mappings in the prior-art rejection section below. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-10, and 12-20 are rejected under 35 U.S.C. 103 as being unpatentable over Diehl et al. (US 20210326453 A1), hereinafter Diehl, in view of Thomas et al. (US 20230114821 A1), hereinafter Thomas, and Givental et al. (US 20230185923 A1), hereinafter Givental. Regarding Claim 1: Diehl teaches a computer-implemented method, comprising (Diehl – Paragraph [0027]: Described herein are systems and methods for a distributed digital security system that can address these and other deficiencies of digital security systems): receiving, by a compute engine located in a security network and executing remotely from one or more client computing devices coupled in communication with the security network (Diehl – Figure 1: Illustration of a distributed security system including a compute engine in a security network that is executed remotely from a client computing device) an event stream (Diehl – Paragraph [0083]: In a cloud instance of the compute engine 102, in some example the event stream may be received via the storage engine 116) comprising event data associated with an occurrence of one or more events on one or more client computing devices (Diehl – Paragraph [0083]: The event data 122 may have originated from an event detector 124 of a security agent 108 that initially detected or observed the occurrence of an event on a client device 104); generating, by the compute engine, a context collection comprising new event data based on the event data in the event stream (Diehl – Paragraph [0083]: The event data 122 may have originated from an event detector 124 of a security agent 108 that initially detected or observed the occurrence of an event on a client device 104, and/or may be event data 122 that has been produced using refinement operations 202 and/or composition operations 302 by the compute engine 102 or a different instance of the compute engine 102; and Paragraph [0035]: The event data 122 may also be referred to as a “context collection” of one or more data elements; Examiner’s Comment: event data produced using refinement operations and/or composition operations is interpreted as the claimed new event data), the context collection specifying a context collection format that defines data elements or attributes of the new event data (Diehl – Paragraph [0041]: [0041] An ontological definition 134 of a context collection format 136 can define data elements and/or a layout for corresponding event data 122. For example, an ontological definition 134 of a context collection format 136 can identify specific types of information, fields, or data elements that should be captured in event data 122 about a type of event that occurs on a client device 104. For example, although any number of attributes about an event that occurs on a client device 104 could be captured and stored in event data 122, an ontological definition 134 of a context collection format 136 can define which specific attributes about that event are to be recorded into event data 122 for further review and processing), and specifying a context collection interface that defines a minimum number of data elements in the new event data (Diehl – Paragraph [0044]: An ontological definition 134 of a context collection interface 138 can indicate a set of one or more data elements that a component of the distributed security system 100 expects to be present within event data 122 in order for the component to consume and/or process the event data 122. In particular, an ontological definition 134 of a context collection interface 138 can define a minimum set of data elements, such that event data 122 that includes that minimum set of data elements may satisfy the context collection interface 138); the context collection comprising the new event data (Diehl – Paragraph [0083]: The event data 122 may have originated from an event detector 124 of a security agent 108 that initially detected or observed the occurrence of an event on a client device 104, and/or may be event data 122 that has been produced using refinement operations 202 and/or composition operations 302 by the compute engine 102 or a different instance of the compute engine 102; and Paragraph [0035]: The event data 122 may also be referred to as a “context collection” of one or more data elements); the context collection comprising the new event data (Diehl – Paragraph [0083]: The event data 122 may have originated from an event detector 124 of a security agent 108 that initially detected or observed the occurrence of an event on a client device 104, and/or may be event data 122 that has been produced using refinement operations 202 and/or composition operations 302 by the compute engine 102 or a different instance of the compute engine 102; and Paragraph [0035]: The event data 122 may also be referred to as a “context collection” of one or more data elements). Diehl does not expressly teach receiving, by a predictions engine located in the security network and executing remotely from the one or more client computing devices, the context collection comprising the new event data; applying, by the predictions engine, the at least the portion of the new event data to the selected one or more of a plurality of machine learning models; generating, by the selected one or more of the plurality of machine learning models, a prediction result that indicates whether the occurrence of the one or more events from which the new event data was generated represents one or more target behaviors, responsive to the applying, by the predictions engine, the at least the portion of the new event data to the selected one or more of the plurality of machine learning models. However, Thomas teaches teach receiving, by a predictions engine located in the security network and executing remotely from the one or more client computing devices, the [context collection comprising the] new event data (Thomas – Paragraph [0089]: The threat detection tools 314 may be any of the threat detection tools, algorithms, techniques or the like described herein, or any other tools or the like useful for detecting threats or potential threats within an enterprise network. This may, for example, include signature based tools, behavioral tools, machine learning models, and so forth. In general, the threat detection tools 314 may use event data provided by endpoints within the enterprise network, as well as any other available context such as network activity, heartbeats, and so forth to detect malicious software or potentially unsafe conditions for a network or endpoints connected to the network. In one aspect, the threat detection tools 314 may usefully integrate event data from a number of endpoints (including, e.g., network components such as gateways, routers, and firewalls) for improved threat detection in the context of complex or distributed threats; and Figure 3: illustration of a threat management facility 308 that operates remotely from one or more endpoints 302); applying, by the predictions engine, the at least the portion of the new event data to the selected one or more of a plurality of machine learning models … (Thomas – Paragraph [0256]: the threat management facility 1806 may be configured to calculate a composite threat score for a compute instance by mapping the security events in the event stream to an attack matrix that enumerates malware strategies in a first dimension and malware techniques for each of the malware strategies in a second dimension... The threat management facility 1806 may also or instead be configured to calculate the composite threat score by applying a machine learning algorithm to the pattern of traversal of the attack matrix to determine a likelihood of threat; and Paragraph [0085]: The threat management facility 308 may also or instead store and deploys a number of security tools such as a web-based user interface that is supported by machine learning models to aid in the identification and assessment of potential threats by a human user); generating, by the [selected] one or more of the plurality of machine learning models (Thomas – Paragraph [0085]: The threat management facility 308 may also or instead store and deploys a number of security tools such as a web-based user interface that is supported by machine learning models to aid in the identification and