Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
1. The following is a Final Office Action in response to applicant’s arguments filed on December 30, 2025. Claims 1, 11 and 21 are amended.
Claims 1-30 are pending.
Response to Arguments
Applicant’s arguments filed on 12/30/2025 regarding the 35 U.S.C. 112(b) rejection of claims 7-9, 17-19, and 27-29 have been fully considered and are persuasive. Therefore, the rejection is withdrawn.
Applicant’s arguments filed on 12/30/2025 regarding the 35 U.S.C. 112(b) rejection of claims 1, 3-6, 11, 13-16, 21, and 23-26 have been fully considered and are persuasive. Therefore, the rejection is withdrawn.
Applicant’s arguments filed on 12/30/2025 regarding the 35 U.S.C. 112(b) rejection of claims 1, 11, and 21 have been fully considered and are persuasive. Therefore, the rejection is withdrawn.
Applicant’s arguments filed on 12/30/2025 regarding the 35 U.S.C. 101 rejection of claims 1, 11, and 21 have been fully considered and are persuasive. Therefore, the rejection is withdrawn.
Applicant’s amendment to claims 1, 11 and 21 filed on 12/30/2025, reciting “receiving an alert concerning the event; autonomously generating one or more of an investigation and a remediation plan using a generative AI-based planner subsystem, wherein the generative AI-based planner subsystem is configured to utilize one or more tools to process the alert.”, necessitated the new ground(s) of rejection presented in this Office action. Therefore, Applicant’s arguments with respect to claims 1-30 have been considered but are moot in view of the new ground(s) of rejection.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
1.) Claims 1-4, 6, 11-14, 16, 21-24, and 26 are rejected under 35 U.S.C. 103 as being unpatentable over US 2020087929, Biever, in view of US 20240406195, Sansom.
In regards to claim 1, Biever teaches a computer-implemented method, executed on a computing device, comprising:
identifying an event that concerns a network entity on a computer platform (US 2020087929, Biever, para. 0023, The computer network 105 allows for the detection and reduction of cybersecurity threats.);
obtaining entity data for the network entity from a plurality of data sources, thus defining a plurality of network entity data portions (US 2020087929, Biever, figs. 6, 7 and para. 0031, The threat data aggregator 515 is executed by the electronic processor 500 and configured to combine (aggregate) cybersecurity threat data from a plurality of detection computers (a plurality of different types of detection software), cybersecurity threat data from a shared threat repository 150, and metadata from a plurality of devices included in the computer network 105.); and
combining the plurality of network entity data portions to form consolidated network entity data for the network entity (US 2020087929, Biever, para. 0033, The threat data aggregator 515 combines the detected cybersecurity threat data, the cybersecurity threat data from the shared database 155, and metadata from a plurality of devices included in the first computer network 105. The threat data aggregator 515 sends the combined cybersecurity threat data to the threat analyzer 520.);
receiving an alert concerning the event (US 2020087929, Biever, para. 0038, A second timer begins when the IPS software receives a notification of a cybersecurity threat (block 845). The second timer determines how long the IPS software will implement a response to the cybersecurity threat (when the first timer ends, the IPS software block is removed) (block 850).).
Biever does not teach autonomously generating one or more of an investigation and a remediation plan using a generative AI-based planner subsystem, wherein the generative AI-based planner subsystem is configured to utilize one or more tools to process the alert. However, Sansom teaches autonomously generating one or more of an investigation and a remediation plan using a generative AI-based planner subsystem (US 20240406195, Sansom, para. 0034 and 0141: [0034] FIG. 15 illustrates a diagram of an embodiment of i) the cyber threat detection engine using Artificial Intelligence algorithms configured and trained to perform a first machine-learned task of detecting the cyber threat, ii) an autonomous response engine using Artificial Intelligence algorithms configured and trained to perform a second machine-learned task of taking one or more mitigation actions to mitigate the cyber threat; [0141] According to one embodiment of the disclosure, the cyber threat analyst module 120 allows two levels of investigations of a cyber threat that may suggest a potential impending cyberattack. In a first level of investigation, the analyzer module 115 and AI model(s) 160 can rapidly detect and then the autonomous response engine 140 will autonomously respond to overt and obvious cyberattacks.), wherein the generative AI-based planner subsystem is configured to utilize one or more tools to process the alert (US 20240406195, Sansom, para. 0135, The AI model(s) 160 may be trained with machine learning on a normal pattern of life for entities in the network(s)/domain(s) under analysis, with machine learning on cyber threat hypotheses to form and investigate a cyber threat hypothesis on what are a possible set of cyber threats and their characteristics, symptoms, remediations, etc., and/or trained on possible cyber threats including their characteristics and symptoms, an interface to a restoration engine 190, an interface to a cyber-attack simulator 105, and other similar components.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Biever with the teaching of Sansom because a user would have been motivated to use artificial intelligence, taught by Sansom, in order to autonomously detect and mitigate malicious attacks in the system taught by Biever (Sansom, para. 0034).
