Prosecution Insights
Last updated: May 29, 2026
Application No. 18/130,218

THREAT MITIGATION SYSTEM AND METHOD

Status: Non-Final OA §103
Filed: Apr 03, 2023
Priority: Apr 01, 2022 (provisional 63/326,375)
Examiner: KORSAK, OLEG
Art Unit: 2492
Tech Center: 2400 (Computer Networks)
Assignee: Reliaquest Holdings LLC
OA Round: 9 (Non-Final)
Grant Probability: 86% (Favorable)
OA Rounds: 9-10
Est. Remaining: 0m
With Interview: 94%

Examiner Intelligence

Career Allowance Rate: 86% (816 granted / 953 resolved; +27.6% vs Tech Center average; above average)
Interview Lift: +8.4% (moderate; resolved cases with interview vs. without)
Avg Prosecution: 2y 6m (33 currently pending)
Total Applications: 983 across all art units

Statute-Specific Performance

§101: 1.4% (-38.6% vs TC avg)
§103: 51.2% (+11.2% vs TC avg)
§102: 13.7% (-26.3% vs TC avg)
§112: 2.4% (-37.6% vs TC avg)
Based on career data from 953 resolved cases; the Tech Center average used for comparison is an estimate.

Office Action

§103
DETAILED ACTION

A Request for Continued Examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous office action has been withdrawn pursuant to 37 CFR 1.114. Applicant’s submission filed on April 16, 2026 has been entered.

Claims 1, 4-11, 14-21, and 24-30 are currently pending and directed toward a THREAT MITIGATION SYSTEM AND METHOD. Any claim objection/rejection not repeated below is withdrawn due to Applicant's amendment.

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Response to Arguments

Applicant’s arguments with regards to claims 1, 4-11, 14-21, and 24-30 have been fully considered, but they are moot, because of new grounds of rejection.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4-11, 14-21, and 24-30 are rejected under 35 U.S.C. 103 as being unpatentable over Murphy (US 2021/0160274, Pub. Date: May 27, 2021) from IDS, in view of LIU et al. (A Review of Rule Learning-Based Intrusion Detection Systems and Their Prospects in Smart Grids, IEEE Access, April 20, 2021, pages 57542-57564), hereinafter referred to as Murphy and LIU.

As per claim 1, Murphy teaches a computer-implemented method, executed on a computing device, comprising: defining a universal detection rule for execution on a computing platform (defining a unified query on a unified platform concerning the plurality of security-relevant subsystems; Murphy, Claim 1), wherein the universal detection rule is configured to detect when malicious activity occurs on the computing platform (Referring also to FIG. 30, threat mitigation process 10 may be configured to automatically classify and investigate a detected security event. As discussed above and in response to a security event being detected, threat mitigation process 10 may obtain 1550 one or more artifacts (e.g., artifacts 250) concerning the detected security event. Examples of such a detected security event may include but are not limited to one or more of: access auditing; anomalies; authentication; denial of services; exploitation; malware; phishing; spamming; reconnaissance; and web attack., Murphy, [0242]); processing the universal detection rule to generate a first detection rule that is executable on a first security-relevant subsystem within the computing platform (denormalizing the unified query to define a subsystem-specific query for each of the plurality of security-relevant subsystems, thus defining a plurality of subsystem-specific queries; Murphy, Claim 1); providing the first detection rule to the first security-relevant subsystem for execution on the first security-relevant subsystem (providing the plurality of subsystem-specific queries to the plurality of security-relevant subsystems. Murphy, Claim 1); detecting a plurality of security events (For example, security-relevant subsystem 1650 may generate subsystem specific result set 1696, security-relevant subsystem 1652 may generate subsystem-specific result set 1698, and security-relevant subsystem 1654 may generate subsystem-specific result set 1700. Murphy, [0327], for a specific example see also [0159]) occurring on the first security-relevant subsystem (Threat mitigation process 10 may denormalize 1616 the unified query (e.g., query 1694) to define a subsystem-specific query for each of the plurality of security relevant subsystems (e.g., security-relevant subsystem 1650, security-relevant subsystem 1652 and security-relevant subsystem 1654), thus defining a plurality of subsystem-specific queries (e.g., subsystem-specific queries 1702, 1704, 1706). Murphy, [0316]) using the first detection rule, thus defining a first plurality of detection events (when denormalizing 1616 the unified query (e.g., query 1694) to define a plurality of subsystem-specific queries (e.g., subsystem-specific queries 1702, 1704, 1706), threat mitigation process 10 may translate 1618 the syntax of the unified query (e.g., query 1694) so that: [0323] subsystem-specific query 1702 has a first structure and/or utilizes a first nomenclature; [0324] subsystem-specific query 1704 has a second structure and/or utilizes a second nomenclature; [0325] subsystem-specific query 1706 has a third structure and/or utilizes a third nomenclature. Murphy, [0322]-[0325]); processing the universal detection rule to generate a second detection rule that is executable on a second security-relevant subsystem within the computing platform (denormalizing the unified query to define a subsystem-specific query for each of the plurality of security-relevant subsystems, thus defining a plurality of subsystem-specific queries; Murphy, Claim 1); providing the second detection rule to the second security-relevant subsystem for execution on the second security-relevant subsystem (providing the plurality of subsystem-specific queries to the plurality of security-relevant subsystems. Murphy, Claim 1); and detecting a plurality of security events (For example, security-relevant subsystem 1650 may generate subsystem specific result set 1696, security-relevant subsystem 1652 may generate subsystem-specific result set 1698, and security-relevant subsystem 1654 may generate subsystem-specific result set 1700. Murphy, [0327], for a specific example see also [0159]) occurring on the second security-relevant subsystem (Threat mitigation process 10 may denormalize 1616 the unified query (e.g., query 1694) to define a subsystem-specific query for each of the plurality of security relevant subsystems (e.g., security-relevant subsystem 1650, security-relevant subsystem 1652 and security-relevant subsystem 1654), thus defining a plurality of subsystem-specific queries (e.g., subsystem-specific queries 1702, 1704, 1706). Murphy, [0316]) using the second detection rule, thus defining a second plurality of detection events (when denormalizing 1616 the unified query (e.g., query 1694) to define a plurality of subsystem-specific queries (e.g., subsystem-specific queries 1702, 1704, 1706), threat mitigation process 10 may translate 1618 the syntax of the unified query (e.g., query 1694) so that: [0323] subsystem-specific query 1702 has a first structure and/or utilizes a first nomenclature; [0324] subsystem-specific query 1704 has a second structure and/or utilizes a second nomenclature; [0325] subsystem-specific query 1706 has a third structure and/or utilizes a third nomenclature. Murphy, [0322]-[0325]);

receiving the first plurality of detection events from the first detection rule executed on the first security-relevant subsystem, wherein the first plurality of detection events concerns a plurality of security events occurring on the first security-relevant subsystem (receiving a plurality of subsystem-specific results sets from the plurality of security-relevant subsystems that were generated in response to the plurality of subsystem-specific queries. Murphy, Claim 3); identifying two or more associated detection events included within the first plurality of detection events (Threat mitigation process 10 may receive 1006 plurality of result sets 266 from the plurality of security-relevant subsystems, Murphy, [0180]); grouping the two or more associated detection events to define a single security incident bound together (Threat mitigation process 10 may then combine 1008 plurality of result sets 266 to form unified query result 268. Murphy, [0180]) based upon one or more of common artifacts and log entries (When combining 1008 plurality of result sets 266 to form unified query result 268, threat mitigation process 10 may homogenize 1010 plurality of result sets 266 to form unified query result 268. For example, threat mitigation process 10 may process one or more discrete result sets included within plurality of result sets 266 so that the discrete result sets within plurality of result sets 266 all have a common format, a common nomenclature, and/or a common structure. Murphy, [0180], see also [0234] for log files) that represent a single malicious action or actor (assuming that it is determined that the streaming of the content is very concerning, as the content is high value and the recipient is a known bad actor. Murphy, [0166]); building an event repository from one or more of the first plurality of detection events and the second plurality of detection events (Further and as discussed above, threat mitigation process 10 may process 1452 this platform information (e.g., log files) to generate processed platform information. And when processing 1452 this platform information (e.g., log files) to generate processed platform information, threat mitigation process 10 may: parse 1454 the platform information (e.g., log files) into a plurality of subcomponents (e.g., columns, rows, etc.) to allow for compensation of varying formats and/or nomenclature; enrich 1456 the platform information (e.g., log files) by including supplemental information from external information resources; Murphy, [0238]); and utilizing machine learning to review the event repository (utilize 1458 artificial intelligence/machine learning (in the manner described above) to identify one or more patterns/trends within the platform information (e.g., log files). Murphy, [0238]) to extract attack patterns (Referring also to FIG. 30, threat mitigation process 10 may be configured to automatically classify and investigate a detected security event. As discussed above and in response to a security event being detected, threat mitigation process 10 may obtain 1550 one or more artifacts (e.g., artifacts 250) concerning the detected security event. Examples of such a detected security event may include but are not limited to one or more of: access auditing; anomalies; authentication; denial of services; exploitation; malware; phishing; spamming; reconnaissance; and web attack. These artifacts (e.g., artifacts 250) may be obtained 1550 from a plurality of sources associated with the computing platform, wherein examples of such plurality of sources may include but are not limited to the various log files maintained by SIEM system 230, and the various log files directly maintained by the security-relevant subsystems. Murphy, [0242]); analyzing the extracted attack patterns (security-relevant information that e.g., defines the symptoms of e.g., a Denial of Services attack and security-relevant rules that define the behavior of e.g., a Denial of Services attack may be utilized by threat mitigation process, Murphy, [0220]); but does not teach modification of rules, LIU however teaches defining a new detection rule based upon, at least in part, the analyzed extracted attack patterns (Unlike descriptive rule learning, predictive rule learning often confronts two types of problems, i.e., multiple rules fire on the same new example, and no rule fires on a new example. In the former case, more than one rule firing on a single example can cause contradiction, and this conflict is resolved either by preferring rules with higher importance or by extracting a separate rule set for handling contradictory predictions. Like in expert systems [38], top-level control parameters are used to handle rule contradictions. The second problem is tackled either by a pre-defined default rule favoring the majority class or by more complex algorithms finding the closest rule, LIU, page 57547).

Murphy in view of LIU are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Murphy in view of LIU. This would have been desirable because profiles or rules for attack detection can be specified by using expert knowledge and/or by learning from only limited amount of data. Violation against constructed normal profiles or rules is considered as malicious. Specification based IDS differ from their anomaly based counterparts from the aspect that they try to construct declarative knowledge instead of a set of procedures that does not have any contextual meaning, (LIU, page 57545).

As per claim 4, Murphy in view of LIU teaches the computer-implemented method of claim 1 wherein one or more artifacts and log entries are associated with each of first plurality of detection events (As discussed above, threat mitigation process 10 may obtain 954 at least one security-relevant information set (e.g., a log file) from each of the plurality of security-relevant subsystems (e.g., CDN system; DAM system; UBA system; MDM system; IAM system; and DNS system), thus defining plurality of security-relevant information sets 258. Murphy, [0183]).

As per claim 5, Murphy in view of LIU teaches the computer-implemented method of claim 4 wherein: identifying two or more associated detection events included within the first plurality of detection events includes: identifying two or more detection events included within the first plurality of detection events that have common artifacts and log entries (Threat mitigation process 10 may process 1050 plurality of security-relevant information sets 258 using artificial learning/machine learning to identify one or more commonalities amongst plurality of security-relevant information sets 258. Murphy, [0184]); and grouping the two or more associated detection events to define a security incident includes: grouping the one or more artifacts and log entries associated with each of the two or more associated detection events to form an artifact/log entry set for the security incident (Threat mitigation process 10 may combine 1054 plurality of security-relevant information sets 258 to form aggregated security-relevant information set 260 for computing platform 60 based, at least in part, upon the one or more commonalities identified. Murphy, [0185]).

Claims 6-11, 14-21, and 24-30 have limitations similar to those treated in the above rejection, and are met by the references as discussed above, and are rejected for the same reasons of anticipation as used above.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLEG KORSAK whose telephone number is (571)270-1938. The examiner can normally be reached on 5:00 AM - 4:00 PM. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal Dharia can be reached on (571) 272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/OLEG KORSAK/ Primary Examiner, Art Unit 2492
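The limitation chain the examiner maps above for claim 1 (a universal detection rule, denormalized into a first and a second subsystem-specific rule, executed on each subsystem, with the returned detection events bound into one incident by a common artifact) has the same shape as what detection engineers already do with a vendor-neutral rule format such as Sigma and its per-backend converters. The block below is an added illustration of that flow written for this page; it is not code from the application, from Murphy, or from ReliaQuest. The universal-rule vocabulary, the two backends ("edr" and "siem"), their field names and query syntax, and the sample telemetry are all constructed assumptions, and the machine-learning review of the event repository is not modeled.

```python
"""Constructed example of a universal detection rule translated into two
subsystem-specific rules, executed per subsystem, and correlated into one
incident by a shared artifact.  Not the application's, Murphy's or any
vendor's code; every backend name, field name and event is an assumption."""
from collections import defaultdict

# Universal rule in an assumed neutral field vocabulary.
UNIVERSAL_RULE = {
    "name": "encoded_powershell",
    "conditions": {
        "process.name": ("equals", "powershell.exe"),
        "process.cmdline": ("contains", "-EncodedCommand"),
    },
}

# Assumed per-subsystem field names and query syntax; real products differ.
SUBSYSTEMS = {
    "edr": {
        "fields": {"process.name": "ProcessName",
                   "process.cmdline": "CommandLine", "host": "Hostname"},
        "equals": '{f} == "{v}"',
        "contains": '{f} contains "{v}"',
        "joiner": " AND ",
    },
    "siem": {
        "fields": {"process.name": "proc", "process.cmdline": "cmd",
                   "host": "src_host"},
        "equals": '{f}="{v}"',
        "contains": '{f}="*{v}*"',
        "joiner": " ",
    },
}


def translate(rule, subsystem):
    """Denormalize the universal rule into the subsystem's own rule syntax."""
    spec = SUBSYSTEMS[subsystem]
    clauses = [spec[op].format(f=spec["fields"][fld], v=val)
               for fld, (op, val) in rule["conditions"].items()]
    return spec["joiner"].join(clauses)


def run_rule(rule, subsystem, native_events):
    """Simulate the subsystem executing the translated rule over its own
    events and normalize each hit back into a detection event."""
    fields = SUBSYSTEMS[subsystem]["fields"]
    hits = []
    for ev in native_events:
        matched = True
        for fld, (op, val) in rule["conditions"].items():
            actual = ev.get(fields[fld], "")
            if (op == "equals" and actual != val) or \
               (op == "contains" and val not in actual):
                matched = False
                break
        if matched:
            hits.append({"rule": rule["name"], "subsystem": subsystem,
                         "host": ev[fields["host"]], "raw": ev})
    return hits


def group_into_incidents(detections, artifact="host"):
    """Bind detection events that share a common artifact into one incident."""
    buckets = defaultdict(list)
    for det in detections:
        buckets[det[artifact]].append(det)
    return [{"artifact": key, "events": evs,
             "subsystems": sorted({d["subsystem"] for d in evs})}
            for key, evs in buckets.items()]


# Constructed sample telemetry in each subsystem's native schema.
EDR_EVENTS = [
    {"Hostname": "ws-17", "ProcessName": "powershell.exe",
     "CommandLine": "powershell -EncodedCommand SQBFAFgA..."},
    {"Hostname": "ws-04", "ProcessName": "notepad.exe",
     "CommandLine": "notepad.exe"},
]
SIEM_EVENTS = [
    {"src_host": "ws-17", "proc": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA..."},
    {"src_host": "ws-22", "proc": "powershell.exe",
     "cmd": "powershell.exe -File backup.ps1"},
]


def pipeline():
    """Full flow: translate, execute on both subsystems, correlate."""
    detections = (run_rule(UNIVERSAL_RULE, "edr", EDR_EVENTS)
                  + run_rule(UNIVERSAL_RULE, "siem", SIEM_EVENTS))
    return group_into_incidents(detections)


if __name__ == "__main__":
    for name in SUBSYSTEMS:
        print(f"{name}: {translate(UNIVERSAL_RULE, name)}")
    for inc in pipeline():
        print(inc["artifact"], inc["subsystems"], len(inc["events"]))
```

Running the module prints the two translated rules and a single incident for host ws-17 that spans both subsystems; the notepad and backup-script events do not match. Correlating on hostname alone is deliberately minimal: in practice the binding artifact set would include user, process lineage and a time window, and a rule that fires in only one subsystem should still surface as its own incident rather than being suppressed for lack of cross-subsystem agreement.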

Prosecution Timeline

Aug 27, 2025
Response after Non-Final Action
Sep 18, 2025
Non-Final Rejection mailed — §103
Dec 17, 2025
Response Filed
Jan 20, 2026
Final Rejection mailed — §103
Mar 20, 2026
Response after Non-Final Action
Apr 16, 2026
Request for Continued Examination
Apr 26, 2026
Response after Non-Final Action
May 11, 2026
Non-Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12641123: ADVANCED DETECTION OF IDENTITY-BASED ATTACKS TO ASSURE IDENTITY FIDELITY IN INFORMATION TECHNOLOGY ENVIRONMENTS (3y 7m to grant; granted May 26, 2026)
Patent 12639448: DEFINING A SECURITY PERIMETER USING KNOWLEDGE OF USER BEHAVIOR WITHIN A CONTENT MANAGEMENT SYSTEM (2y 11m to grant; granted May 26, 2026)
Patent 12640906: CIPHERTEXT CONVERSION SYSTEM, CIPHERTEXT CONVERSION METHOD, AND NON-TRANSITORY COMPUTER READABLE MEDIUM (1y 9m to grant; granted May 26, 2026)
Patent 12632597: COMPUTER-IMPLEMENTED PRIVACY ENGINEERING SYSTEM AND METHOD (2y 10m to grant; granted May 19, 2026)
Patent 12634349: Systems and methods for abnormal Classless Inter-Domain Routing (CIDR) access detection (2y 6m to grant; granted May 19, 2026)
Based on this examiner's 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 9-10
Grant Probability: 86%
With Interview: 94% (+8.4%)
Median Time to Grant: 2y 6m (~0m remaining)
PTA Risk: High
Based on 953 resolved cases by this examiner. Grant probability derived from career allowance rate.