assessment of potential threats by a human user), a prediction result that indicates whether the occurrence of the one or more events from which the new event data was generated represents one or more target behaviors (Thomas – Paragraph [0256]: The threat management facility 1806 may also or instead be configured to calculate the composite threat score by applying a machine learning algorithm to the pattern of traversal of the attack matrix to determine a likelihood of threat; and Paragraph [0294]: the threat score may include a weighted sum of probabilities of different types of threats, as identified by a machine learning model. In another aspect, e.g., where a rules-based technique is used, the threat score may be based on a type of malware predicted using one or more detection rules, or as a weighted sum of probabilities for different types of threats indicated by the rules based technique), responsive to the applying, by the predictions engine, the at least the portion of the new event data to the selected one or more of the plurality of machine learning models … (Thomas – Paragraph [0256]: the threat management facility 1806 may be configured to calculate a composite threat score for a compute instance by mapping the security events in the event stream to an attack matrix that enumerates malware strategies in a first dimension and malware techniques for each of the malware strategies in a second dimension... The threat management facility 1806 may also or instead be configured to calculate the composite threat score by applying a machine learning algorithm to the pattern of traversal of the attack matrix to determine a likelihood of threat; and Paragraph [0085]: The threat management facility 308 may also or instead store and deploys a number of security tools such as a web-based user interface that is supported by machine learning models to aid in the identification and assessment of potential threats by a human user). It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Diehl, further incorporating Thomas to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Thomas’s teaching of a predictions engine utilizing machine learning models remotely from client devices to detect potential malicious behavior into Diehl’s method for implementing a security network to detect anomalous behavior. This combination would provide the method with an enhanced capability to gain additional knowledge from event data useful for predicting malicious activity in the network. The combination of Diehl and Thomas does not expressly teach selecting, by the predictions engine, one or more of a plurality of machine learning models to which to apply at least a portion of the new event data, according to [the context collection comprising the received new] event data; applying … event data to the selected one or more of the plurality of machine learning models according to [the context collection comprising the new] event data; and the selected one or more of the plurality of machine learning models according to [the context collection comprising the new] event data. However, Givental teaches selecting, by the predictions engine, one or more of a plurality of machine learning models to which to apply at least a portion of the new event data, according to [the context collection comprising the received new] event data (Givental – Paragraph [0005]: The method further includes selecting, by the machine learning feature predictor, for a new input data instance, the selected features from the new input data instance and selecting a trained machine learning model from the plurality of the machine learning models trained based on the selected features; and Paragraph [0026]: An incoming log is analyzed by the feature predictor to derive a feature set to use when evaluating a security risk. Based on the feature set, a corresponding ML model can be selected that can optimally predict a threat disposition using that feature set. Once selected the ML can make a classification and produce a threat disposition, e.g., anomalous (security risk or threat) or non-anomalous. This mechanism enables different ML models to be utilized on different feature subsets within the log dataset. That is, while individual ML models may not perform well overall on all the features of the logs, they will perform well on particular types of features derived from the logs; and Paragraph [0034]: Using the feature set groupings 140, the feature predictor 150 can select the feature set that corresponds to the predicted security risk. The selected features 155 can then be used to select a corresponding ML model 165 from the ML model collection 160 that was trained using those features. The selected ML model 165 can then be used to generate a classification 180 for the incoming data 170); applying … event data to the selected one or more of the plurality of machine learning models according to [the context collection comprising the new] event data (Givental – Paragraph [0005]: The method further includes selecting, by the machine learning feature predictor, for a new input data instance, the selected features from the new input data instance and selecting a trained machine learning model from the plurality of the machine learning models trained based on the selected features; and Paragraph [0026]: An incoming log is analyzed by the feature predictor to derive a feature set to use when evaluating a security risk. Based on the feature set, a corresponding ML model can be selected that can optimally predict a threat disposition using that feature set. Once selected the ML can make a classification and produce a threat disposition, e.g., anomalous (security risk or threat) or non-anomalous. This mechanism enables different ML models to be utilized on different feature subsets within the log dataset. That is, while individual ML models may not perform well overall on all the features of the logs, they will perform well on particular types of features derived from the logs; and Paragraph [0034]: Using the feature set groupings 140, the feature predictor 150 can select the feature set that corresponds to the predicted security risk. The selected features 155 can then be used to select a corresponding ML model 165 from the ML model collection 160 that was trained using those features. The selected ML model 165 can then be used to generate a classification 180 for the incoming data 170); and the selected one or more of the plurality of machine learning models according to [the context collection comprising the new] event data (Givental – Paragraph [0005]: The method further includes selecting, by the machine learning feature predictor, for a new input data instance, the selected features from the new input data instance and selecting a trained machine learning model from the plurality of the machine learning models trained based on the selected features; and Paragraph [0026]: An incoming log is analyzed by the feature predictor to derive a feature set to use when evaluating a security risk. Based on the feature set, a corresponding ML model can be selected that can optimally predict a threat disposition using that feature set. Once selected the ML can make a classification and produce a threat disposition, e.g., anomalous (security risk or threat) or non-anomalous. This mechanism enables different ML models to be utilized on different feature subsets within the log dataset. That is, while individual ML models may not perform well overall on all the features of the logs, they will perform well on particular types of features derived from the logs; and Paragraph [0034]: Using the feature set groupings 140, the feature predictor 150 can select the feature set that corresponds to the predicted security risk. The selected features 155 can then be used to select a corresponding ML model 165 from the ML model collection 160 that was trained using those features. The selected ML model 165 can then be used to generate a classification 180 for the incoming data 170). It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Diehl and Thomas, further incorporating Givental to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Givental’s teaching to select a particular machine learning model to based on an input set of features for making a prediction into Diehl and Thomas’s combined method for implementing a security network to detect anomalous