In regards to claim 2, the combination of Biever and Sansom teaches the computer-implemented method of claim 1 wherein the network entity includes one or more of: a network device; a computing device (US 2020087929, Biever, para. 0023, In the example shown, the computer network 105 includes a plurality of computers including detection computers 200, 205, 210, response computers 215, 220, 225, and an analysis computer 230.); a network user; a service; a container; a pod; and a virtual machine.
In regards to claim 3, the combination of Biever and Sansom teaches the computer-implemented method of claim 1 wherein the plurality of data sources includes one or more of: one or more content delivery network systems; one or more database activity monitoring systems (US 2020087929, Biever, para. 0031, The threat data aggregator 515 is executed by the electronic processor 500 and configured to combine (aggregate) cybersecurity threat data from a plurality of detection computers (a plurality of different types of detection software), cybersecurity threat data from a shared threat repository 150, and metadata from a plurality of devices included in the computer network 105.); one or more user behavior analytics systems; one or more mobile device management systems; one or more identity and access management systems; one or more domain name server systems; one or more antivirus systems; one or more operating systems; one or more data lakes; one or more data logs; one or more security-relevant software applications (US 2020087929, Biever, para. 0031, The threat data aggregator 515 is executed by the electronic processor 500 and configured to combine (aggregate) cybersecurity threat data from a plurality of detection computers (a plurality of different types of detection software)); one or more security-relevant hardware systems; one or more security information and event management (SIEM) systems; and one or more resources external to the computing platform.
In regards to claim 4, the combination of Biever and Sansom teaches the computer-implemented method of claim 1 further comprising: processing the consolidated network entity data to generate analysis data that concerns the event and/or the network entity (US 2020087929, Biever, para. 0005, Each computer network associated with one of the plurality of organizations includes a plurality of hardware and software that allows for detection of cybersecurity threats, analysis of detected cybersecurity threats, and responding to the detected cybersecurity threats.).
In regards to claim 6, the combination of Biever and Sansom teaches the computer-implemented method of claim 4 further comprising: effectuating a remedial action based, at least in part, upon the analysis data that concerns the event and/or the network entity (US 2020087929, Biever, para. 0036, When the response software 415, 620, 625 receives the signal regarding the cybersecurity threat (block 725), the response software 415, 620, 625 performs an action that limits the effects of the cybersecurity threat on the first computer network 105 and in some embodiments prevents the cybersecurity threat from affecting the first computer network 105.).
In regards to claim 11, Biever teaches a computer program product residing on a computer readable medium having a plurality of instructions stored thereon which, when executed by a processor, cause the processor to perform operations comprising:
identifying an event that concerns a network entity on a computer platform (US 2020087929, Biever, para. 0023, The computer network 105 allows for the detection and reduction of cybersecurity threats.);
obtaining entity data for the network entity from a plurality of data sources, thus defining a plurality of network entity data portions (US 2020087929, Biever, figs. 6, 7 and para. 0031, The threat data aggregator 515 is executed by the electronic processor 500 and configured to combine (aggregate) cybersecurity threat data from a plurality of detection computers (a plurality of different types of detection software), cybersecurity threat data from a shared threat repository 150, and metadata from a plurality of devices included in the computer network 105.); and
combining the plurality of network entity data portions to form consolidated network entity data for the network entity (US 2020087929, Biever, para. 0033, The threat data aggregator 515 combines the detected cybersecurity threat data, the cybersecurity threat data from the shared database 155, and metadata from a plurality of devices included in the first computer network 105. The threat data aggregator 515 sends the combined cybersecurity threat data to the threat analyzer 520.);
receiving an alert concerning the event (US 2020087929, Biever, para. 0038, A second timer begins when the IPS software receives a notification of a cybersecurity threat (block 845). The second timer determines how long the IPS software will implement a response to the cybersecurity threat (when the first timer ends, the IPS software block is removed) (block 850).).
