DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The text of those sections of Title 35 U.S. Code not included in this section can be found in the prior office action.
The prior office actions are incorporated herein by reference, in particular the observations with respect to claim language and the response to previously presented arguments.
Claims 1-4 and 6-9, now renumbered as claims 1-8, have been examined.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Claims 1, 8 and 9 have been amended as follows:
Claim 1 (Currently Amended): A specifying system comprising a configuration information storage device that stores information on a terminal in a network and a specifying device that specifies a state of the terminal, wherein 
the configuration information storage device stores connection information indicating a connection relation between terminals in the network, and the specifying device includes 
a memory; and 
processing circuitry coupled to the memory and configured to execute a process comprising: 
receiving detection information from a security device that detects hacking into the network or an activity of a terminal related to infection and state specifying a state of the terminal from information of the terminal and content of activity of the terminal, which indicates that the terminal is infected, included in the detection information, and 
specifying, when specifying that the terminal is in the state of being infected with malware, 
(i) a suspicion score of each of one or more other terminals in the network, before each of the one or more other terminals in the network perform the content of the activity included in the detection information, based on the connection information stored in the configuration information storage device, the suspicion score indicating a degree of suspicion of present infection of the one or more other terminals in the network based on whether each of the one or more other terminals transmits data toward the infected terminal and further based on a total number of devices that transmit data toward the infected terminal, and 
(ii) an infection risk score that indicates a degree of risk of future infection of each of the one or more other terminals on a basis of being located on a route downstream from the infected terminal, along which the infected terminal is determined as likely to be used for hacking or for infection of the terminal in the future based on the connection information stored in the configuration information storage device.

Claim 8 (Currently Amended): A specifying device comprising: 
a memory; and 
processing circuitry coupled to the memory and configured to execute a process comprising: 
receiving detection information related to detection from a security device that detects hacking into a network including a plurality of terminals or an activity of a terminal related to infection, and state specifying a state of the terminal from information of the terminal and content of activity of the terminal, which indicates that the terminal is infected, included in the detection information, and 
specifying, when specifying that the terminal is in the state of being infected with malware, 
(i) a suspicion score of each of one or more other terminals in the network, before each of the one or more other terminals in the network perform the content of the activity included in the detection information, based on connection information indicating a connection relation between the terminals in the network, the suspicion score indicating a degree of suspicion of present infection of the one or more other terminals in the network based on whether each of the one or more other terminals transmits data toward the infected terminal and further based on a total number of devices that transmit data toward the infected terminal, and 
(ii) an infection risk score that indicates a degree of risk of future infection of each of the one or more other terminals on a basis of being located on a route downstream from the infected terminal, along which the infected terminal is determined as likely to be used for hacking or for infection of the terminal in the future based on the connection information.

Claim 9 (Currently Amended): A specifying method executed by a specifying device, the method comprising: 
receiving detection information related to detection from a security device that detects hacking into a network including a plurality of terminals or an activity of a terminal related to infection, and state specifying a state of the terminal from information of the terminal and content of activity of the terminal, which indicates that the terminal is infected, included in the detection information, and 
specifying, when specifying that the terminal is in the state of being infected with malware, 
(i) a suspicion score of each of one or more other terminals in the network, before each of the one or more other terminals in the network perform the content of the activity included in the detection information, based on connection information indicating a connection relation between the terminals in the network, the suspicion score indicating a degree of suspicion of present infection of the one or more other terminals in the network based on whether each of the one or more other terminals transmits data toward the infected terminal and further based on a total number of devices that transmit data toward the infected terminal, and 
(ii) an infection risk score that indicates a degree of risk of future infection of each of the one or more other terminals on a basis of being located on a route downstream from the infected terminal, along which the infected terminal is determined as likely to be used for hacking or for infection of the terminal in the future based on the connection information.

Allowable Subject Matter
Claims 1-4 and 6-9 are allowed over prior art of record.

Response to Arguments
Applicant’s arguments, see Remarks filed on 08/07/2020, have been fully considered and are persuasive.  

Examiner's Statement of Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
Independent claims 1, 8 and 9 are allowed in view of the examiner’s amendment and for reasons presented by the applicant in the Remarks. Claims 2-4 and 6-7 depend on claim 1 and are therefore allowed by virtue of their dependency.
Prior art of record Saha teaches: A near-bipartite graph is used to represent HTTP flows between clients and servers. The clients and servers correspond to nodes in the graph and the links represent their inter-connectivity. Certain HTTP flows, clients and servers are initially classified as malicious based on detection information received from an intrusion detection system (IDS). Each server and client is assigned a server-to-client (SC) propagation parameter and a client-to-server (CS) propagation parameter based on the initial malicious classification of a flow between the client and server of a client/server pair. Using the score propagation parameters, an iterative score propagation is performed to generate final scores of endpoints. An endpoint is detected as malicious in response to its final score exceeding a pre-determined threshold. In this fashion, a previously unidentified malicious endpoint is detected.
Prior art of record Zoldi teaches: Risk is propagated from known detected malicious domains across the network using the Bayesian belief propagation algorithm to inform and score internal computers by their interconnectedness to risk. The network is "seeded" with some ground truth risk levels (known positive and negative domains) and riskiness propagated until equilibrium is reached. A global consortium view of the data provides elevated performance as compromises detected in one organization, with a set of domains manually confirmed to be malicious, yields information which can be propagated to other organizations to score their internal computers for riskiness if they connected to high risk domains.
However, Saha and Zoldi fail to teach: “specifying, a suspicion score of each of one or more other terminals in the network, before each of the one or more other terminals in the network perform the content of the activity included in the detection information, based on connection information indicating a connection relation between the terminals in the network, the suspicion score indicating a degree of suspicion of present infection of the one or more other terminals in the network based on whether each of the one or more other terminals transmits data toward the infected terminal and further based on a total number of devices that transmit data toward the infected terminal”, i.e., the prior arts fail to teach calculating the suspicion score of a device based on whether the device transmits data towards the infected device and the total number of devices that transmit data towards the infected device. 
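The two scores recited in amended claims 1, 8 and 9, as an added example that is not taken from the application or the cited art: suspicion is assigned to terminals that transmit toward the infected terminal, and infection risk to terminals on a route downstream of it. The claims recite no formula, so the 1/N suspicion weighting, the 1/hops risk weighting, the terminal names and the activity labels below are assumptions made for illustration.

```python
from collections import deque

# Constructed connection information: (src, dst) means src transmits data toward dst.
CONNECTIONS = [("pc-a", "file-srv"), ("pc-b", "file-srv"), ("pc-c", "db-srv"),
               ("file-srv", "db-srv"), ("file-srv", "printer"), ("db-srv", "backup")]
# Hypothetical activity labels a security device might report as infection-related.
INFECTION_ACTIVITIES = {"c2-communication", "malware-download"}

def suspicion_scores(edges, infected):
    """Present-infection suspicion of terminals that transmit toward `infected`.
    Assumed weighting: 1/N, where N is the total number of such senders."""
    senders = {src for src, dst in edges if dst == infected and src != infected}
    return {t: 1.0 / len(senders) for t in senders}

def infection_risk_scores(edges, infected):
    """Future-infection risk of terminals on a route downstream of `infected`.
    Assumed weighting: 1/hops along the shortest downstream route."""
    downstream = {}
    for src, dst in edges:
        downstream.setdefault(src, set()).add(dst)
    hops, queue = {infected: 0}, deque([infected])
    while queue:  # breadth-first walk; the hops map also guards against cycles
        node = queue.popleft()
        for nxt in downstream.get(node, ()):
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return {t: 1.0 / h for t, h in hops.items() if h > 0}

def on_detection(edges, detection):
    """Specify the terminal's state from the detection, then score the others."""
    if detection["activity"] not in INFECTION_ACTIVITIES:
        return None  # state is not "infected": nothing to score
    terminal = detection["terminal"]
    return {"infected": terminal,
            "suspicion": suspicion_scores(edges, terminal),
            "infection_risk": infection_risk_scores(edges, terminal)}

if __name__ == "__main__":
    print(on_detection(CONNECTIONS,
                       {"terminal": "file-srv", "activity": "c2-communication"}))
```

Both scores are computed from the connection information alone, before any other terminal has itself triggered a detection; pc-c receives neither score because it neither transmits toward file-srv nor lies downstream of it.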
None of the prior art of record, either taken by itself or in any combination, would have anticipated or made obvious the invention of the present application at or before the time it was filed.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
US 8341745 to Chau et al: The probability of a computer file being malware is inferred by iteratively propagating domain knowledge among computer files, related clients, and/or related source domains. A graph is generated to include machine nodes representing clients, file nodes representing files residing on the clients, and optionally domain nodes representing source domains hosting the files. The graph also includes edges connecting the machine nodes with the related file nodes, and optionally edges connecting the domain nodes with the related file nodes. Priors and edge potentials are set for the nodes and the edges based on related domain knowledge. The domain knowledge is iteratively propagated and aggregated among the connected nodes through exchanging messages among the connected nodes. The iteration process ends when a stopping criterion is met. The classification and associated marginal probability for each file node are calculated based on the priors, the received messages, and the edge potentials associated with the edges through which the messages were received.
US 10164995 to Fang et al: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for performing semi-supervised learning on partially labeled nodes on a bipartite graph. One described method can determine a useful score of malware infection risk from partial known facts for entities modeled as nodes on a bipartite graph, where network traffic is measured between inside-the-enterprise entities and outside-the-enterprise entities. This and other methods can be implemented in a large-scale massively parallel processing database. Methods of scaling the partial label input and of presenting the results are also described.
Probabilistic Threat Propagation for Network Security by Carter et al: In this paper, we present a method for detecting malicious and infected nodes on both monitored networks and the external Internet. We leverage prior community detection and graphical modeling work by propagating threat probabilities across network nodes, given an initial set of known malicious nodes. We enhance prior work by employing constraints that remove the adverse effect of cyclic propagation that is a byproduct of current methods. We demonstrate the effectiveness of probabilistic threat propagation on the tasks of detecting botnets and malicious web destinations.
Detecting malicious clients in ISP networks using HTTP connectivity graph and flow information by Liu et al: This paper considers an approach to identify previously undetected malicious clients in Internet Service Provider (ISP) networks by combining flow classification with a graph-based score propagation method. Our approach represents all HTTP communications between clients and servers as a weighted, near-bipartite graph, where the nodes correspond to the IP addresses of clients and servers while the links are their interconnections, weighted according to the output of a flow-based classifier. We employ a two-phase alternating score propagation algorithm on the graph to identify suspicious clients in a monitored network.
	
	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359.  The examiner can normally be reached on 8:30AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


MADHURI R. HERZOG
Primary Examiner
Art Unit 2438