behavior. A skilled artisan would find it obvious to apply the model selection techniques taught by Givental into the method for gathering, analyzing, and predicting outcomes taught by the combination of Diehl and Thomas. This combination results in the obvious benefit of optimized classifications/evaluations based on fine-grained feature sets and corresponding models tailored to specific risks or threats. Regarding Claim 2: The combination of Diehl, Thomas, and Givental teaches the computer-implemented method of claim 1. Diehl further teaches further comprising receiving, by the compute engine from a compiler of the security network, a configuration (Diehl – Paragraph [0039]: Cloud elements such as the compiler 114, the bounding service 118, and/or the experimentation engine 120 can generate configurations 132 for other elements of the distributed security system 100. Such configurations 132 can include configurations 132 for local and/or cloud instances of the compute engine 102) that includes a compiled set of executable instructions (Diehl – Paragraph [0039]: Configurations 132 can be channel files, executable instructions, and/or other types of configuration data) for processing the event data associated with occurrences of one or more events on or by the one or more client computing devices (Diehl – Paragraph [0040]: For example, rules and other data included in configurations 132 for the compute engine 102, bounding manager 128, and/or other elements can be based on ontological definitions 134 maintained at the ontology service 110; and Paragraph [0041]: although any number of attributes about an event that occurs on a client device 104 could be captured and stored in event data 122, an ontological definition 134 of a context collection format 136 can define which specific attributes about that event are to be recorded into event data 122 for further review and processing). The motivation to combine the arts is the same as that of Claim 1. Regarding Claim 7: The combination of Diehl, Thomas, and Givental teaches the computer-implemented method of claim 1. Diehl further teaches wherein generating, by the compute engine, the context collection comprising the new event data based on the event data in the event stream (Diehl – Paragraph [0083]: The event data 122 may have originated from an event detector 124 of a security agent 108 that initially detected or observed the occurrence of an event on a client device 104, and/or may be event data 122 that has been produced using refinement operations 202 and/or composition operations 302 by the compute engine 102 or a different instance of the compute engine 102; and Paragraph [0035]: The event data 122 may also be referred to as a “context collection” of one or more data elements; Examiner’s Comment: event data produced using refinement operations and/or composition operations is interpreted as the claimed new event data), comprises generating, by the compute engine using at least one of one or more query operations, one or more refinement operations, or one or more composition operations, the context collection comprising the new event data (Diehl – Paragraph [0051]: a compute engine 102 and/or other elements of the distributed security system 100 can process incoming event data 122 to generate new event data 122, for example by refining and/or combining received event data 122 using refinement operations and/or composition operations) based on the event data in the event stream (Diehl – Paragraph [0066]: compute engine 102 can process event data 122 in an event stream using refinements and/or compositions of a fundamental model according to instructions provided in a configuration 132). The motivation to combine the arts is the same as that of Claim 1. Regarding Claim 8: The combination of Diehl, Thomas, and Givental teaches the computer-implemented method of claim 1. Thomas further teaches wherein generating, by the selected one or more of the plurality of machine learning models (Thomas – Paragraph 0085]: The threat management facility 308 may also or instead store and deploys a number of security tools such as a web-based user interface that is supported by machine learning models to aid in the identification and assessment of potential threats by a human user), the prediction result that indicates whether the occurrence of the one or more events from which the new event data was generated represents the one or more target behaviors (Thomas – Paragraph [0093]: The endpoint 302 may include a filter 322 to manage a flow of information from the data recorder 304 to a remote resource such as the threat detection tools 314 of the threat management facility 308. In this manner, a detailed log of events may be maintained locally on each endpoint, while network resources can be conserved for reporting of a filtered event stream that contains information believed to be most relevant to threat detection; and Paragraph [0089]: the threat detection tools 314 may use event data provided by endpoints... to detect malicious software or potentially unsafe conditions for a network or endpoints connected to the network) comprises generating a confidence score associated with the prediction results (Thomas – Paragraph [0256]: The threat management facility 1806 may also or instead be configured to calculate the composite threat score by applying a machine learning algorithm to the pattern of traversal of the attack matrix to determine a likelihood of threat). The motivation to combine the arts is the same as that of Claim 1. Regarding Claim 9: The combination of Diehl, Thomas, and Givental teaches the computer-implemented method of claim 1. Thomas further teaches further comprising transmitting, by the security network (Thomas – Figure 1: block diagram of a threat management system), the prediction result to the one or more client computing devices (Thomas – Paragraph [0382]: the method 2800 may also include displaying the composite threat score to a user in the user interface associated with the investigation container, or otherwise facilitating investigation and remediation of any related threats. The method 2800 may also include creating an alert or notification to a user when the composite threat score meets the predetermined threshold, such as a message containing a link to the investigation container (or a user interface displaying data from the investigation container); and Paragraph [0136]: The user interface 900 may be provided, e.g., as a web page or other content presented from the threat management facility for display on a user device such as an end user endpoint). The motivation to combine the arts is the same as that of Claim 1. Regarding Claim 10: The combination of Diehl, Thomas, and Givental teaches the computer-implemented method of claim 9. Thomas further teaches wherein transmitting, by the security network (Thomas – Figure 1: block diagram of a threat management system), the prediction result to one or more of the plurality of client computing devices comprises (Thomas – Paragraph [0382]: the method 2800 may also include displaying the composite threat score to a user in the user interface associated with the investigation container, or otherwise facilitating investigation and remediation of any related threats. The method 2800 may also include creating an alert or notification to a user when the composite threat score meets the predetermined threshold, such as a message containing a link to the investigation container (or a user interface displaying data from the investigation container); and Paragraph [0136]: The user interface 900 may be provided, e.g., as a web page or other content presented from the threat management facility for display on a user device such as an end user endpoint) transmitting, by the security network (Thomas – Figure 1: block diagram of a threat management system), the prediction result to one or more of the plurality of client computing devices (Thomas – Paragraph [0382]: the method 2800 may also include displaying the composite threat score to a user in the user interface associated with the investigation container, or otherwise facilitating investigation and remediation of any related threats. The method 2800 may also include creating an alert or notification to a user when the composite threat score meets the predetermined threshold, such as a message containing a link to the investigation