Biever does not teach autonomously generating one or more of an investigation and a remediation plan using a generative AI-based planner subsystem, wherein the generative AI-based planner subsystem is configured to utilize one or more tools to process the alert. However, Sansom teaches autonomously generating one or more of an investigation and a remediation plan using a generative AI-based planner subsystem (US 20240406195, Sansom, para. 0034 and 0141: [0034] FIG. 15 illustrates a diagram of an embodiment of i) the cyber threat detection engine using Artificial Intelligence algorithms configured and trained to perform a first machine-learned task of detecting the cyber threat, ii) an autonomous response engine using Artificial Intelligence algorithms configured and trained to perform a second machine-learned task of taking one or more mitigation actions to mitigate the cyber threat; [0141] According to one embodiment of the disclosure, the cyber threat analyst module 120 allows two levels of investigations of a cyber threat that may suggest a potential impending cyberattack. In a first level of investigation, the analyzer module 115 and AI model(s) 160 can rapidly detect and then the autonomous response engine 140 will autonomously respond to overt and obvious cyberattacks.), wherein the generative AI-based planner subsystem is configured to utilize one or more tools to process the alert (US 20240406195, Sansom, para. 0135, The AI model(s) 160 may be trained with machine learning on a normal pattern of life for entities in the network(s)/domain(s) under analysis, with machine learning on cyber threat hypotheses to form and investigate a cyber threat hypothesis on what are a possible set of cyber threats and their characteristics, symptoms, remediations, etc., and/or trained on possible cyber threats including their characteristics and symptoms, an interface to a restoration engine 190, an interface to a cyber-attack simulator 105, and other similar components.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Biever with the teaching of Sansom because a user would have been motivated to use artificial intelligence, taught by Sansom, in order to autonomously detect and mitigate malicious attacks in the system taught by Biever (Sansom, para. 0034).
In regards to claim 12, the combination of Biever and Sansom teaches the computer program product of claim 11 wherein the network entity includes one or more of: a network device; a computing device (US 2020087929, Biever, para. 0023, In the example shown, the computer network 105 includes a plurality of computers including detection computers 200, 205, 210, response computers 215, 220, 225, and an analysis computer 230.); a network user; a service; a container; a pod; and a virtual machine.
In regards to claim 13, the combination of Biever and Sansom teaches the computer program product of claim 11 wherein the plurality of data sources includes one or more of: one or more content delivery network systems; one or more database activity monitoring systems (US 2020087929, Biever, para. 0031, The threat data aggregator 515 is executed by the electronic processor 500 and configured to combine (aggregate) cybersecurity threat data from a plurality of detection computers (a plurality of different types of detection software), cybersecurity threat data from a shared threat repository 150, and metadata from a plurality of devices included in the computer network 105.); one or more user behavior analytics systems; one or more mobile device management systems; one or more identity and access management systems; one or more domain name server systems; one or more antivirus systems; one or more operating systems; one or more data lakes; one or more data logs; one or more security-relevant software applications (US 2020087929, Biever, para. 0031, The threat data aggregator 515 is executed by the electronic processor 500 and configured to combine (aggregate) cybersecurity threat data from a plurality of detection computers (a plurality of different types of detection software)); one or more security-relevant hardware systems; one or more security information and event management (SIEM) systems; and one or more resources external to the computing platform.
In regards to claim 14, the combination of Biever and Sansom teaches the computer program product of claim 11 further comprising: processing the consolidated network entity data to generate analysis data that concerns the event and/or the network entity (US 2020087929, Biever, para. 0005, Each computer network associated with one of the plurality of organizations includes a plurality of hardware and software that allows for detection of cybersecurity threats, analysis of detected cybersecurity threats, and responding to the detected cybersecurity threats.).
In regards to claim 16, the combination of Biever and Sansom teaches the computer program product of claim 14 further comprising: effectuating a remedial action based, at least in part, upon the analysis data that concerns the event and/or the network entity (US 2020087929, Biever, para. 0036, When the response software 415, 620, 625 receives the signal regarding the cybersecurity threat (block 725), the response software 415, 620, 625 performs an action that limits the effects of the cybersecurity threat on the first computer network 105 and in some embodiments prevents the cybersecurity threat from affecting the first computer network 105.).
