US 7,159,237 C1 (12,852nd)
Method and system for dynamic network intrusion monitoring, detection and response
Bruce Schneier, Minneapolis, MN (US); Andrew H. Gross, San Jose, CA (US); and Jonathan D. Callas, San Jose, CA (US)
Filed by Bruce Schneier, Minneapolis, MN (US); Andrew H. Gross, San Jose, CA (US); and Jonathan D. Callas, San Jose, CA (US)
Assigned to BT AMERICAS INC., Irving, TX (US)
Reexamination Request No. 90/019,422, Feb. 16, 2024.
Reexamination Certificate for Patent 7,159,237, issued Jan. 2, 2007, Appl. No. 09/766,343, Jan. 19, 2001.
Claims priority of provisional application 60/190,326, filed on Mar. 16, 2000.
Ex Parte Reexamination Certificate issued on Feb. 24, 2025.
Int. Cl. G06F 7/04 (2006.01); G06F 11/00 (2006.01); G06F 15/16 (2006.01); G06F 15/173 (2006.01); G06F 21/55 (2013.01); H04K 1/00 (2006.01); H04L 9/40 (2022.01)
CPC G06F 21/552 (2013.01) [H04L 63/1416 (2013.01); H04L 63/20 (2013.01)]
OG exemplary drawing
AS A RESULT OF REEXAMINATION, IT HAS BEEN DETERMINED THAT:
The patentability of claims 1-42 is confirmed.
1. A method of operating a probe as part of a security monitoring system for a computer network, comprising:
a) collecting status data from at least one monitored component of said network;
b) analyzing status data to identify potentially security-related events represented in the status data, wherein the analysis includes filtering followed by an analysis of post-filtering residue, wherein the post-filtering residue is data neither discarded nor selected by filtering;
c) transmitting information about said identified events to an analyst associated with said security monitoring system;
d) receiving feedback at the probe based on empirically-derived information reflecting operation of said security monitoring system; and
e) dynamically modifying an analysis capability of said probe during operation thereof based on said received feedback.
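As an added illustration of the five claimed steps (not the patent's or the assignee's code), the sketch below models a probe that filters collected status data into discarded, selected and residue sets, analyzes the residue for repeated message shapes, reports the resulting events, and then reshapes its own filters and thresholds from analyst feedback. The log lines, the filter vocabulary, the `<v>` placeholder convention and the feedback dictionary format are all constructed assumptions for this example.

```python
"""Toy probe: collect -> filter -> analyze residue -> report -> adapt from feedback."""
import re
from collections import Counter

# Constructed sample status data (syslog-style lines); not from any real system.
SAMPLE_STATUS = [
    "sshd: Accepted publickey for deploy from 10.0.0.5",
    "cron: job backup finished",
    "sshd: Failed password for root from 203.0.113.9",
    "sshd: Failed password for root from 203.0.113.9",
    "sshd: Failed password for root from 203.0.113.9",
    "kernel: eth0 link up",
    "app: unexpected opcode 0x7f from client 198.51.100.4",
    "app: unexpected opcode 0x7f from client 198.51.100.4",
    "sshd: Failed password for admin from 203.0.113.9",
]

# Tokens containing a digit (addresses, counters, hex literals) are treated as variable.
_VARIABLE_TOKEN = re.compile(r"\S*\d\S*")


def template(record):
    """Collapse variable tokens so records with the same shape are counted together."""
    return _VARIABLE_TOKEN.sub("<v>", record)


class Probe:
    def __init__(self):
        # Step b filtering vocabulary (assumed): known-benign substrings are discarded,
        # known-suspicious substrings are selected; everything else is residue.
        self.discard = {"Accepted publickey", "cron:", "link up"}
        self.select = {"Failed password for root"}
        # Residue-analysis parameter: a residue shape repeated at least this many
        # times in one collection window is reported as an event.
        self.residue_threshold = 3

    def collect(self, source):
        """Step a: status data from the monitored component (here, a plain list)."""
        return list(source)

    def analyze(self, records):
        """Step b: filter, then analyze the post-filtering residue."""
        selected, residue = [], []
        for r in records:
            if any(p in r for p in self.discard):
                continue  # discarded by filtering
            (selected if any(p in r for p in self.select) else residue).append(r)
        events = [{"kind": "selected", "shape": s, "count": n}
                  for s, n in Counter(map(template, selected)).items()]
        # Residue is neither discarded nor selected; look for repeated shapes in it.
        events += [{"kind": "residue", "shape": s, "count": n}
                   for s, n in Counter(map(template, residue)).items()
                   if n >= self.residue_threshold]
        return events

    def transmit(self, events):
        """Step c: hand identified events to the analyst; here, simply return them."""
        return events

    def apply_feedback(self, feedback):
        """Steps d and e: modify the probe's analysis capability at run time.

        `feedback` is an assumed dict with optional keys "benign", "suspicious"
        and "residue_threshold", standing in for empirically derived guidance.
        """
        self.discard |= set(feedback.get("benign", []))
        self.select |= set(feedback.get("suspicious", []))
        if "residue_threshold" in feedback:
            self.residue_threshold = int(feedback["residue_threshold"])


def run_cycle(probe, source):
    """One monitoring cycle: steps a through c."""
    return probe.transmit(probe.analyze(probe.collect(source)))


if __name__ == "__main__":
    probe = Probe()
    first = run_cycle(probe, SAMPLE_STATUS)
    # Constructed analyst feedback: two repeats of one residue shape are worth an event.
    probe.apply_feedback({"residue_threshold": 2})
    second = run_cycle(probe, SAMPLE_STATUS)
    for e in first + second:
        print(e)
```

On the sample data the first cycle reports only the selected repeated root-login failures; the two `unexpected opcode` lines remain residue below the threshold. After the feedback lowers the residue threshold, the same data yields a second, residue-derived event without any change to the probe's code, which is the dynamic modification the claim's steps d) and e) describe.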