container (or a user interface displaying data from the investigation container); and Paragraph [0136]: The user interface 900 may be provided, e.g., as a web page or other content presented from the threat management facility for display on a user device such as an end user endpoint) responsive to the prediction result indicating that the occurrence of the one or more events from which the new event data is generated represents the one or more target behaviors (Thomas – Paragraph [0089]: the threat detection tools 314 may use event data provided by endpoints... to detect malicious software or potentially unsafe conditions for a network or endpoints connected to the network; and Paragraph [0382]: the method 2800 may also include displaying the composite threat score to a user in the user interface associated with the investigation container, or otherwise facilitating investigation and remediation of any related threats. The method 2800 may also include creating an alert or notification to a user when the composite threat score meets the predetermined threshold, such as a message containing a link to the investigation container (or a user interface displaying data from the investigation container); and Paragraph [0357]: The investigation container 2606 may advantageously be launched, e.g., when the composite threat score for a threat meets a predetermined threshold indicative of a high likelihood of malicious activity; and Paragraph [0136]: The user interface 900 may be provided, e.g., as a web page or other content presented from the threat management facility for display on a user device such as an end user endpoint). The motivation to combine the arts is the same as that of Claim 1. Regarding Claim 12: Diehl teaches a computer system located in a security network, comprising Diehl – Paragraph [0027]: Described herein are systems and methods for a distributed digital security system that can address these and other deficiencies of digital security systems; and Figure 1: Illustration of a distributed security system): one or more processors (Diehl – Paragraph [0214]: The one or more cloud computing elements 1600 can also include processor(s) 1606) executing remotely from one or more client computing devices coupled in communication with the security network (Diehl – Figure 1: Illustration of a distributed security system including a compute engine in a security network that is executed remotely from a client computing device); memory storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising (Diehl – Paragraph [0216]: In various examples, any or all of system memory 1602, removable storage 1608, and non-removable storage 1610, store computer-executable instructions which, when executed, implement some or all of the herein-described operations of the security network 106 and its cloud computing elements 1600): receiving an event stream (Diehl – Paragraph [0083]: In a cloud instance of the compute engine 102, in some example the event stream may be received via the storage engine 116) comprising event data associated with an occurrence of one or more events on the one or more client computing devices (Diehl – Paragraph [0083]: The event data 122 may have originated from an event detector 124 of a security agent 108 that initially detected or observed the occurrence of an event on a client device 104); generating a context collection comprising new event data based on the event data in the event stream (Diehl – Paragraph [0083]: The event data 122 may have originated from an event detector 124 of a security agent 108 that initially detected or observed the occurrence of an event on a client device 104, and/or may be event data 122 that has been produced using refinement operations 202 and/or composition operations 302 by the compute engine 102 or a different instance of the compute engine 102; and Paragraph [0035]: The event data 122 may also be referred to as a “context collection” of one or more data elements; Examiner’s Comment: event data produced using refinement operations and/or composition operations is interpreted as the claimed new event data), the context collection specifying a context collection format that defines data elements or attributes of the new event data (Diehl – Paragraph [0041]: [0041] An ontological definition 134 of a context collection format 136 can define data elements and/or a layout for corresponding event data 122. For example, an ontological definition 134 of a context collection format 136 can identify specific types of information, fields, or data elements that should be captured in event data 122 about a type of event that occurs on a client device 104. For example, although any number of attributes about an event that occurs on a client device 104 could be captured and stored in event data 122, an ontological definition 134 of a context collection format 136 can define which specific attributes about that event are to be recorded into event data 122 for further review and processing), and specifying a context collection interface that defines a minimum number of data elements in the new event data (Diehl – Paragraph [0044]: An ontological definition 134 of a context collection interface 138 can indicate a set of one or more data elements that a component of the distributed security system 100 expects to be present within event data 122 in order for the component to consume and/or process the event data 122. In particular, an ontological definition 134 of a context collection interface 138 can define a minimum set of data elements, such that event data 122 that includes that minimum set of data elements may satisfy the context collection interface 138); the context collection comprising the new event data (Diehl – Paragraph [0083]: The event data 122 may have originated from an event detector 124 of a security agent 108 that initially detected or observed the occurrence of an event on a client device 104, and/or may be event data 122 that has been produced using refinement operations 202 and/or composition operations 302 by the compute engine 102 or a different instance of the compute engine 102; and Paragraph [0035]: The event data 122 may also be referred to as a “context collection” of one or more data elements); the context collection comprising the new event data (Diehl – Paragraph [0083]: The event data 122 may have originated from an event detector 124 of a security agent 108 that initially detected or observed the occurrence of an event on a client device 104, and/or may be event data 122 that has been produced using refinement operations 202 and/or composition operations 302 by the compute engine 102 or a different instance of the compute engine 102; and Paragraph [0035]: The event data 122 may also be referred to as a “context collection” of one or more data elements). Diehl does not expressly teach applying the at least the portion of the new event data to the selected one or more of a plurality of machine learning models …; generating, by the selected one or more of the plurality of machine learning models of the security network, a prediction result that indicates whether the occurrence of the one or more events from which the new event data was generated represents one or more target behaviors, responsive to the applying the at least the portion of the new event data to the selected one or more of the plurality of machine learning models. However, Thomas teaches teach applying the at least the portion of the new event data to the selected one or more of a plurality of machine learning models … (Thomas – Paragraph [0256]: the threat management facility 1806 may be configured to calculate a composite threat score for a compute instance by mapping the security events in the event stream to an attack matrix that enumerates malware strategies in a first dimension and malware techniques for each of the malware strategies in a second dimension... The threat management facility 1806 may also or instead be configured to calculate the composite threat score by applying a machine learning algorithm to the pattern of traversal of the attack matrix to determine a likelihood of threat; and Paragraph [0085]: The threat management facility 308 may also or instead store and deploys a number of security tools such as a web-based user interface that is supported by machine learning models to aid in the identification and assessment