In regards to claim 21, Biever teaches a computing system including a processor and memory configured to perform operations comprising:
identifying an event that concerns a network entity on a computer platform (US 2020087929, Biever, para. 0023, The computer network 105 allows for the detection and reduction of cybersecurity threats.);
obtaining entity data for the network entity from a plurality of data sources, thus defining a plurality of network entity data portions (US 2020087929, Biever, figs. 6, 7 and para. 0031, The threat data aggregator 515 is executed by the electronic processor 500 and configured to combine (aggregate) cybersecurity threat data from a plurality of detection computers (a plurality of different types of detection software), cybersecurity threat data from a shared threat repository 150, and metadata from a plurality of devices included in the computer network 105.); and
combining the plurality of network entity data portions to form consolidated network entity data for the network entity (US 2020087929, Biever, para. 0033, The threat data aggregator 515 combines the detected cybersecurity threat data, the cybersecurity threat data from the shared database 155, and metadata from a plurality of devices included in the first computer network 105. The threat data aggregator 515 sends the combined cybersecurity threat data to the threat analyzer 520.);
receiving an alert concerning the event (US 2020087929, Biever, para. 0038, A second timer begins when the IPS software receives a notification of a cybersecurity threat (block 845). The second timer determines how long the IPS software will implement a response to the cybersecurity threat (when the first timer ends, the IPS software block is removed) (block 850).).
Biever does not teach autonomously generating one or more of an investigation and a remediation plan using a generative AI-based planner subsystem, wherein the generative AI-based planner subsystem is configured to utilize one or more tools to process the alert. However, Sansom teaches autonomously generating one or more of an investigation and a remediation plan using a generative AI-based planner subsystem (US 20240406195, Sansom, para. 0034 and 0141: [0034] FIG. 15 illustrates a diagram of an embodiment of i) the cyber threat detection engine using Artificial Intelligence algorithms configured and trained to perform a first machine-learned task of detecting the cyber threat, ii) an autonomous response engine using Artificial Intelligence algorithms configured and trained to perform a second machine-learned task of taking one or more mitigation actions to mitigate the cyber threat; [0141] According to one embodiment of the disclosure, the cyber threat analyst module 120 allows two levels of investigations of a cyber threat that may suggest a potential impending cyberattack. In a first level of investigation, the analyzer module 115 and AI model(s) 160 can rapidly detect and then the autonomous response engine 140 will autonomously respond to overt and obvious cyberattacks.), wherein the generative AI-based planner subsystem is configured to utilize one or more tools to process the alert (US 20240406195, Sansom, para. 0135, The AI model(s) 160 may be trained with machine learning on a normal pattern of life for entities in the network(s)/domain(s) under analysis, with machine learning on cyber threat hypotheses to form and investigate a cyber threat hypothesis on what are a possible set of cyber threats and their characteristics, symptoms, remediations, etc., and/or trained on possible cyber threats including their characteristics and symptoms, an interface to a restoration engine 190, an interface to a cyber-attack simulator 105, and other similar components.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Biever with the teaching of Sansom because a user would have been motivated to use artificial intelligence, taught by Sansom, in order to autonomously detect and mitigate malicious attacks in the system taught by Biever (Sansom, para. 0034).
In regards to claim 22, the combination of Biever and Sansom teaches the computing system of claim 21 wherein the network entity includes one or more of: a network device; a computing device (US 2020087929, Biever, para. 0023, In the example shown, the computer network 105 includes a plurality of computers including detection computers 200, 205, 210, response computers 215, 220, 225, and an analysis computer 230.); a network user; a service; a container; a pod; and a virtual machine.
In regards to claim 23, the combination of Biever and Sansom teaches the computing system of claim 21 wherein the plurality of data sources includes one or more of: one or more content delivery network systems; one or more database activity monitoring systems (US 2020087929, Biever, para. 0031, The threat data aggregator 515 is executed by the electronic processor 500 and configured to combine (aggregate) cybersecurity threat data from a plurality of detection computers (a plurality of different types of detection software), cybersecurity threat data from a shared threat repository 150, and metadata from a plurality of devices included in the computer network 105.); one or more user behavior analytics systems; one or more mobile device management systems; one or more identity and access management systems; one or more domain name server systems; one or more antivirus systems; one or more operating systems; one or more data lakes; one or more data logs; one or more security-relevant software applications (US 2020087929, Biever, para. 0031, The threat data aggregator 515 is executed by the electronic processor 500 and configured to combine (aggregate) cybersecurity threat data from a plurality of detection computers (a plurality of different types of detection software)); one or more security-relevant hardware systems; one or more security information and event management (SIEM) systems; and one or more resources external to the computing platform.
