DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to Application 18972449 filed on 12/06/2024. Claims 1 and 10-11 are independent claims. Claims 1-11 have been examined and are pending in this application. This Office Action is made Non-Final.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 02/19/2025 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitations are: “a receiver [] receives” recited in claim 1; “a similarity calculator [] calculates” recited in claims 1-5 and 7-8; “a first determiner [] determines” recited in claim 1; “a second determiner [] determines” recited in claim 6; “an extractor [] extracts” recited in claim 7.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
Claim Rejections – 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-11 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter, namely an abstract idea without being integrated into a practical application or significantly more.
Regarding claims 1 and 10-11, the claims are directed to an abstract idea in reciting the limitations “calculates a similarity between the first alert and the second alert” and “determines whether the first alert and the second alert are alerts generated by detecting a same threat.” The aforementioned steps are a “mental process,” since, as broadly interpreted, they could be performed in the human mind. Therefore, the claims recite an abstract idea.
Said abstract idea and/or judicial exception is not integrated into a practical application, as the claims do not recite any other active steps that put the determination result to use in a practical application. It is noted that the claims recite the step of “receives a first alert …”. However, said step is not sufficient to show that the abstract idea is integrated into a practical application, because the step is recited at a high level of generality in gathering/storing information and amounts to mere data gathering/storing, which is a form of insignificant extra-solution activity. It is also noted that the claims recite additional elements (i.e., the monitoring device, non-transitory computer-readable recording medium, etc.). However, said additional elements are recited at a high level of generality (i.e., determining, etc.) such that they amount to no more than mere instructions to apply the exception or abstract idea using a generic computer component. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception, because the additional elements, when considered both individually and as an ordered combination, do not amount to significantly more than the abstract idea. As mentioned above, although the claims recite additional elements, said elements, taken individually or as a combination, do not result in the claim amounting to significantly more than the abstract idea, because the additional elements perform generic computer content distributing functions routinely used in the information technology field. See AU 2021351215 and US 20230216865. As discussed above, the additional elements are recited at a high level of generality such that they amount to no more than mere instructions to apply the exception using a generic computer component. Therefore, the claims are directed to non-statutory subject matter.
Regarding dependent claims 2-9: claims 2-9 are rejected under 35 U.S.C. 101 as being directed to an abstract idea without being integrated into a practical application or significantly more, for the same reasons discussed above. The claims recite a mental process. It is noted that claims 2, 4-5, and 8 recite operations such as “calculates the similarity between the first alert and the second alert …;” claim 3 recites operations such as “calculating a similarity between a first word-of-interest group and a second word-of-interest group …;” claim 6 recites operations such as “determines whether the first alert and the second alert are each an alert generated by detecting a same threat …;” and claim 7 recites operations such as “extracts candidate alerts … .” However, said steps are not sufficient to show that the abstract idea is integrated into a practical application, because the steps are recited at a high level of generality in gathering information and amount to mere data gathering. As a result, claims 2-9 are also rejected under 35 U.S.C. 101 as being directed to an abstract idea without being integrated into a practical application or significantly more.
Claim Rejections - 35 USC § 103
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 3-7, and 10-11 are rejected under 35 U.S.C. 103 as being unpatentable over STEIMBERG et al. (“STEIMBERG,” AU 2021351215, filed on 09/22/2021) in view of Bhatia et al. (“Bhatia,” US 20230216865, filed on 01/04/2022).
Regarding Claim 1;
STEIMBERG discloses a security monitoring device, comprising:
a receiver that receives a first alert generated by a first security product detecting a threat and a second alert generated by a second security product detecting a threat, the second security product being different from the first security product (page 1, par 13 – page 2, par 1; receive alerts of multiple different types, indicative of potentially malicious activity in the network, that are detected by multiple different protection appliances deployed in the network, to identify a first alert of a first type from a first protection appliance in the network and a second alert of a second type, different from the first type from a second protection appliance in the network);
a similarity calculator that calculates a similarity between the first alert and the second alert (page 8, par 6; by identifying multiple cyber alert records 90 that have timestamps 104 within a specified time period, and identical source IPs 106, destination IPs 108, source ports 110 and destination ports; page 8, par 7; the first and the second cyber-alerts (i.e., as indicated by their corresponding cyber-alert records 90) comprise different respective alert sources 100 and different respective alert types; page 8, par 8; classify the first and the second cyber-alerts into a single the second cyber-alert is subsequent to the first cyber-alert, and wherein the first and the second cyber-alerts are within a specified time period (e.g., 12, 24 or 48 hours), as indicated by the timestamps in the cyber-alert records corresponding to a first and the second cyber-alerts).
STEIMBERG discloses calculating a similarity between the first alert and the second alert as recited above, but does not explicitly disclose a first determiner that determines whether the first alert and the second alert are alerts generated by detecting a same threat, based on the similarity between the first alert and the second alert.
However, in an analogous art, Bhatia discloses a threat disposition mitigation system/method that includes:
a first determiner that determines whether the first alert and the second alert are alerts generated by detecting a same threat, based on the similarity between the first alert and the second alert (Bhatia: par 0031; in response to determining a similarity among alerts that are generated in real time by threat monitoring tool in response to one or more potential cyberthreats. ASD/DAE engine can determine, in real time, a similarity of two or more alerts. Similarity can be determined by ASD/DAE engine in real time based on a comparison of data structures created for and corresponding to each of the alerts generated by threat monitoring tool; par 0033; determined based on comparing pairs of feature vectors and determining an equality with respect to one or more parameters of each of the pairs. Two alerts are duplicative if a predetermined subset of features of the alerts' feature vectors match).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Bhatia with the method/system of STEIMBERG to include a first determiner that determines whether the first alert and the second alert are alerts generated by detecting a same threat, based on the similarity between the first alert and the second alert. One would have been motivated to generate a group of alerts in response to determining a similarity among the alerts. The alerts are generated in real time by a threat monitoring tool in response to one or more potential threats to a networked computing system (Bhatia: abstract).
Regarding Claim 3;
The combination of STEIMBERG and Bhatia discloses the security monitoring device according to claim 1,
STEIMBERG discloses wherein the first alert includes a first detection model description describing the threat detected by the first security product, the second alert includes a second detection model description describing the threat detected by the second security product (STEIMBERG: page 1, par 13 – page 2, par 1; receive alerts of multiple different types, indicative of potentially malicious activity in the network, that are detected by multiple different protection appliances deployed in the network, to identify a first alert of a first type from a first protection appliance in the network and a second alert of a second type, different from the first type from a second protection appliance in the network).
Bhatia further discloses the similarity calculator calculates the similarity between the first alert and the second alert by extracting one or more words of interest included in the first detection model description and one or more words of interest included in the second detection model description using a predefined word-of-interest list, and by calculating a similarity between a first word-of-interest group and a second word-of-interest group, the first word-of-interest group being of one or more words of interest extracted from the first detection model description, the second word-of-interest group being of one or more words of interest extracted from the second detection model description (Bhatia: par 0031; in response to determining a similarity among alerts that are generated in real time by threat monitoring tool in response to one or more potential cyberthreats. ASD/DAE engine can determine, in real time, a similarity of two or more alerts. Similarity can be determined by ASD/DAE engine in real time based on a comparison of data structures created for and corresponding to each of the alerts generated by threat monitoring tool; par 0034; with respect to the five example alerts of matrix, the predetermined subset of features are illustratively remedy_customer_id, siem_rule_name, event_names [] event_names is a predefined external rule name. Sip_int is an internal source ip count indicating that the threat was initiated from one or more internal ips, where “ip” refers to Internet Protocol (IP) address [] based on the comparison of feature vectors of matrix, ASD/DAE engine determines the values of each the predetermined features of the feature vectors match and thus the corresponding five alerts are duplicative).
The motivation is the same as that of claim 1 above.
Regarding Claim 4;
The combination of STEIMBERG and Bhatia discloses the security monitoring device according to claim 1,
STEIMBERG discloses wherein the first alert includes a first detection model description describing the threat detected by the first security product, the second alert includes a second detection model description describing the threat detected by the second security product (STEIMBERG: page 1, par 13 – page 2, par 1; receive alerts of multiple different types, indicative of potentially malicious activity in the network, that are detected by multiple different protection appliances deployed in the network, to identify a first alert of a first type from a first protection appliance in the network and a second alert of a second type, different from the first type from a second protection appliance in the network).
Bhatia further discloses the similarity calculator calculates the similarity between the first alert and the second alert based on a vector of the first detection model description and a vector of the second detection model description, each of the vectors indicating matching degrees of threat classification categories and being calculated using an attack classification model trained using threat intelligence information indicating both classification information indicating one or more threat classification categories and a content of the one or more threat classification categories (Bhatia: par 0018; the machine learning model can continue learning over time as new alerts are classified; par 0031; in response to determining a similarity among alerts that are generated in real time by threat monitoring tool in response to one or more potential cyberthreats. ASD/DAE engine can determine, in real time, a similarity of two or more alerts. Similarity can be determined by ASD/DAE engine in real time based on a comparison of data structures created for and corresponding to each of the alerts generated by threat monitoring tool; par 0034; with respect to the five example alerts of matrix, the predetermined subset of features are illustratively remedy_customer_id, siem_rule_name, event_names [] event_names is a predefined external rule name. Sip_int is an internal source ip count indicating that the threat was initiated from one or more internal ips, where “ip” refers to Internet Protocol (IP) address [] based on the comparison of feature vectors of matrix, ASD/DAE engine determines the values of each the predetermined features of the feature vectors match and thus the corresponding five alerts are duplicative).
The motivation is the same as that of claim 1 above.
Regarding Claim 5;
The combination of STEIMBERG and Bhatia discloses the security monitoring device according to claim 1,
STEIMBERG discloses wherein the first alert includes a first detection model description describing the threat detected by the first security product, the second alert includes a second detection model description describing the threat detected by the second security product (STEIMBERG: page 1, par 13 – page 2, par 1; receive alerts of multiple different types, indicative of potentially malicious activity in the network, that are detected by multiple different protection appliances deployed in the network, to identify a first alert of a first type from a first protection appliance in the network and a second alert of a second type, different from the first type from a second protection appliance in the network).
Bhatia further discloses the similarity calculator calculates the similarity between the first alert and the second alert by calculating a similarity between the first detection model description and the second detection model description using a feature extracted from first detection information and a feature extracted from second detection information, the first detection information indicating previous attack detection results in the first security product, the second detection information indicating previous attack detection results in the second security product (Bhatia: par 0031; in response to determining a similarity among alerts that are generated in real time by threat monitoring tool in response to one or more potential cyberthreats. ASD/DAE engine can determine, in real time, a similarity of two or more alerts. Similarity can be determined by ASD/DAE engine in real time based on a comparison of data structures created for and corresponding to each of the alerts generated by threat monitoring tool; par 0039; determining whether a newly generated alert spike is part of an existing alert spike subgroup. ASD/DAE engine can add a newly generated alert to an existing alert spike subgroup in response to determining, in real time, a similarity between a newly generated alert and a previously generated alert contained in the existing alert spike subgroup. As a condition of adding the newly generated alert, ASD/DAE engine determines whether the newly generated alert and one or more alerts contained in the existing alert spike subgroup were generated).
The motivation is the same as that of claim 1 above.
Regarding Claim 6;
The combination of STEIMBERG and Bhatia discloses the security monitoring device according to claim 1, further comprising:
Bhatia discloses a second determiner that determines whether the first alert and the second alert are each an alert generated by detecting a same threat (Bhatia: par 0031; in response to determining a similarity among alerts that are generated in real time by threat monitoring tool in response to one or more potential cyberthreats. ASD/DAE engine can determine, in real time, a similarity of two or more alerts. Similarity can be determined by ASD/DAE engine in real time based on a comparison of data structures created for and corresponding to each of the alerts generated by threat monitoring tool; par 0033; determined based on comparing pairs of feature vectors and determining an equality with respect to one or more parameters of each of the pairs. Two alerts are duplicative if a predetermined subset of features of the alerts' feature vectors match).
The motivation is the same as that of claim 1 above.
STEIMBERG further discloses the determination being based on product information on the first security product and product information on the second security product (STEIMBERG: page 1, par 13 – page 2, par 1; receive alerts of multiple different types, indicative of potentially malicious activity in the network, that are detected by multiple different protection appliances deployed in the network, to identify a first alert of a first type from a first protection appliance in the network and a second alert of a second type, different from the first type from a second protection appliance in the network).
Regarding Claim 7;
The combination of STEIMBERG and Bhatia discloses the security monitoring device according to claim 1, further comprising:
STEIMBERG discloses an extractor that extracts candidate alerts from among alerts received by the receiver, based on a predetermined condition (STEIMBERG: page 1, par 13 – page 2, par 1; receive alerts of multiple different types, indicative of potentially malicious activity in the network, that are detected by multiple different protection appliances deployed in the network, to identify a first alert of a first type from a first protection appliance in the network and a second alert of a second type, different from the first type from a second protection appliance in the network; page 8, par 6; by identifying multiple cyber alert records 90 that have timestamps 104 within a specified time period, and identical source IPs 106, destination IPs 108, source ports 110 and destination ports; page 8, par 7; wherein the first and the second cyber-alerts are within a specified time period (e.g., 12, 24 or 48 hours), as indicated by the timestamps in the cyber-alert records corresponding to a first and the second cyber-alerts).
Bhatia further discloses wherein the similarity calculator calculates the similarity between the first alert and the second alert which are included in the candidate alerts extracted (Bhatia: par 0031; in response to determining a similarity among alerts that are generated in real time by threat monitoring tool in response to one or more potential cyberthreats. ASD/DAE engine can determine, in real time, a similarity of two or more alerts. Similarity can be determined by ASD/DAE engine in real time based on a comparison of data structures created for and corresponding to each of the alerts generated by threat monitoring tool; par 0039; determining whether a newly generated alert spike is part of an existing alert spike subgroup. ASD/DAE engine can add a newly generated alert to an existing alert spike subgroup in response to determining, in real time, a similarity between a newly generated alert and a previously generated alert contained in the existing alert spike subgroup. As a condition of adding the newly generated alert, ASD/DAE engine determines whether the newly generated alert and one or more alerts contained in the existing alert spike subgroup were generated).
Regarding Claim 10;
This claim recites a method that performs the same steps as the device of claim 1 and has limitations similar to those of claim 1; it is therefore rejected with the same rationale applied against claim 1.
Regarding Claim 11;
This claim recites a non-transitory computer-readable recording medium that performs the same steps as the device of claim 1 and has limitations similar to those of claim 1; it is therefore rejected with the same rationale applied against claim 1.
Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over STEIMBERG et al. (AU 2021351215) in view of Bhatia et al. (US 20230216865), and further in view of Mortensen et al. (“Mortensen,” US 20210028975, published on 01/28/2021).
Regarding Claim 2;
The combination of STEIMBERG and Bhatia discloses the security monitoring device according to claim 1,
STEIMBERG discloses wherein the first alert includes a first detection model description describing the threat detected by the first security product, the second alert includes a second detection model description describing the threat detected by the second security product (STEIMBERG: page 1, par 13 – page 2, par 1; receive alerts of multiple different types, indicative of potentially malicious activity in the network, that are detected by multiple different protection appliances deployed in the network, to identify a first alert of a first type from a first protection appliance in the network and a second alert of a second type, different from the first type from a second protection appliance in the network).
Bhatia further discloses the similarity calculator calculates the similarity between the first alert and the second alert based on a term frequency (TF)–inverse document frequency (IDF) vector of the first detection model description and a TF-IDF vector of the second detection model description, each of the TF-IDF vectors being calculated using IDF values of words included in document information indicating a document on security (Bhatia: par 0031; in response to determining a similarity among alerts that are generated in real time by threat monitoring tool in response to one or more potential cyberthreats. ASD/DAE engine can determine, in real time, a similarity of two or more alerts. Similarity can be determined by ASD/DAE engine in real time based on a comparison of data structures created for and corresponding to each of the alerts generated by threat monitoring tool; par 0033; determined based on comparing pairs of feature vectors and determining an equality with respect to one or more parameters of each of the pairs. Two alerts are duplicative if a predetermined subset of features of the alerts' feature vectors match; par 0044; for example, as described above, the data structure of each alert can be a feature vector. If the values of one or more preselected features (e.g., columns of the feature vectors in matrix 300 (FIG. 3)) of two or more alerts' respective feature vectors match, then the alerts are deemed similar).
The motivation is the same as that of claim 1 above.
The combination of STEIMBERG and Bhatia discloses a vector as recited above, but does not explicitly disclose a term frequency (TF)–inverse document frequency (IDF) vector.
However, in an analogous art, Mortensen discloses a network issue tracking system/method that includes:
a term frequency (TF)–inverse document frequency (IDF) vector (Mortensen: par 0105; the alert normalizer applies Term Frequency-Inverse Document Frequency (TF-IDF) techniques to alerts. In turn, the alert classifier applies unsupervised machine learning to the normalized alert text over time, to extract the common traits/attributes of the alerts over time).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Mortensen with the method/system of STEIMBERG and Bhatia to include a term frequency (TF)–inverse document frequency (IDF) vector. One would have been motivated to use a neural network to identify a difference between the clustered telemetry and telemetry from one or more devices for which the issue was resolved.
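As an added example (not code from the application or from any of the cited references), the following Python sketches the claimed pipeline as a SOC engineer might implement it for cross-product alert deduplication: an extractor that pairs alerts from different products by host pair and time window (the STEIMBERG-style condition of claim 7), a similarity calculator that combines word-of-interest Jaccard similarity (claim 3) with a TF-IDF cosine similarity whose IDF values come from a small corpus of security documents (claim 2), and a threshold determiner (claim 1). The alerts, the word-of-interest list, the corpus, the field names and the thresholds are all constructed assumptions for the example.

```python
import math
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import combinations
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Alert:
    # Field names are assumptions for this example, not the application's own.
    product: str        # security product that generated the alert
    timestamp: datetime
    src_ip: str
    dst_ip: str
    description: str    # the "detection model description" of the claims

# Predefined word-of-interest list (constructed for this example).
WORDS_OF_INTEREST: Set[str] = {
    "powershell", "encoded", "command", "credential", "dump", "lsass",
    "beacon", "c2", "lateral", "smb", "mimikatz", "ransomware",
}

# Constructed "documents on security", used only to derive IDF values.
SECURITY_DOCS: List[str] = [
    "Encoded PowerShell command execution is a common initial access technique",
    "Credential dumping from LSASS memory with mimikatz",
    "Beacon traffic to a C2 server indicates command and control",
    "Lateral movement over SMB using stolen credential material",
    "Ransomware encrypts files after credential theft and lateral movement",
]

# Constructed alerts: two products reporting on the same host pair.
T0 = datetime(2024, 12, 6, 10, 0, 0)
ALERTS: List[Alert] = [
    Alert("EDR-X", T0, "10.0.0.5", "10.0.0.9",
          "Credential dump from LSASS process memory detected"),
    Alert("NDR-Y", T0 + timedelta(minutes=2), "10.0.0.5", "10.0.0.9",
          "LSASS credential dump observed over SMB"),
    Alert("NDR-Y", T0 + timedelta(minutes=1), "10.0.0.5", "10.0.0.9",
          "Encoded PowerShell command launched"),
    Alert("EDR-X", T0 + timedelta(hours=4), "10.0.0.5", "10.0.0.9",
          "Credential dump from LSASS"),
]

def tokenize(text: str) -> List[str]:
    return re.findall(r"[a-z0-9]+", text.lower())

def extract_words_of_interest(description: str) -> Set[str]:
    """Keep only tokens that appear in the predefined word-of-interest list."""
    return {t for t in tokenize(description) if t in WORDS_OF_INTEREST}

def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0

def idf_table(docs: List[str]) -> Dict[str, float]:
    """Smoothed IDF per word, ln((1+N)/(1+df)) + 1, from the security corpus."""
    df: Dict[str, int] = {}
    for d in docs:
        for w in set(tokenize(d)):
            df[w] = df.get(w, 0) + 1
    n = len(docs)
    return {w: math.log((1 + n) / (1 + c)) + 1.0 for w, c in df.items()}

IDF = idf_table(SECURITY_DOCS)

def tfidf_vector(text: str, idf: Dict[str, float] = IDF) -> Dict[str, float]:
    """Sparse TF-IDF vector; words unseen in the corpus get the rarest-word IDF."""
    unseen = max(idf.values())
    vec: Dict[str, float] = {}
    for t in tokenize(text):
        vec[t] = vec.get(t, 0.0) + idf.get(t, unseen)
    return vec

def cosine(u: Dict[str, float], v: Dict[str, float]) -> float:
    dot = sum(x * v.get(k, 0.0) for k, x in u.items())
    nu = math.sqrt(sum(x * x for x in u.values()))
    nv = math.sqrt(sum(x * x for x in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0

def candidate_pairs(alerts: List[Alert], window: timedelta) -> List[Tuple[Alert, Alert]]:
    """Extractor: only pairs from different products, same src/dst, within the window."""
    return [(a, b) for a, b in combinations(alerts, 2)
            if a.product != b.product
            and (a.src_ip, a.dst_ip) == (b.src_ip, b.dst_ip)
            and abs(a.timestamp - b.timestamp) <= window]

def similarity(a: Alert, b: Alert) -> float:
    """Similarity calculator: mean of word-of-interest Jaccard and TF-IDF cosine."""
    woi = jaccard(extract_words_of_interest(a.description),
                  extract_words_of_interest(b.description))
    txt = cosine(tfidf_vector(a.description), tfidf_vector(b.description))
    return 0.5 * woi + 0.5 * txt

def same_threat(a: Alert, b: Alert, threshold: float = 0.4) -> bool:
    """Determiner: were the two alerts generated by detecting the same threat?"""
    return similarity(a, b) >= threshold

if __name__ == "__main__":
    for a, b in candidate_pairs(ALERTS, timedelta(hours=1)):
        print(a.product, b.product, round(similarity(a, b), 2), same_threat(a, b))
```

Of the two candidate pairs, only the EDR-X/NDR-Y pair describing the same LSASS credential dump clears the threshold; the PowerShell alert on the same host pair shares no words of interest or corpus terms and is kept as a distinct threat.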
Claims 8 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over STEIMBERG et al. (AU 2021351215) in view of Bhatia et al. (US 20230216865), and further in view of SHARIFI et al. (“SHARIFI,” CN 119301424 A, filed on 05/31/2022).
Regarding Claim 8;
The combination of STEIMBERG and Bhatia discloses the security monitoring device according to claim 1,
STEIMBERG discloses wherein the first alert includes a first detection model description describing the threat detected by the first security product, the second alert includes a second detection model description describing the threat detected by the second security product (STEIMBERG: page 1, par 13 – page 2, par 1; receive alerts of multiple different types, indicative of potentially malicious activity in the network, that are detected by multiple different protection appliances deployed in the network, to identify a first alert of a first type from a first protection appliance in the network and a second alert of a second type, different from the first type from a second protection appliance in the network).
Bhatia further discloses the similarity calculator calculates the similarity between the first alert and the second alert by inputting the first detection model description and the second detection model description into a model trained using two detection model descriptions and a similarity between the two detection model descriptions, and by obtaining a similarity between the first detection model description and the second detection model description which is outputted from the model (Bhatia: par 0018; the machine learning model can continue learning over time as new alerts are classified; par 0031; in response to determining a similarity among alerts that are generated in real time by threat monitoring tool in response to one or more potential cyberthreats. ASD/DAE engine can determine, in real time, a similarity of two or more alerts. Similarity can be determined by ASD/DAE engine in real time based on a comparison of data structures created for and corresponding to each of the alerts generated by threat monitoring tool; par 0034; with respect to the five example alerts of matrix, the predetermined subset of features are illustratively remedy_customer_id, siem_rule_name, event_names [] event_names is a predefined external rule name. Sip_int is an internal source ip count indicating that the threat was initiated from one or more internal ips, where “ip” refers to Internet Protocol (IP) address [] based on the comparison of feature vectors of matrix, ASD/DAE engine determines the values of each the predetermined features of the feature vectors match and thus the corresponding five alerts are duplicative).
The motivation is the same that of claim 1 above.
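The two techniques the rejection paraphrases above, TF-IDF vectors over normalized alert text (Mortensen, par 0105) and an exact match over a predetermined subset of alert features that marks alerts as duplicative (Bhatia, par 0034), are illustrated below in a worked example. This code is added here for illustration; it is not code from the application, from Mortensen, or from Bhatia. The sample alerts are constructed, and the field names remedy_customer_id, siem_rule_name, event_names and sip_int are taken from the Bhatia passage quoted above with made-up values.

```python
"""Added example: TF-IDF alert similarity and feature-subset duplicate
detection. Not from the office action or the cited references."""
import math
import re
from collections import Counter

# Constructed sample alerts. Field names mirror the predetermined feature
# subset quoted from Bhatia (par 0034); values and free text are made up.
ALERTS = [
    {"id": "A1", "remedy_customer_id": "cust-42",
     "siem_rule_name": "Brute Force Login",
     "event_names": ["failed_login", "failed_login", "success_login"],
     "sip_int": 1,
     "text": "Multiple failed logins followed by success from internal host 10.0.0.5"},
    {"id": "A2", "remedy_customer_id": "cust-42",
     "siem_rule_name": "Brute Force Login",
     "event_names": ["failed_login", "failed_login", "success_login"],
     "sip_int": 1,
     "text": "Repeated failed logins then a success from internal host 10.0.0.9"},
    {"id": "A3", "remedy_customer_id": "cust-42",
     "siem_rule_name": "Malware Beacon",
     "event_names": ["dns_query", "http_connect"],
     "sip_int": 1,
     "text": "Periodic DNS queries and HTTP connects to a known C2 domain"},
]

# The predetermined subset of features compared for duplicate detection.
DEDUP_FEATURES = ("remedy_customer_id", "siem_rule_name", "event_names", "sip_int")


def normalize(text):
    """Alert normalizer: lowercase and mask IPv4 addresses so that
    host-specific octets do not dominate the vocabulary."""
    text = re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", "ipaddr", text.lower())
    return re.findall(r"[a-z0-9_]+", text)


def tfidf_vectors(docs):
    """Return one sparse TF-IDF vector (dict term -> weight) per document.
    Uses term frequency normalized by document length and a smoothed IDF."""
    tokens = [normalize(d) for d in docs]
    n = len(docs)
    df = Counter()
    for t in tokens:
        df.update(set(t))
    idf = {w: math.log((1 + n) / (1 + c)) + 1.0 for w, c in df.items()}
    vecs = []
    for t in tokens:
        tf = Counter(t)
        total = len(t)
        vecs.append({w: (c / total) * idf[w] for w, c in tf.items()})
    return vecs


def cosine(a, b):
    """Cosine similarity between two sparse vectors."""
    dot = sum(v * b.get(k, 0.0) for k, v in a.items())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def text_similarity(alerts):
    """Pairwise TF-IDF cosine similarity of the alerts' free text,
    keyed by (id_i, id_j) with i < j."""
    vecs = tfidf_vectors([a["text"] for a in alerts])
    sims = {}
    for i in range(len(alerts)):
        for j in range(i + 1, len(alerts)):
            sims[(alerts[i]["id"], alerts[j]["id"])] = cosine(vecs[i], vecs[j])
    return sims


def feature_key(alert):
    """Project an alert onto the predetermined feature subset (hashable)."""
    return tuple(tuple(alert[f]) if isinstance(alert[f], list) else alert[f]
                 for f in DEDUP_FEATURES)


def duplicate_groups(alerts):
    """Alerts whose values match on every predetermined feature are
    treated as duplicative; returns the groups of size > 1."""
    groups = {}
    for a in alerts:
        groups.setdefault(feature_key(a), []).append(a["id"])
    return [g for g in groups.values() if len(g) > 1]


if __name__ == "__main__":
    for pair, s in text_similarity(ALERTS).items():
        print(pair, round(s, 3))
    print("duplicates:", duplicate_groups(ALERTS))
```

On the constructed input, A1 and A2 score well above A1 and A3 on TF-IDF cosine similarity, and the feature-subset check groups A1 with A2 because all four predetermined features match while A3 differs in siem_rule_name and event_names. Note that the two signals are independent: two alerts can share every predetermined feature yet have dissimilar free text, and vice versa, which is why a system would normally combine them rather than rely on either alone.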
The combination of STEIMBERG and Bhatia discloses calculating the similarity between the first alert and the second alert by inputting the first detection model description and the second detection model description into a model trained using two detection model descriptions and a similarity between the two detection model descriptions, and by obtaining a similarity between the first detection model description and the second detection model description which is outputted from the model, as recited above, but does not explicitly disclose a large language model.
However, in an analogous art, SHARIFI discloses a request-and-receive reminder system/method that includes:
a large language model (SHARIFI: page 7, par 2; a similarity module 109b configured to support the techniques of the present disclosure for generating alerts; page 7, par 3; machine learning (ML) may be employed by the language processing module 109a to train the NLP model 109a3 and/or the similarity model [] in these aspects, the NLP model 109a3 may be or include a machine learning model (e.g., a large language model (LLM)) that is trained by the ML module 109c using one or more text training data sets in order to output one or more training alerts and one or more training trigger conditions).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of SHARIFI with the method/system of STEIMBERG and Bhatia to include a large language model. One would have been motivated to detect a trigger condition during a subsequent navigation session and to provide a reminder in response to detecting the trigger condition.
Regarding Claim 9;
The combination of STEIMBERG, Bhatia and SHARIFI discloses the security monitoring device according to claim 8,
SHARIFI discloses wherein fine-tuning in machine learning is applied to the large language model (SHARIFI: page 7, par 2; a similarity module 109b configured to support the techniques of the present disclosure for generating alerts; page 7, par 3; machine learning (ML) may be employed by the language processing module 109a to train the NLP model 109a3 and/or the similarity model [] in these aspects, the NLP model 109a3 may be or include a machine learning model (e.g., a large language model (LLM)) that is trained by the ML module 109c using one or more text training data sets in order to output one or more training alerts and one or more training trigger conditions).
The motivation is the same as that of claim 8 above.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHAO WANG whose telephone number is (313)446-6644. The examiner can normally be reached on Monday-Friday 7:30-4:30PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/C.W./Examiner, Art Unit 2439
/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439