of potential threats by a human user); generating, by the [selected] one or more of the plurality of machine learning models (Thomas – Paragraph [0085]: The threat management facility 308 may also or instead store and deploys a number of security tools such as a web-based user interface that is supported by machine learning models to aid in the identification and assessment of potential threats by a human user), a prediction result that indicates whether the occurrence of the one or more events from which the new event data was generated represents one or more target behaviors (Thomas – Paragraph [0256]: The threat management facility 1806 may also or instead be configured to calculate the composite threat score by applying a machine learning algorithm to the pattern of traversal of the attack matrix to determine a likelihood of threat; and Paragraph [0294]: the threat score may include a weighted sum of probabilities of different types of threats, as identified by a machine learning model. In another aspect, e.g., where a rules-based technique is used, the threat score may be based on a type of malware predicted using one or more detection rules, or as a weighted sum of probabilities for different types of threats indicated by the rules based technique), responsive to the applying the at least the portion of the new event data to the selected one or more of the plurality of machine learning models … (Thomas – Paragraph [0256]: the threat management facility 1806 may be configured to calculate a composite threat score for a compute instance by mapping the security events in the event stream to an attack matrix that enumerates malware strategies in a first dimension and malware techniques for each of the malware strategies in a second dimension... The threat management facility 1806 may also or instead be configured to calculate the composite threat score by applying a machine learning algorithm to the pattern of traversal of the attack matrix to determine a likelihood of threat; and Paragraph [0085]: The threat management facility 308 may also or instead store and deploys a number of security tools such as a web-based user interface that is supported by machine learning models to aid in the identification and assessment of potential threats by a human user). It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Diehl, further incorporating Thomas to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Thomas’s teaching of a predictions engine utilizing machine learning models remotely from client devices to detect potential malicious behavior into Diehl’s method for implementing a security network to detect anomalous behavior. This combination would provide the method with an enhanced capability to gain additional knowledge from event data useful for predicting malicious activity in the network. The combination of Diehl and Thomas does not expressly teach selecting one or more of a plurality of machine learning models to which to apply at least a portion of the new event data, according to [the context collection comprising the received new] event data; applying … event data to the selected one or more of the plurality of machine learning models according to [the context collection comprising the new] event data; and the selected one or more of the plurality of machine learning models according to [the context collection comprising the new] event data. However, Givental teaches selecting one or more of a plurality of machine learning models to which to apply at least a portion of the new event data, according to [the context collection comprising the received new] event data (Givental – Paragraph [0005]: The method further includes selecting, by the machine learning feature predictor, for a new input data instance, the selected features from the new input data instance and selecting a trained machine learning model from the plurality of the machine learning models trained based on the selected features; and Paragraph [0026]: An incoming log is analyzed by the feature predictor to derive a feature set to use when evaluating a security risk. Based on the feature set, a corresponding ML model can be selected that can optimally predict a threat disposition using that feature set. Once selected the ML can make a classification and produce a threat disposition, e.g., anomalous (security risk or threat) or non-anomalous. This mechanism enables different ML models to be utilized on different feature subsets within the log dataset. That is, while individual ML models may not perform well overall on all the features of the logs, they will perform well on particular types of features derived from the logs; and Paragraph [0034]: Using the feature set groupings 140, the feature predictor 150 can select the feature set that corresponds to the predicted security risk. The selected features 155 can then be used to select a corresponding ML model 165 from the ML model collection 160 that was trained using those features. The selected ML model 165 can then be used to generate a classification 180 for the incoming data 170); applying … event data to the selected one or more of the plurality of machine learning models according to [the context collection comprising the new] event data (Givental – Paragraph [0005]: The method further includes selecting, by the machine learning feature predictor, for a new input data instance, the selected features from the new input data instance and selecting a trained machine learning model from the plurality of the machine learning models trained based on the selected features; and Paragraph [0026]: An incoming log is analyzed by the feature predictor to derive a feature set to use when evaluating a security risk. Based on the feature set, a corresponding ML model can be selected that can optimally predict a threat disposition using that feature set. Once selected the ML can make a classification and produce a threat disposition, e.g., anomalous (security risk or threat) or non-anomalous. This mechanism enables different ML models to be utilized on different feature subsets within the log dataset. That is, while individual ML models may not perform well overall on all the features of the logs, they will perform well on particular types of features derived from the logs; and Paragraph [0034]: Using the feature set groupings 140, the feature predictor 150 can select the feature set that corresponds to the predicted security risk. The selected features 155 can then be used to select a corresponding ML model 165 from the ML model collection 160 that was trained using those features. The selected ML model 165 can then be used to generate a classification 180 for the incoming data 170); and the selected one or more of the plurality of machine learning models according to [the context collection comprising the new] event data (Givental – Paragraph [0005]: The method further includes selecting, by the machine learning feature predictor, for a new input data instance, the selected features from the new input data instance and selecting a trained machine learning model from the plurality of the machine learning models trained based on the selected features; and Paragraph [0026]: An incoming log is analyzed by the feature predictor to derive a feature set to use when evaluating a security risk. Based on the feature set, a corresponding ML model can be selected that can optimally predict a threat disposition using that feature set. Once selected the ML can make a classification and produce a threat disposition, e.g., anomalous (security risk or threat) or non-anomalous. This mechanism enables different ML models to be utilized on different feature subsets within the log dataset. That is, while individual ML models may not perform well overall on all the features of the logs, they will perform well on particular types of features derived from the logs; and Paragraph [0034]: Using the feature set groupings 140, the feature predictor 150 can select the feature set that corresponds to the predicted security risk. The selected features 155 can then be used to select a corresponding ML model 165 from the ML model collection 160 that was trained using those features. The selected ML model 165 can then be used to generate a classification 180 for the incoming data 170). It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Diehl and Thomas, further incorporating Givental