In regards to claim 24, the combination of Biever and Sansom teaches the computing system of claim 21 further comprising: processing the consolidated network entity data to generate analysis data that concerns the event and/or the network entity (US 2020087929, Biever, para. 0005, Each computer network associated with one of the plurality of organizations includes a plurality of hardware and software that allows for detection of cybersecurity threats, analysis of detected cybersecurity threats, and responding to the detected cybersecurity threats.).
In regards to claim 26, the combination of Biever and Sansom teaches the computing system of claim 24 further comprising: effectuating a remedial action based, at least in part, upon the analysis data that concerns the event and/or the network entity (US 2020087929, Biever, para. 0036, When the response software 415, 620, 625 receives the signal regarding the cybersecurity threat (block 725), the response software 415, 620, 625 performs an action that limits the effects of the cybersecurity threat on the first computer network 105 and in some embodiments prevents the cybersecurity threat from affecting the first computer network 105.).
2.) Claims 5, 15 and 25 are rejected under 35 U.S.C. 103 as being unpatentable over US 2020087929, Biever, in view of US 20240406195, Sansom, and further in view of US 11636206, Kenyon.
In regards to claim 5, the combination of Biever and Sansom teaches the computer-implemented method of claim 4. The combination of Biever and Sansom does not teach wherein processing the consolidated network entity data to generate analysis data that concerns the event and/or the network entity includes: determining a position and a history of any network user involved in the event. However, Kenyon teaches wherein processing the consolidated network entity data to generate analysis data that concerns the event and/or the network entity includes: determining a position and a history of any network user involved in the event (US 11636206, Kenyon, col. 10, lines 13-19, The threat management facility 100 may control access to the enterprise facility 102 networks. A network access facility 124 may restrict access to certain applications, networks, files, printers, servers, databases, and so on. In addition, the network access facility 124 may restrict user access under certain conditions, such as the user's location, usage history,). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of the combination of Biever and Sansom with the teaching of Kenyon because a user would have been motivated to defer remediation efforts for a period of time in order to update the data from a threat management system, taught by Biever, to subsequently address any initial malware detections (Kenyon, col. 1, lines 29-39).
In regards to claim 15, the combination of Biever and Sansom teaches the computer program product of claim 14. The combination of Biever and Sansom does not teach wherein processing the consolidated network entity data to generate analysis data that concerns the event and/or the network entity includes: determining a position and a history of any network user involved in the event. However, Kenyon teaches wherein processing the consolidated network entity data to generate analysis data that concerns the event and/or the network entity includes: determining a position and a history of any network user involved in the event (US 11636206, Kenyon, col. 10, lines 13-19, The threat management facility 100 may control access to the enterprise facility 102 networks. A network access facility 124 may restrict access to certain applications, networks, files, printers, servers, databases, and so on. In addition, the network access facility 124 may restrict user access under certain conditions, such as the user's location, usage history,). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of the combination of Biever and Sansom with the teaching of Kenyon because a user would have been motivated to defer remediation efforts for a period of time in order to update the data from a threat management system, taught by Biever, to subsequently address any initial malware detections (Kenyon, col. 1, lines 29-39).
In regards to claim 25, the combination of Biever and Sansom teaches the computing system of claim 24. The combination of Biever and Sansom does not teach wherein processing the consolidated network entity data to generate analysis data that concerns the event and/or the network entity includes: determining a position and a history of any network user involved in the event. However, Kenyon teaches wherein processing the consolidated network entity data to generate analysis data that concerns the event and/or the network entity includes: determining a position and a history of any network user involved in the event (US 11636206, Kenyon, col. 10, lines 13-19, The threat management facility 100 may control access to the enterprise facility 102 networks. A network access facility 124 may restrict access to certain applications, networks, files, printers, servers, databases, and so on. In addition, the network access facility 124 may restrict user access under certain conditions, such as the user's location, usage history,). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of the combination of Biever and Sansom with the teaching of Kenyon because a user would have been motivated to defer remediation efforts for a period of time in order to update the data from a threat management system, taught by Biever, to subsequently address any initial malware detections (Kenyon, col. 1, lines 29-39).
3.) Claims 7, 17 and 27 are rejected under 35 U.S.C. 103 as being unpatentable over US 2020087929, Biever in view of US 20240406195, Sansom and further in view of US 20100125900, Dennerline
In regards to claim 7, the combination of Biever and Samson teach the computer-implemented method of claim 6. The combination of Biever and Samson do not teach wherein effectuating a remedial action based, at least in part, upon the analysis data that concerns the event and/or the network entity includes:allowing the event to continue if the event is deemed to be a low threat level However, Dennerline teaches wherein effectuating a remedial action based, at least in part, upon the analysis data that concerns the event and/or the network entity includes:allowing the event to continue if the event is deemed to be a low threat level (US 20100125900, Dennerline, para. 0055, Based on their threat-score, selected packets are either dropped (high threat), or fast forwarded (low threat) in order to ensure continued inspection for unknown and newly arriving connections.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of the combination of Biever and Samson with the teaching of Dennerline because a user would have been motivated to perform a cost-benefit analysis for network intrusion, taught by Dennerline, in order to determine if forwarding the data information in the system taught by Biever is warranted(Dennerline, para. 0006)
In regards to claim 17, the combination of Biever and Samson teach the computer program product of claim 16. The combination of Biever and Samson do not teach wherein effectuating a remedial action based, at least in part, upon the analysis data that concerns the event and/or the network entity includes:allowing the event to continue if the event is deemed to be a low threat level However, Dennerline teaches wherein effectuating a remedial action based, at least in part, upon the analysis data that concerns the event and/or the network entity includes:allowing the event to continue if the event is deemed to be a low threat level(US 20100125900, Dennerline, para. 0055, Based on their threat-score, selected packets are either dropped (high threat), or fast forwarded (low threat) in order to ensure continued inspection for unknown and newly arriving connections.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of the combination of Biever and Samson with the teaching of Dennerline because a user would have been motivated to perform a cost-benefit analysis for network intrusion, taught by Dennerline, in order to determine if forwarding the data information in the system taught by Biever is warranted(Dennerline, para. 0006)
In regards to claim 27, the combination of Biever and Samson teaches the computing system of claim 26. The combination of Biever and Samson does not teach wherein effectuating a remedial action based, at least in part, upon the analysis data that concerns the event and/or the network entity includes: allowing the event to continue if the event is deemed to be a low threat level. However, Dennerline teaches wherein effectuating a remedial action based, at least in part, upon the analysis data that concerns the event and/or the network entity includes: allowing the event to continue if the event is deemed to be a low threat level (US 20100125900, Dennerline, para. 0055, Based on their threat-score, selected packets are either dropped (high threat), or fast forwarded (low threat) in order to ensure continued inspection for unknown and newly arriving connections.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of the combination of Biever and Samson with the teaching of Dennerline because a user would have been motivated to perform a cost-benefit analysis for network intrusion, taught by Dennerline, in order to determine if forwarding the data information in the system taught by Biever is warranted (Dennerline, para. 0006).
4.) Claims 8-10, 18-20 and 28-30 are rejected under 35 U.S.C. 103 as being unpatentable over US 2020087929, Biever in view of US 20240406195, Sansom and further in view of US 20220277076, Murphy.
In regards to claim 8, the combination of Biever and Samson teaches the computer-implemented method of claim 6. The combination of Biever and Samson does not teach wherein effectuating a remedial action based, at least in part, upon the analysis data that concerns the event and/or the network entity includes: generating an event report for further review if the event is deemed to be a moderate threat level. However, Murphy teaches wherein effectuating a remedial action based, at least in part, upon the analysis data that concerns the event and/or the network entity includes: generating an event report for further review if the event is deemed to be a moderate threat level (US 20220277076, Murphy, para. 0163, Further and when executing 912 a remedial action plan, threat mitigation process 10 may generate 916 a security event report (e.g., security event report 254) based, at least in part, upon the artifacts (e.g., artifacts 250) gathered 904; and provide 918 the security event report (e.g., security event report 254) to an analyst (e.g., analyst 256) for further review when e.g., threat mitigation process 10 assigns 908 a “moderate” threat level to the above-described security event). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of the combination of Biever and Samson with the teaching of Murphy because a user would have been motivated to employ machine learning to identify patterns/trends in the data information taught by Biever in order to supplement the threat analyzer analysis for determining cybersecurity threats (Murphy, para. 0005).