to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Givental’s teaching to select a particular machine learning model based on an input set of features for making a prediction into Diehl and Thomas’s combined method for implementing a security network to detect anomalous behavior. A skilled artisan would find it obvious to apply the model selection techniques taught by Givental into the method for gathering, analyzing, and predicting outcomes taught by the combination of Diehl and Thomas. This combination results in the obvious benefit of optimized classifications/evaluations based on fine-grained feature sets and corresponding models tailored to specific risks or threats. Regarding Claim 16: The combination of Diehl, Thomas, and Givental teaches the computer system of claim 12. Diehl further teaches wherein generating the context collection comprising the new event data based on the event data in the event stream, comprises (Diehl – Paragraph [0083]: The event data 122 may have originated from an event detector 124 of a security agent 108 that initially detected or observed the occurrence of an event on a client device 104, and/or may be event data 122 that has been produced using refinement operations 202 and/or composition operations 302 by the compute engine 102 or a different instance of the compute engine 102; and Paragraph [0035]: The event data 122 may also be referred to as a “context collection” of one or more data elements; Examiner’s Comment: event data produced using refinement operations and/or composition operations is interpreted as the claimed new event data) generating through at least one of one or more query operations, one or more refinement operations, or one or more composition operations, the context collection comprising the new event data (Diehl – Paragraph [0051]: a compute engine 102 and/or other elements of the distributed security system 100 can process incoming event data 122 to generate new event data 122, for example by refining and/or combining received event data 122 using refinement operations and/or composition operations) based on the event data in the event stream (Diehl – Paragraph [0066]: compute engine 102 can process event data 122 in an event stream using refinements and/or compositions of a fundamental model according to instructions provided in a configuration 132). The motivation to combine the arts is the same as that of Claim 12. Regarding Claim 17: Diehl teaches one or more non-transitory computer-readable media storing computer-executable instructions for one or more computing elements (Diehl – Paragraph [0216]: System memory 1602, removable storage 1608 and non-removable storage 1610 are all examples of computer-readable storage media. Computer-readable storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the one or more cloud computing elements 1600 … In various examples, any or all of system memory 1602, removable storage 1608, and non-removable storage 1610, store computer-executable instructions which, when executed, implement some or all of the herein-described operations of the security network 106 and its cloud computing elements 1600) located in a security network remotely from one or more client computing devices coupled in communication with the security network (Diehl – Figure 1: Illustration of a distributed security system including a compute engine in a security network that is situated remotely from a client computing device) that, when executed by one or more processors of the one or more computing elements, cause the one or more computing elements to perform operations comprising (Diehl – Paragraph [0216]: In various examples, any or all of system memory 1602, removable storage 1608, and non-removable storage 1610, store computer-executable instructions which, when executed, implement some or all of the herein-described operations of the security network 106 and its cloud computing elements 1600): receiving an event stream (Diehl – Paragraph [0083]: In a cloud instance of the compute engine 102, in some example the event stream may be received via the storage engine 116) comprising event data associated with an occurrence of one or more events on one or more client computing devices (Diehl – Paragraph [0083]: The event data 122 may have originated from an event detector 124 of a security agent 108 that initially detected or observed the occurrence of an event on a client device 104); generating a context collection comprising new event data based on the event data in the event stream (Diehl – Paragraph [0083]: The event data 122 may have originated from an event detector 124 of a security agent 108 that initially detected or observed the occurrence of an event on a client device 104, and/or may be event data 122 that has been produced using refinement operations 202 and/or composition operations 302 by the compute engine 102 or a different instance of the compute engine 102; and Paragraph [0035]: The event data 122 may also be referred to as a “context collection” of one or more data elements; Examiner’s Comment: event data produced using refinement operations and/or composition operations is interpreted as the claimed new event data), the context collection specifying a context collection format that defines data elements or attributes of the new event data (Diehl – Paragraph [0041]: [0041] An ontological definition 134 of a context collection format 136 can define data elements and/or a layout for corresponding event data 122. For example, an ontological definition 134 of a context collection format 136 can identify specific types of information, fields, or data elements that should be captured in event data 122 about a type of event that occurs on a client device 104. For example, although any number of attributes about an event that occurs on a client device 104 could be captured and stored in event data 122, an ontological definition 134 of a context collection format 136 can define which specific attributes about that event are to be recorded into event data 122 for further review and processing), and specifying a context collection interface that defines a minimum number of data elements in the new event data (Diehl – Paragraph [0044]: An ontological definition 134 of a context collection interface 138 can indicate a set of one or more data elements that a component of the distributed security system 100 expects to be present within event data 122 in order for the component to consume and/or process the event data 122. In particular, an ontological definition 134 of a context collection interface 138 can define a minimum set of data elements, such that event data 122 that includes that minimum set of data elements may satisfy the context collection interface 138); the context collection comprising the new event data (Diehl – Paragraph [0083]: The event data 122 may have originated from an event detector 124 of a security agent 108 that initially detected or observed the occurrence of an event on a client device 104, and/or may be event data 122 that has been produced using refinement operations 202 and/or composition operations 302 by the compute engine 102 or a different instance of the compute engine 102; and Paragraph [0035]: The event data 122 may also be referred to as a “context collection” of one or more data elements); the context collection comprising the new event data (Diehl – Paragraph [0083]: The event data 122 may have originated from an event detector 124 of a security agent 108 that initially detected or observed the occurrence of an event on a client device 104, and/or may be event data 122 that has been produced using refinement operations 202 and/or composition operations 302 by the compute engine 102 or a different instance of the compute engine 102; and Paragraph [0035]: The event data 122 may also be referred to as a “context collection” of one or more data elements). Diehl does not expressly teach applying the at least the portion of the new event data to the selected one or more of a plurality of machine learning models …; generating, by the selected one or more of the plurality of machine learning models of the security network, a prediction result that indicates whether the occurrence of the one or more events from which the new event data was generated represents one or more target behaviors, responsive to the applying the at least the portion of the new event