In regards to claim 9, the combination of Biever and Samson teaches the computer-implemented method of claim 6. The combination of Biever and Samson does not teach wherein effectuating a remedial action based, at least in part, upon the analysis data that concerns the event and/or the network entity includes: autonomously executing a threat mitigation plan if the event is deemed to be a severe threat level. However, Murphy teaches wherein effectuating a remedial action based, at least in part, upon the analysis data that concerns the event and/or the network entity includes: autonomously executing a threat mitigation plan if the event is deemed to be a severe threat level (US 20220277076, Murphy, para. 0164, Further and when executing 912 a remedial action plan, threat mitigation process 10 may autonomously execute 920 a threat mitigation plan (shutting down the stream and closing the port) when e.g., threat mitigation process 10 assigns 908 a “severe” threat level to the above-described security event). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of the combination of Biever and Samson with the teaching of Murphy because a user would have been motivated to employ machine learning to identify patterns/trends in the data information taught by Biever in order to supplement the threat analyzer analysis for determining cybersecurity threats (Murphy, para. 0005).
In regards to claim 10, the combination of Biever and Samson teaches the computer-implemented method of claim 4. The combination of Biever and Samson does not teach further comprising: revising the consolidated network entity data based, at least in part, upon the analysis data. However, Murphy teaches further comprising: revising the consolidated network entity data based, at least in part, upon the analysis data (US 20220277076, Murphy, para. 0120, Referring also to FIG. 9, threat mitigation process 10 may be configured to make recommendations concerning security relevant subsystems that are missing from computing platform 60. As discussed above, threat mitigation process 10 may obtain 500 consolidated platform information for computing platform 60 to identify one or more deployed security-relevant subsystems 226 (e.g., CDN (i.e., Content Delivery Network) systems;… This consolidated platform information may be obtained from an independent information source (e.g., such as SIEM system 230 that may provide system-defined consolidated platform information 236) and/or may be obtained from a client information source (e.g., such as questionnaires 240 that may provide client-defined consolidated platform information 238)). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of the combination of Biever and Samson with the teaching of Murphy because a user would have been motivated to employ machine learning to identify patterns/trends in the data information taught by Biever in order to supplement the threat analyzer analysis for determining cybersecurity threats (Murphy, para. 0005).
In regards to claim 18, the combination of Biever and Samson teaches the computer program product of claim 16. The combination of Biever and Samson does not teach wherein effectuating a remedial action based, at least in part, upon the analysis data that concerns the event and/or the network entity includes: generating an event report for further review if the event is deemed to be a moderate threat level. However, Murphy teaches wherein effectuating a remedial action based, at least in part, upon the analysis data that concerns the event and/or the network entity includes: generating an event report for further review if the event is deemed to be a moderate threat level (US 20220277076, Murphy, para. 0163, Further and when executing 912 a remedial action plan, threat mitigation process 10 may generate 916 a security event report (e.g., security event report 254) based, at least in part, upon the artifacts (e.g., artifacts 250) gathered 904; and provide 918 the security event report (e.g., security event report 254) to an analyst (e.g., analyst 256) for further review when e.g., threat mitigation process 10 assigns 908 a “moderate” threat level to the above-described security event). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of the combination of Biever and Samson with the teaching of Murphy because a user would have been motivated to employ machine learning to identify patterns/trends in the data information taught by Biever in order to supplement the threat analyzer analysis for determining cybersecurity threats (Murphy, para. 0005).
In regards to claim 19, the combination of Biever and Samson teaches the computer program product of claim 16. The combination of Biever and Samson does not teach wherein effectuating a remedial action based, at least in part, upon the analysis data that concerns the event and/or the network entity includes: autonomously executing a threat mitigation plan if the event is deemed to be a severe threat level. However, Murphy teaches wherein effectuating a remedial action based, at least in part, upon the analysis data that concerns the event and/or the network entity includes: autonomously executing a threat mitigation plan if the event is deemed to be a severe threat level (US 20220277076, Murphy, para. 0164, Further and when executing 912 a remedial action plan, threat mitigation process 10 may autonomously execute 920 a threat mitigation plan (shutting down the stream and closing the port) when e.g., threat mitigation process 10 assigns 908 a “severe” threat level to the above-described security event). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of the combination of Biever and Samson with the teaching of Murphy because a user would have been motivated to employ machine learning to identify patterns/trends in the data information taught by Biever in order to supplement the threat analyzer analysis for determining cybersecurity threats (Murphy, para. 0005).
In regards to claim 20, the combination of Biever and Samson teaches the computer program product of claim 14. The combination of Biever and Samson does not teach further comprising: revising the consolidated network entity data based, at least in part, upon the analysis data. However, Murphy teaches further comprising: revising the consolidated network entity data based, at least in part, upon the analysis data (US 20220277076, Murphy, para. 0120, Referring also to FIG. 9, threat mitigation process 10 may be configured to make recommendations concerning security relevant subsystems that are missing from computing platform 60. As discussed above, threat mitigation process 10 may obtain 500 consolidated platform information for computing platform 60 to identify one or more deployed security-relevant subsystems 226 (e.g., CDN (i.e., Content Delivery Network) systems;… This consolidated platform information may be obtained from an independent information source (e.g., such as SIEM system 230 that may provide system-defined consolidated platform information 236) and/or may be obtained from a client information source (e.g., such as questionnaires 240 that may provide client-defined consolidated platform information 238)). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of the combination of Biever and Samson with the teaching of Murphy because a user would have been motivated to employ machine learning to identify patterns/trends in the data information taught by Biever in order to supplement the threat analyzer analysis for determining cybersecurity threats (Murphy, para. 0005).
In regards to claim 28, the combination of Biever and Samson teaches the computing system of claim 26. The combination of Biever and Samson does not teach wherein effectuating a remedial action based, at least in part, upon the analysis data that concerns the event and/or the network entity includes: generating an event report for further review if the event is deemed to be a moderate threat level. However, Murphy teaches wherein effectuating a remedial action based, at least in part, upon the analysis data that concerns the event and/or the network entity includes: generating an event report for further review if the event is deemed to be a moderate threat level (US 20220277076, Murphy, para. 0163, Further and when executing 912 a remedial action plan, threat mitigation process 10 may generate 916 a security event report (e.g., security event report 254) based, at least in part, upon the artifacts (e.g., artifacts 250) gathered 904; and provide 918 the security event report (e.g., security event report 254) to an analyst (e.g., analyst 256) for further review when e.g., threat mitigation process 10 assigns 908 a “moderate” threat level to the above-described security event). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of the combination of Biever and Samson with the teaching of Murphy because a user would have been motivated to employ machine learning to identify patterns/trends in the data information taught by Biever in order to supplement the threat analyzer analysis for determining cybersecurity threats (Murphy, para. 0005).
In regards to claim 29, the combination of Biever and Samson teaches the computing system of claim 26. The combination of Biever and Samson does not teach wherein effectuating a remedial action based, at least in part, upon the analysis data that concerns the event and/or the network entity includes: autonomously executing a threat mitigation plan if the event is deemed to be a severe threat level. However, Murphy teaches wherein effectuating a remedial action based, at least in part, upon the analysis data that concerns the event and/or the network entity includes: autonomously executing a threat mitigation plan if the event is deemed to be a severe threat level (US 20220277076, Murphy, para. 0164, Further and when executing 912 a remedial action plan, threat mitigation process 10 may autonomously execute 920 a threat mitigation plan (shutting down the stream and closing the port) when e.g., threat mitigation process 10 assigns 908 a “severe” threat level to the above-described security event). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of the combination of Biever and Samson with the teaching of Murphy because a user would have been motivated to employ machine learning to identify patterns/trends in the data information taught by Biever in order to supplement the threat analyzer analysis for determining cybersecurity threats (Murphy, para. 0005).
In regards to claim 30, the combination of Biever and Samson teaches the computing system of claim 24. The combination of Biever and Samson does not teach further comprising: revising the consolidated network entity data based, at least in part, upon the analysis data. However, Murphy teaches further comprising: revising the consolidated network entity data based, at least in part, upon the analysis data (US 20220277076, Murphy, para. 0120, Referring also to FIG. 9, threat mitigation process 10 may be configured to make recommendations concerning security relevant subsystems that are missing from computing platform 60. As discussed above, threat mitigation process 10 may obtain 500 consolidated platform information for computing platform 60 to identify one or more deployed security-relevant subsystems 226 (e.g., CDN (i.e., Content Delivery Network) systems;… This consolidated platform information may be obtained from an independent information source (e.g., such as SIEM system 230 that may provide system-defined consolidated platform information 236) and/or may be obtained from a client information source (e.g., such as questionnaires 240 that may provide client-defined consolidated platform information 238)). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of the combination of Biever and Samson with the teaching of Murphy because a user would have been motivated to employ machine learning to identify patterns/trends in the data information taught by Biever in order to supplement the threat analyzer analysis for determining cybersecurity threats (Murphy, para. 0005).
CONCLUSION
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GREGORY LANE whose telephone number is (571)270-7469. The examiner can normally be reached on 571 270 7469 from 8:00 AM to 6:00 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Taghi Arani, can be reached on 571 272 3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/GREGORY A LANE/ Examiner, Art Unit 2438
/TAGHI T ARANI/Supervisory Patent Examiner, Art Unit 2438