data to the selected one or more of the plurality of machine learning models. However, Thomas teaches teach applying the at least the portion of the new event data to the selected one or more of a plurality of machine learning models … (Thomas – Paragraph [0256]: the threat management facility 1806 may be configured to calculate a composite threat score for a compute instance by mapping the security events in the event stream to an attack matrix that enumerates malware strategies in a first dimension and malware techniques for each of the malware strategies in a second dimension... The threat management facility 1806 may also or instead be configured to calculate the composite threat score by applying a machine learning algorithm to the pattern of traversal of the attack matrix to determine a likelihood of threat; and Paragraph [0085]: The threat management facility 308 may also or instead store and deploys a number of security tools such as a web-based user interface that is supported by machine learning models to aid in the identification and assessment of potential threats by a human user); generating, by the [selected] one or more of the plurality of machine learning models (Thomas – Paragraph [0085]: The threat management facility 308 may also or instead store and deploys a number of security tools such as a web-based user interface that is supported by machine learning models to aid in the identification and assessment of potential threats by a human user), a prediction result that indicates whether the occurrence of the one or more events from which the new event data was generated represents one or more target behaviors (Thomas – Paragraph [0256]: The threat management facility 1806 may also or instead be configured to calculate the composite threat score by applying a machine learning algorithm to the pattern of traversal of the attack matrix to determine a likelihood of threat; and Paragraph [0294]: the threat score may include a weighted sum of probabilities of different types of threats, as identified by a machine learning model. In another aspect, e.g., where a rules-based technique is used, the threat score may be based on a type of malware predicted using one or more detection rules, or as a weighted sum of probabilities for different types of threats indicated by the rules based technique), responsive to the applying the at least the portion of the new event data to the selected one or more of the plurality of machine learning models … (Thomas – Paragraph [0256]: the threat management facility 1806 may be configured to calculate a composite threat score for a compute instance by mapping the security events in the event stream to an attack matrix that enumerates malware strategies in a first dimension and malware techniques for each of the malware strategies in a second dimension... The threat management facility 1806 may also or instead be configured to calculate the composite threat score by applying a machine learning algorithm to the pattern of traversal of the attack matrix to determine a likelihood of threat; and Paragraph [0085]: The threat management facility 308 may also or instead store and deploys a number of security tools such as a web-based user interface that is supported by machine learning models to aid in the identification and assessment of potential threats by a human user). It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Diehl, further incorporating Thomas to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Thomas’s teaching of a predictions engine utilizing machine learning models remotely from client devices to detect potential malicious behavior into Diehl’s method for implementing a security network to detect anomalous behavior. This combination would provide the method with an enhanced capability to gain additional knowledge from event data useful for predicting malicious activity in the network. The combination of Diehl and Thomas does not expressly teach selecting one or more of a plurality of machine learning models to which to apply at least a portion of the new event data, according to [the context collection comprising the new] event data; applying … event data to the selected one or more of the plurality of machine learning models according to [the context collection]; and the selected one or more of the plurality of machine learning models according to [the context collection comprising the new] event data. However, Givental teaches selecting one or more of a plurality of machine learning models to which to apply at least a portion of the new event data, according to [the context collection comprising the new] event data (Givental – Paragraph [0005]: The method further includes selecting, by the machine learning feature predictor, for a new input data instance, the selected features from the new input data instance and selecting a trained machine learning model from the plurality of the machine learning models trained based on the selected features; and Paragraph [0026]: An incoming log is analyzed by the feature predictor to derive a feature set to use when evaluating a security risk. Based on the feature set, a corresponding ML model can be selected that can optimally predict a threat disposition using that feature set. Once selected the ML can make a classification and produce a threat disposition, e.g., anomalous (security risk or threat) or non-anomalous. This mechanism enables different ML models to be utilized on different feature subsets within the log dataset. That is, while individual ML models may not perform well overall on all the features of the logs, they will perform well on particular types of features derived from the logs; and Paragraph [0034]: Using the feature set groupings 140, the feature predictor 150 can select the feature set that corresponds to the predicted security risk. The selected features 155 can then be used to select a corresponding ML model 165 from the ML model collection 160 that was trained using those features. The selected ML model 165 can then be used to generate a classification 180 for the incoming data 170); applying … event data to the selected one or more of the plurality of machine learning models according to [the context collection] (Givental – Paragraph [0005]: The method further includes selecting, by the machine learning feature predictor, for a new input data instance, the selected features from the new input data instance and selecting a trained machine learning model from the plurality of the machine learning models trained based on the selected features; and Paragraph [0026]: An incoming log is analyzed by the feature predictor to derive a feature set to use when evaluating a security risk. Based on the feature set, a corresponding ML model can be selected that can optimally predict a threat disposition using that feature set. Once selected the ML can make a classification and produce a threat disposition, e.g., anomalous (security risk or threat) or non-anomalous. This mechanism enables different ML models to be utilized on different feature subsets within the log dataset. That is, while individual ML models may not perform well overall on all the features of the logs, they will perform well on particular types of features derived from the logs; and Paragraph [0034]: Using the feature set groupings 140, the feature predictor 150 can select the feature set that corresponds to the predicted security risk. The selected features 155 can then be used to select a corresponding ML model 165 from the ML model collection 160 that was trained using those features. The selected ML model 165 can then be used to generate a classification 180 for the incoming data 170); and the selected one or more of the plurality of machine learning models according to [the context collection comprising the new] event data (Givental – Paragraph [0005]: The method further includes selecting, by the machine learning feature predictor, for a new input data instance, the selected features from the new input data instance and selecting a trained machine learning model from the plurality of the machine learning models trained based on the selected features; and Paragraph [0026]: An incoming log is analyzed by the feature predictor to derive a feature set to use when evaluating a security risk. Based on the feature set, a corresponding ML model can be selected that can optimally predict a threat disposition using that feature set. Once selected the ML can make a classification and produce a threat disposition, e.g., anomalous (security risk or threat) or non-anomalous. This mechanism enables different ML models to be utilized on different feature subsets within the log dataset. That is, while individual ML models may not perform well overall on all the features of the logs, they will perform well on particular types of features derived from the logs; and Paragraph [0034]: Using the feature set groupings 140, the feature predictor 150 can select the feature set that corresponds to the predicted security risk. The selected features 155 can then be used to select a corresponding ML model 165 from the ML model collection 160 that was trained using those features. The selected ML model 165 can then be used to generate a classification 180 for the incoming data 170). It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Diehl and Thomas, further incorporating Givental to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Givental’s teaching to select a particular machine learning model based on an input set of features for making a prediction into Diehl and Thomas’s combined method for implementing a security network to detect anomalous behavior. A skilled artisan would find it obvious to apply the model selection techniques taught by Givental into the method for gathering, analyzing, and predicting outcomes taught by the combination of Diehl and Thomas. This combination results in the obvious benefit of optimized classifications/evaluations based on fine-grained feature sets and corresponding models tailored to specific risks or threats. Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Diehl, in view of Thomas, Givental, and Nguyen et al. (US 20200314117 A1), hereinafter Nguyen. Regarding Claim 11: The combination of Diehl, Thomas, and Givental teaches the computer-implemented method of Claim 1. Thomas further teaches receiving, from the security network (Thomas – Figure 1: block diagram of a threat management system), the prediction result (Thomas – Paragraph [0382]: the method 2800 may also include displaying the composite threat score to a user in the user interface associated with the investigation container, or otherwise facilitating investigation and remediation of any related threats. The method 2800 may also include creating an alert or notification to a user when the composite threat score meets the predetermined threshold, such as a message containing a link to the investigation container (or a user interface displaying data from the investigation container); and Paragraph [0136]: The user interface 900 may be provided, e.g., as a web page or other content presented from the threat management facility for display on a user device such as an end user endpoint). The combination of Diehl, Thomas, and Givental does not expressly teach further comprising generating behavior detection logic, by the one or more client computing devices, for the one or more client computing devices to execute, responsive to [receiving, from the security network, the prediction result]. However, Nguyen teaches further comprising generating behavior detection logic (Nguyen – Paragraph [0105]: the mitigation module 234 can receive an indication that an event is associated with a security violation, or an indication of a mitigation action to take. The indication can be, e.g., output 242. The mitigation module 234 can then take action to reduce negative effects a dirty process, data stream, or other system component related to the event may cause. For example … mitigation module 234 can take action to monitor a security violation in more detail (e.g., to collect stack traces or profiling data of a process) in order to permit more effectively reducing the negative effects of that security violation), by the one or more client computing devices (Nguyen – Paragraph [0076]: Computer-executable instructions or other data stored on CRM 214 can include instructions of the… mitigation module 234… Processing unit(s) 210 can be configured to execute modules of the plurality of modules. For example, the computer-executable instructions stored on the CRM 214 can upon execution configure a computer such as a computing device 200 to perform operations described herein with reference to the modules of the plurality of modules), for the one or more client computing devices to execute (Nguyen – Paragraph [0076]: Computer-executable instructions or other data stored on CRM 214 can include instructions of the… mitigation module 234… Processing unit(s) 210 can be configured to execute modules of the plurality of modules. For example, the computer-executable instructions stored on the CRM 214 can upon execution configure a computer such as a computing device 200 to perform operations described herein with reference to the modules of the plurality of modules), responsive to receiving, from the security network (Nguyen – Figure 1: diagram of scenario for performing security analysis of network events), the prediction result (Nguyen – Paragraph [0105]: the mitigation module 234 can receive an indication that an event is associated with a security violation, or an indication of a mitigation action to take. The indication can be, e.g., output 242. The mitigation module 234 can then take action to reduce negative effects a dirty process, data stream, or other system component related to the event may cause). It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Diehl, Thomas, and Givental, further incorporating Nguyen to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Nguyen’s teaching to trigger a further behavior detection action in a computing device after receiving a notification of anomalous activity into Diehl, Thomas, and Givental’s combined method for implementing a security network to detect anomalous behavior. This combined functionality would provide devices within the security network with their own capability to investigate detected anomalous behaviors. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Coleman et al. (US 20190028492 A1) teaches systems and methods for triggering preemptive alerts based on detecting potential malicious behavior based on risk predictions generated by selected machine learning models and input features Zawaod et al. (US 20190387005 A1) teaches a system and method for evaluating malicious activity in a network based on extracted feature sets and machine learning models corresponding thereto Arcot Omkar et al. (US 20230359737 A1) teaches a system for monitoring user events to detect potentially malicious behavior, including the selection of at least one machine learning model to make a prediction based on an event type Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to NICHOLAS JOSEPH DILUZIO whose telephone number is (703)756-1229. The examiner can normally be reached Mon - Fri -- 7:30 AM - 5 PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached at 571-272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /NICHOLAS JOSEPH DILUZIO/Examiner, Art Unit 2498 /YIN CHEN SHAW/Supervisory Patent Examiner, Art Unit 2498
Read full office action

Prosecution Timeline

Show 2 earlier events
Oct 30, 2024
Response Filed
Jan 24, 2025
Final Rejection mailed — §103
Apr 23, 2025
Response after Non-Final Action
Jun 20, 2025
Request for Continued Examination
Jun 25, 2025
Response after Non-Final Action
Aug 25, 2025
Non-Final Rejection mailed — §103
Jan 13, 2026
Response Filed
Apr 07, 2026
Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12596792
DATA ENCRYPTION DETECTION
4y 0m to grant Granted Apr 07, 2026
Patent 12490087
AUTHENTICATION SERVER FUNCTION SELECTION IN AN AUTHENTICATION AND KEY AGREEMENT
3y 6m to grant Granted Dec 02, 2025
Patent 12475218
METHOD AND SYSTEM FOR IDENTIFYING A COMPROMISED POINT-OF-SALE TERMINAL NETWORK
3y 0m to grant Granted Nov 18, 2025
Patent 12367440
ARTIFICIAL INTELLIGENCE-BASED SYSTEM AND METHOD FOR FACILITATING MANAGEMENT OF THREATS FOR AN ORGANIZATON
2y 11m to grant Granted Jul 22, 2025
Patent 11966466
UNIFIED WORKLOAD RUNTIME PROTECTION
2y 3m to grant Granted Apr 23, 2024
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

5-6
Expected OA Rounds
31%
Grant Probability
99%
With Interview (+100.0%)
3y 0m (~0m remaining)
Median Time to Grant
High
PTA Risk
Based on 13 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month