DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
Claims 1-2, 9-10 and 18-19 have been amended. Claims 1-23 are currently pending. Applicant’s amendments, with respect to claims 1, 9 and 18, overcome §102 rejections to the claims. The 102 rejections have been withdrawn.

Response to Arguments
With respect to claim 1, Applicant asserts that Chen ‘226 does not teach “determining an ancestry level of the ancestry command relative to the trigger command, and determining whether the ancestry level of the ancestry command is different from an expected ancestry level of the ancestry command for the trigger command”. Examiner respectfully disagrees.
Chen ‘226 describes how to detect a malicious process by using a graph model comprising vertices that represent system entities (e.g., processes, files and sockets) and edges that represent events between respective system entities, where an event sequence may be determined to be suspicious by walking the graph based on a set of valid path patterns (see para 0008). After an attack has occurred, a graph structure is generated by tracking the attacker’s activities (i.e., the process path) (see para 0019). In detail, the graph model is represented as a directed graph $G = (V, E, T)$, where $T$ is a set of timestamps, $E \subset V \times V \times T$ is the set of edges, and $V = F \cup P \cup U \cup S$ is the set of vertices, where $F$ is the set of files and $P$ is the set of processes. For a specific edge $(v_i, v_j)$ in $E$, $T(v_i, v_j)$ denotes the set of timestamps on the edge. It means that the graph $G$ is generated by connecting a sequence of system
An ancestry level of the ancestry command can be represented by a specific edge $(v_i, v_j)$ in $E$ together with the timestamps $T(v_i, v_j)$ for each $i$th and $j$th node, where the node is associated with an ancestry level on which a system entity such as a process (or ancestry command) is executed, which is represented by the edge $(v_i, v_j)$ (see para 0030). Note that the trigger command can be the edge $(v_i, v_j)$ that occurs last in terms of timestamps when an attack happens. Therefore, an ancestry level of the ancestry command (e.g., edge $(v_i, v_j)$) needs to be determined before detecting a malicious process, which necessitates a calculation of an anomaly score. Based on the scores, a deviation between the suspicious sequences and the normal sequences is measured to report those sequences that have a higher-than-threshold deviation (see para 0027), i.e., determining how much the ancestry level of the ancestry command (of the suspicious sequences) differs from the expected ancestry level of the ancestry command (of the normal sequences).
Applicant’s remaining arguments are based on Applicant's arguments against claim 1.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-4, 9-12 and 18-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over MASHEVSKY et al., US-20110083180-A1 (hereinafter “MASHEVSKY ‘180”; provided by IDS dated 07/12/2019) in view of Chen et al., US-20160330226-A1 (hereinafter “Chen ‘226”; provided by IDS dated 07/12/2019).
Per claim 1 (independent):
MASHEVSKY ‘180 discloses: A security service system for identifying a suspicious activity, the security service comprising: one or more processors; and memory coupled to the one or more processors, the memory including a plurality of modules communicatively coupled to each other and executable by the one or more processors, the plurality of modules comprising: a data module configured to store known patterns, the known patterns including known suspicious activity patterns and known indicators of attack (IoAs) ([0003], “The present invention is related to anti-malware technology, and more particularly, to detection of unknown malware threats based on real-time automatic event and analysis of behavioral patterns of objects” [Emphasis added.]; FIG. 1, [0042], “the incoming information regarding various events and file metadata, reported by the users, is filtered using the information stored in WL and BL knowledge databases (step 101). The filtering algorithm checks both WL and BL for the presence of any data regarding the incoming event information and object information, and filters out the known event information and object information.” [Emphasis added.] where the known event and object information are stored in the WL and BL knowledge databases.); 
a monitoring module configured to receive monitored data in a process running on a monitored computing device ([0012], “for detection of previously unknown malware, the method comprising: (a) receiving event information and file metadata from a remote computer” [Emphasis added.]); 
an identification module configured to identify one or more suspicious activity patterns based on a comparison between the received monitored data and the known patterns ([0012], “(b) identifying whether the event information or the file metadata is indicative of the known malware, indicative of the unknown malware, or indicative of malware absence”; [0042], “the incoming information regarding various events and file metadata, reported by the users, is filtered using the information stored in WL and BL knowledge databases (step 101).” [Emphasis added.]);
identify a trigger command in the process running on the monitored computing device, and identify an ancestry command associated with the trigger command (FIG. 2, [0046], “user invokes a browser and downloads an executable file Tubecodec934.exe … Upon execution, Tubecodec934.exe downloads several other files … In this case, Tubecodec934.exe. is a "parent" to five files: Svch0st.exe, Ntkrnl.dll, Calc.exe, 1.exe and Hosts.vbs, which are the "children" files of Tubecodec934.exe. The system proceeds to perform real time risk analysis and risk assessment, which includes construction of a "parent-child" hierarchy based on the invocation sequence of the files … performing the analysis of these files in order to assess a level of danger associated with these files. In order to detect the unknown threats represented by "parents" and "children", the system builds a graph representation analogous to the one shown in FIG. 2” [Emphasis added.] where once a user downloads the parent “Tubecodec934.exe”, which is to run on the system, it calls a series of commands (or files). If a trigger command is detected based on the database, the system backtracks by building a graph representation until it reaches a parent process.).
a determination module configured to: determine an ancestry level of the ancestry command relative to the trigger command, and determine whether the ancestry level of the ancestry command is different from an expected ancestry level of the ancestry command for the trigger command ([0008], “a graph comprising vertices that represent system entities and edges that represent events between respective system entities. Each edge has one or more timestamps corresponding respective events between two system entities” [Emphasis added.]; [0019], “provide complete evidence of an attacker's activity trace (i.e., the process path) after an attack has occurred” [Emphasis added.]; [0030], “The graph model is represented as a directed graph $G=(V, E, T)$, where $T$ is a set of timestamps, $E \subset V \times V \times T$ is the set of edges, and $V = F \cup P \cup U \cup S$ is the set of vertices, where F is the set of files … P is the set of processes … For a specific edge $(v_i, v_j)$ in E, $T(v_i, v_j)$ denotes the set of timestamps on the edge” [Emphasis added.]; FIG. 4, [0036], “A candidate path is determined to be suspicious by block 408 if, in the path, the involved entities behave differently from their normal roles … From G, an NxN square transition matrix A is calculated as:

[media_image1.png: equation for the transition matrix A, not reproduced here]

A[i][j] denotes the probability that the information flows from $v_i$ to $v_j$ in G” [Emphasis added.]; [0042], “the anomaly score for the path is calculated as:

[media_image2.png: equation for the path anomaly score, not reproduced here]

” [Emphasis added.]; [0027], “block 408 calculates an anomaly score of each candidate process to evaluate how abnormal the process is … there may be multiple different sequence patterns of different lengths … Block 410 measures the deviation between the suspicious sequences and the normal sequences, reporting those sequences that have a higher-than-threshold deviation” [Emphasis added.] where a specific edge $(v_i, v_j)$ of E tagged with the timestamps $T(v_i, v_j)$ for each $i$th and $j$th node represents activities to be traced between system entities (i.e., processes or files) in the graph model G. The nodes $i$, $j$ are associated with an ancestry level on which a system entity such as a process (or ancestry command) is executed, which is represented by the edge $(v_i, v_j)$. Since the edge is marked with timestamps, the edge $(v_i, v_j)$ that occurs last in terms of the timestamps when an attack happens can be the trigger command. Thus, the matrix A is calculated from the graph model G in order to obtain an anomaly score. Based on the scores, a deviation between the suspicious sequences and the normal sequences is measured to report those sequences that have a higher-than-threshold deviation, i.e., determining how much the ancestry level of the ancestry command (of the suspicious sequences) differs from the expected ancestry level of the ancestry command (of the normal sequences).).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified MASHEVSKY ‘180 with the comparison of anomaly scores to those of normal sequences, measuring the deviation between them against a threshold via the graph model as taught by Chen ‘226, because it would eliminate score bias from the path length, reduce the search space and the computational cost, and furthermore detect new attacks without training data [0018]-[0019].
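The determination the examiner reads onto Chen ‘226's timestamped graph, namely taking the trigger command as the edge that fires last, walking the parent chain to an ancestry command, and comparing that command's ancestry level with the level expected from benign sequences, is shown below as an added Python example. It is illustrative code written for this page, not code from MASHEVSKY ‘180, Chen ‘226 or the application under examination; the process names, the observed events and the benign baseline are constructed sample data, and "ancestry level" is taken here to mean the number of parent hops from the trigger command.

```python
from collections import defaultdict

# Constructed process-creation events (timestamp, parent, child) observed on one
# monitored host. Hypothetical sample data, not taken from either patent.
OBSERVED_EVENTS = [
    (1, "explorer.exe", "browser.exe"),
    (2, "browser.exe", "downloaded_setup.exe"),
    (3, "downloaded_setup.exe", "cmd.exe"),
    (4, "cmd.exe", "powershell.exe"),
]

# Constructed benign baseline: how the same trigger command is normally launched.
BASELINE_EVENTS = [
    (1, "explorer.exe", "cmd.exe"),
    (2, "cmd.exe", "powershell.exe"),
]


def build_graph(events):
    """Directed graph G=(V,E,T): parent->child edges, each tagged with its timestamps."""
    parents = {}                    # child -> parent (each process has one parent)
    timestamps = defaultdict(set)   # (parent, child) -> set of timestamps T(v_i, v_j)
    for ts, parent, child in events:
        parents[child] = parent
        timestamps[(parent, child)].add(ts)
    return parents, timestamps


def latest_trigger(timestamps):
    """The child of the edge with the latest timestamp: the command that fired last."""
    (_parent, child), _ = max(timestamps.items(), key=lambda kv: max(kv[1]))
    return child


def ancestry_chain(parents, trigger):
    """Trigger first, then its parent, grandparent, ... up to the root."""
    chain = [trigger]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain


def ancestry_level(parents, trigger, ancestor):
    """Parent hops from trigger up to ancestor, or None if it is not an ancestor."""
    chain = ancestry_chain(parents, trigger)
    return chain.index(ancestor) if ancestor in chain else None


def expected_levels(baseline_events, trigger):
    """Expected ancestor -> level map learned from the benign baseline sequence."""
    parents, _ = build_graph(baseline_events)
    chain = ancestry_chain(parents, trigger)
    return {anc: lvl for lvl, anc in enumerate(chain) if lvl > 0}


def level_deviations(parents, trigger, expected):
    """Ancestors whose observed level differs from the expected one: {name: (observed, expected)}."""
    chain = ancestry_chain(parents, trigger)
    out = {}
    for lvl, anc in enumerate(chain[1:], start=1):
        if expected.get(anc) != lvl:
            out[anc] = (lvl, expected.get(anc))
    return out


def analyze(observed=OBSERVED_EVENTS, baseline=BASELINE_EVENTS):
    """Return (trigger, deviations, suspicious) for the observed process tree."""
    parents, timestamps = build_graph(observed)
    trigger = latest_trigger(timestamps)
    expected = expected_levels(baseline, trigger)
    deviations = level_deviations(parents, trigger, expected)
    return trigger, deviations, bool(deviations)


if __name__ == "__main__":
    print(analyze())
```

On the constructed data the trigger is powershell.exe; cmd.exe sits at level 1 as expected, but explorer.exe is found at level 4 instead of the expected level 2, and browser.exe and downloaded_setup.exe appear at levels that have no counterpart in the baseline, so the tree is reported. A deployment would key the baseline on more than hop counts (PID reuse and process re-parenting both distort simple chains), but the comparison step is the same.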

Per claim 2 (dependent on claim 1):
MASHEVSKY ‘180 in view of Chen ‘226 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
MASHEVSKY ‘180 discloses: the data module is further configured to store information associated with the trigger command, the ancestry command, and the ancestry level of the ancestry command as a new suspicious activity pattern ([0044], “Based on the analysis of the DS-graph, the BL is updated with the information on this previously unknown threat in step 105A. However, if the event information or object information are determined to be benign, the system updates the WL accordingly in step 105B” [Emphasis added.]).

Per claim 3 (dependent on claim 2):
MASHEVSKY ‘180 in view of Chen ‘226 discloses the elements detailed in the rejection of claim 2 above, incorporated herein by reference.
MASHEVSKY ‘180 discloses: A security service system of claim 2, wherein: the trigger command is a trigger command of a plurality of preselected trigger commands, and the ancestry command is an ancestry command of a plurality of preselected ancestry commands associated with the trigger command ([0047], “Once the graph is built, the system calculates for every "parent" a so-called X-factor. The X-factor defines the level of danger of a given "parent" and is based on the data about its "children". The X-factor shows to what type of programs a given object tends: for example, to the file managers or to a Trojan-dropper, to browsers and legitimate downloads or to a Trojan-downloader” [Emphasis added.]; [0053], “The parameter "Danger" is calculated based on the so-called decision tree of weight coefficients, the majority of which dynamically changes depending on the accumulated information in the knowledge database.” [Emphasis added.] where the parameter Danger is calculated based on the decision tree of weight coefficients, relying upon the information in the knowledge database that includes a list of (preselected) source of software (commands), or the type of the software. Furthermore, the X-factor describes that a type of a trigger command at each object can be chosen among a plurality of trigger commands.).

Per claim 4 (dependent on claim 2):
MASHEVSKY ‘180 in view of Chen ‘226 discloses the elements detailed in the rejection of claim 2 above, incorporated herein by reference.
MASHEVSKY ‘180 discloses: A security service system of claim 3, wherein the plurality of preselected ancestry commands is associated with the trigger command for (FIG. 2, [0046], “user invokes a browser and downloads an executable file Tubecodec934.exe … Upon execution, Tubecodec934.exe downloads several other files … In this case, Tubecodec934.exe. is a "parent" to five files: Svch0st.exe, Ntkrnl.dll, Calc.exe, 1.exe and Hosts.vbs, which are the "children" files of Tubecodec934.exe. The system proceeds to perform real time risk analysis and risk assessment, which includes construction of a "parent-child" hierarchy based on the invocation sequence of the files … performing the analysis of these files in order to assess a level of danger associated with these files. In order to detect the unknown threats represented by "parents" and "children", the system builds a graph representation analogous to the one shown in FIG. 2” [Emphasis added.] where there are a number of preselected parents (commands) starting from the child file “Protect.sys” (trigger command) up to the parent “Tubecodec934.exe” (oldest ancestry command). Thus, a level of danger is assessed based on this information.).
MASHEVSKY ‘180 does not disclose but Chen ‘226 discloses: the expected ancestry level is measured based on the event sequences and associated patterns (FIG. 4, [0025], “A blueprint graph is used as input. The blueprint graph is a heterogeneous graph constructed from a historical dataset of communications in a network, with nodes of the blueprint graph representing physical devices on an enterprise network and edges reflecting the normal communication patterns among the nodes. Block 402 performs graph modeling” [Emphasis added.]; [0026], “Block 406 then scans the graph to determine candidate event sequences that is consistent with the patterns. A "pattern" refers to an ordered set of system entity types, while a "sequence" refers to an ordered set of specific system entities.” [Emphasis added.]; [0027], “block 408 calculates an anomaly score of each candidate process to evaluate how abnormal the process is. As there may be multiple different sequence patterns of different length … Block 410 measures the deviation between the suspicious sequences and the normal sequences, reporting those sequences that have a higher-than-threshold deviation” [Emphasis added.] where the anomaly score (ancestry level) of each event sequence is measured by using the set of system entities (e.g., processes, files, etc.) and patterns, which may be multiple different sequence patterns of different length.).

Per claim 9 (independent):
The limitations of the claim(s) correspond(s) to features of claim 1 and the claim(s) is/are rejected for the reasons detailed with respect to claim 1.

Per claim 10 (dependent on claim 9):
MASHEVSKY ‘180 in view of Chen ‘226 discloses the elements detailed in the rejection of claim 9 above, incorporated herein by reference.
The limitations of the claim(s) correspond(s) to features of claim 2 and the claim(s) is/are rejected for the reasons detailed with respect to claim 2.

Per claim 11 (dependent on claim 10):
MASHEVSKY ‘180 in view of Chen ‘226 discloses the elements detailed in the rejection of claim 10 above, incorporated herein by reference.
The limitations of the claim(s) correspond(s) to features of claim 3 and the claim(s) is/are rejected for the reasons detailed with respect to claim 3.

Per claim 12 (dependent on claim 11):
MASHEVSKY ‘180 in view of Chen ‘226 discloses the elements detailed in the rejection of claim 11 above, incorporated herein by reference.
The limitations of the claim(s) correspond(s) to features of claim 4 and the claim(s) is/are rejected for the reasons detailed with respect to claim 4.

Per claim 18 (independent):
The limitations of the claim(s) correspond(s) to features of claim 1 and the claim(s) is/are rejected for the reasons detailed with respect to claim 1.

Per claim 19 (dependent on claim 18):
MASHEVSKY ‘180 in view of Chen ‘226 discloses the elements detailed in the rejection of claim 18 above, incorporated herein by reference.
The limitations of the claim(s) correspond(s) to features of claim 2 and the claim(s) is/are rejected for the reasons detailed with respect to claim 2.

Per claim 20 (dependent on claim 19):
MASHEVSKY ‘180 in view of Chen ‘226 discloses the elements detailed in the rejection of claim 19 above, incorporated herein by reference.
The limitations of the claim(s) correspond(s) to features of claim 3 and the claim(s) is/are rejected for the reasons detailed with respect to claim 3.

Claim(s) 5-6, 8, 13-14, 16-17, 21 and 23 is/are rejected under 35 U.S.C. 103 as being unpatentable over MASHEVSKY ‘180 in view of Chen ‘226 and Li et al., US-20160105454-A1 (hereinafter “Li ‘454”; provided by IDS dated 07/12/2019).
Per claim 5 (dependent on claim 4):
MASHEVSKY ‘180 in view of Chen ‘226 discloses the elements detailed in the rejection of claim 4 above, incorporated herein by reference.
MASHEVSKY ‘180 in view of Chen ‘226 does not disclose but Li ‘454 discloses: A security service system of claim 4, wherein the plurality of the preselected ancestry commands is different from a plurality of preselected ancestry commands for a second ancestry level that is associated with the trigger command and that is different from the expected ancestry level (FIG. 3C, [0047], “dependency explosion resulting from a "Unix domain socket, multiple senders" source in a graph 350 (e.g., DGraph) … a Unix domain socket (UDS) 305 (e.g., Cups.sock) may cause a dependency explosion if multiple processes 301, 303 send a message through the UDS 305 to other processes (e.g., Common Unix Printing System Daemon (cupsd) 307). For example, in FIG. 3C, a dependency explosion occurs due to a UDS 305 shared by multiple processes 301, 303. The result is a dependency between cupsd 307 (Common Unix Printing System Daemon) and all other applications which ever printed a document such as lp 301 (e.g., a printing tool) and a word processor 303. As a result, if an attacker performs a privilege escalation 311 on cupsd and/or system libraries 309, and the attack is backtracked using conventional backtracking, the resulting backtracking graph includes the actions of all applications which ever printed a file, which causes increased overhead and/or system slowdown.” [Emphasis added.]; FIG. 5, [0063], “The reference model generated in block 508 may be used to derive a relevancy score for each edge. A specific threshold th may be used as the cutoff point for distinguishing relevancy, and the threshold may be pre-defined or defined during system operation. Any edge with a score below th may considered irrelevant to the attack” [Emphasis added.] where if the “cupsd” 307 (trigger command) initiates an attack, under
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified MASHEVSKY ‘180 in view of Chen ‘226 with the dependency graph for backtracking toward an origin of an attack as taught by Li ‘454 because it would effectively detect and/or prune away resources unrelated to attacks to generate an accurate and concise backtracking graph by using a relevancy score for each edge [0007]-[0009].

Per claim 6 (dependent on claim 2):
MASHEVSKY ‘180 in view of Chen ‘226 discloses the elements detailed in the rejection of claim 2 above, incorporated herein by reference.
MASHEVSKY ‘180 in view of Chen ‘226 does not disclose but Li ‘454 discloses: A security service system of claim 2, wherein: the plurality of modules further comprises an administrative status module configured to determine an administrative status of a user associated with the process running on the monitored computing device (FIG. 5, [0056], “to achieve ubiquitous auditing (e.g., auditing for all types of events for all hosts), a monitoring agent may be implemented and deployed to all participating hosts (e.g., systems) in an enterprise for monitoring hosts to detect and/or gather event data for all hosts in block 502” [Emphasis added.]; [0059], “the monitoring agent may detect the same binary files for non-root users by a signature based approach. This signature may be generated for all binary files, and a process may be identified by its loaded binary file, process identifier (PID) and/or start time of the process” [Emphasis added.] where the monitoring agent (process) deployed on the monitored hosts detects and/or gathers event data in a way that differentiates between non-root users and root users (administrative status).).

Per claim 8 (dependent on claim 2):
MASHEVSKY ‘180 in view of Chen ‘226 discloses the elements detailed in the rejection of claim 2 above, incorporated herein by reference.
MASHEVSKY ‘180 in view of Chen ‘226 does not disclose but Li ‘454 discloses: A security service system of claim 2, wherein the plurality of modules further comprises an analysis module configured to: determine a plurality of process trees in a plurality of connections within a specific environment to which the monitored computing device belongs (FIG. 3C, [0047], “dependency explosion resulting from a "Unix domain socket, multiple senders" source in a graph 350 (e.g., DGraph) … a Unix domain socket (UDS) 305 (e.g., Cups.sock) may cause a dependency explosion if multiple processes 301, 303 send a message through the UDS 305 to other processes (e.g., Common Unix Printing System Daemon (cupsd) 307). For example, in FIG. 3C, a dependency explosion occurs due to a UDS 305 shared by multiple processes 301, 303. The result is a dependency between cupsd 307 (Common Unix Printing System Daemon) and all other applications which ever printed a document such as lp 301 (e.g., a printing tool) and a word processor 303. As a result, if an attacker performs a privilege escalation 311 on cupsd and/or system libraries 309, and the attack is backtracked using conventional backtracking, the resulting backtracking graph includes the actions of all applications which ever printed a file, which causes increased overhead and/or system slowdown.” [Emphasis added.] where, if “cupsd” 307 (trigger command) initiates an attack under conditions in which a dependency explosion occurs, there would be different chains of processes (process trees) that cause the attack. In particular, a different attack path (ancestry level) may be chosen in terms of the backtracking graph.); identify a process tree of the plurality of process trees having a number of command lines less than a threshold number as a suspicious activity; statistically analyze the process tree of the plurality of process trees for frequency of the new suspicious activity pattern; and identify the process tree as a suspicious activity if the frequency is lower than a threshold frequency ([0008], “A relevancy score for each edge of the DGraphs is determined. Irrelevant events from the DGraphs are pruned to generate a condensed backtracking graph. An origin is located by backtracking from an attack detection point in the condensed backtracking graph” [Emphasis added.]; [0062], “A reference model builder may be employed in block 508 to automatically identify attack relevant events … the following observations and assumptions for identifying attack relevant events: (1) at any particular moment in time, the majority of hosts in an enterprise are unlikely to be compromised by an attacker. (2) events which occur frequently amongst all hosts in the enterprise are not likely relevant to an attack; and (3) an attack usually generates some rare events,” [Emphasis added.]; [0081], “the backtracking method using the condensed backtracking graph to locate an attack origin is performed in block 512. The method (hereinafter k-hop backtracking) according to one embodiment is described in Method 1 below:”; [0082], “the input to the algorithm is the DGraph (created by the monitoring agent), the source edge (the detection point found (e.g., by an administrator)), a value for k, and a maximum frequency threshold … For each edge encountered during the depth limited search, if it is considered as relevant (based on the relevancy score, r) then the event ev is traversed upon during backtracking and added to the resulting backtracking graph. An edge is considered relevant if its corresponding frequency in the reference model is less than the specified threshold (th).” [Emphasis added.] where an edge is considered relevant if its frequency in the reference model is less than the specified threshold (th). In other words, the corresponding event ev may be traversed (i.e., backtracked) if its frequency in the reference model is less than th, since such edges are not pruned (i.e., the resources are highly related to attacks, as [0062] explains). Paragraph [0062] teaches that the less frequently an event (which may be caused by suspicious activity) occurs, the higher the probability that it relates to an attack. Based on this assumption, a decision is made whether an edge is included in the condensed backtracking graph.).
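The k-hop backtracking that the passages quoted from Li ‘454 describe, written out as an added Python example. This is not code from Li ‘454, MASHEVSKY ‘180, Chen ‘226 or the application under examination: a constructed dependency graph shaped like FIG. 3C (every program that ever printed has an edge into cupsd, one rare edge comes from an attacker's payload) is backtracked from a detection-point edge, once without pruning and once keeping only edges whose reference-model frequency is below th. The graph contents, the frequency counts and all names are assumptions made for illustration.

```python
"""k-hop backtracking with frequency-based edge pruning.

Added example, not code from Li '454, MASHEVSKY '180, Chen '226 or the
application under examination. It follows the quoted description of
Li '454: the inputs are a dependency graph (DGraph), the detection-point
edge, a hop limit k and a maximum frequency threshold th; during a
depth-limited backward search an edge is traversed and added to the
backtracking graph only if its frequency in the reference model is
below th. The graph, the reference-model counts and every name below
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    src: str  # entity that caused the event (process, file or socket)
    dst: str  # entity that received it
    ts: int   # timestamp; an event can only depend on earlier events


# Constructed DGraph shaped like FIG. 3C of Li '454: every program that ever
# printed has an edge into cupsd (the dependency explosion), one rare edge
# comes from an attacker's payload, and the detection point is cupsd
# touching /etc/shadow after the privilege escalation.
DETECTION_POINT = Event("cupsd", "/etc/shadow", 16)
DGRAPH: List[Event] = [
    Event("bash", "curl", 4),
    Event("curl", "/tmp/exploit.bin", 5),           # payload download
    Event("word_processor", "cupsd", 10),           # benign print jobs
    Event("lp", "cupsd", 11),
    Event("lp", "cupsd", 12),
    Event("/tmp/exploit.bin", "cupsd", 13),         # the attack-related write
    Event("/usr/lib/libcups.so", "cupsd", 15),      # ordinary library load
    DETECTION_POINT,
]

# Constructed reference model: on how many enterprise hosts each
# (src, dst) event signature was observed. Frequent events are, per
# Li '454 [0062], unlikely to be attack relevant.
REFERENCE_MODEL: Dict[Tuple[str, str], int] = {
    ("bash", "curl"): 600,
    ("curl", "/tmp/exploit.bin"): 1,
    ("word_processor", "cupsd"): 900,
    ("lp", "cupsd"): 950,
    ("/tmp/exploit.bin", "cupsd"): 1,
    ("/usr/lib/libcups.so", "cupsd"): 1000,
    ("cupsd", "/etc/shadow"): 1,
}


def frequency(ev: Event, model: Dict[Tuple[str, str], int]) -> int:
    """Reference-model frequency of an event signature; unseen events are rare."""
    return model.get((ev.src, ev.dst), 0)


def k_hop_backtrack(graph: List[Event], model: Dict[Tuple[str, str], int],
                    detection_point: Event, k: int,
                    th: Optional[int] = None) -> Set[Event]:
    """Return the backtracking graph as the set of traversed edges.

    th=None reproduces conventional backtracking (every causally earlier
    edge is followed); with th set, an edge is followed only if its
    reference-model frequency is below th, giving the condensed graph.
    """
    result: Set[Event] = {detection_point}
    frontier: List[Tuple[Event, int]] = [(detection_point, 0)]
    while frontier:
        cur, depth = frontier.pop()
        if depth >= k:
            continue  # hop limit reached
        for ev in graph:
            # Backward step: events that flowed into cur.src before cur happened.
            if ev.dst != cur.src or ev.ts >= cur.ts:
                continue
            if th is not None and frequency(ev, model) >= th:
                continue  # common across the enterprise: pruned as irrelevant
            if ev not in result:
                result.add(ev)
                frontier.append((ev, depth + 1))
    return result


def origins(backtracking_graph: Set[Event]) -> Set[str]:
    """Entities with no traversed incoming edge: the candidate attack origins."""
    return {e.src for e in backtracking_graph} - {e.dst for e in backtracking_graph}


if __name__ == "__main__":
    full = k_hop_backtrack(DGRAPH, REFERENCE_MODEL, DETECTION_POINT, k=3)
    condensed = k_hop_backtrack(DGRAPH, REFERENCE_MODEL, DETECTION_POINT, k=3, th=100)
    print(len(full), "edges, origins:", sorted(origins(full)))
    print(len(condensed), "edges, origins:", sorted(origins(condensed)))
```

Without a threshold the graph pulls in every program that ever printed, which is the dependency explosion of FIG. 3C; with th=100 only the two rare edges survive and the origin collapses to the download. The trade-off a practitioner should keep in mind: the common bash-to-curl edge is pruned as well, so the condensed graph stops at curl even though bash launched it. The origin located this way is the last rare event on the path, not proof that nothing preceded it.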

Per claim 13 (dependent on claim 12):
MASHEVSKY ‘180 in view of Chen ‘226 discloses the elements detailed in the rejection of claim 12 above, incorporated herein by reference.
The limitations of the claim correspond to features of claim 5, and the claim is rejected for the reasons detailed with respect to claim 5.

Per claim 14 (dependent on claim 10):
MASHEVSKY ‘180 in view of Chen ‘226 discloses the elements detailed in the rejection of claim 10 above, incorporated herein by reference.
The limitations of the claim correspond to features of claim 6, and the claim is rejected for the reasons detailed with respect to claim 6.

Per claim 16 (dependent on claim 10):
MASHEVSKY ‘180 in view of Chen ‘226 discloses the elements detailed in the rejection of claim 10 above, incorporated herein by reference.
The limitations of the claim correspond to features of claim 8, and the claim is rejected for the reasons detailed with respect to claim 8.

Per claim 17 (dependent on claim 16):
MASHEVSKY ‘180 in view of Chen ‘226 and Li ‘454 discloses the elements detailed in the rejection of claim 16 above, incorporated herein by reference.
The limitations of the claim correspond to features of claim 8, and the claim is rejected for the reasons detailed with respect to claim 8.

Per claim 21 (dependent on claim 19):
MASHEVSKY ‘180 in view of Chen ‘226 discloses the elements detailed in the rejection of claim 19 above, incorporated herein by reference.
The limitations of the claim correspond to features of claim 5, and the claim is rejected for the reasons detailed with respect to claim 5.

Per claim 23 (dependent on claim 19):
MASHEVSKY ‘180 in view of Chen ‘226 discloses the elements detailed in the rejection of claim 19 above, incorporated herein by reference.
The limitations of the claim correspond to features of claim 8, and the claim is rejected for the reasons detailed with respect to claim 8.

Claims 7, 15 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over MASHEVSKY ‘180 in view of Chen ‘226 and Li ‘454 as applied to claims 6, 14 and 19 above, and further in view of Hagiwara et al., US-20150264062-A1 (hereinafter “Hagiwara ‘062”).
Per claim 7 (dependent on claim 6):
MASHEVSKY ‘180 in view of Chen ‘226 and Li ‘454 discloses the elements detailed in the rejection of claim 6 above, incorporated herein by reference.
MASHEVSKY ‘180 discloses: A security service system of claim 6, wherein the identification module is further configured to identify the one or more suspicious activity patterns based, in part, on a weight factor associated with (FIG. 3,4,5, [0055], “an executable file … has been downloaded by a user … the system will build a decision tree from a multitude of criteria … For example, a criterion from the group of tests that checks the host name and determines the presence of masking, will be assigned the maximum weight of 100 since the name of the host incorporates the host from the white list, soho.com.” [Emphasis added.] where a multitude of criteria may be applied to generate multiple decision trees by applying weights to each command as in FIG. 3, FIG. 4 and FIG. 5 in order to detect previously unknown malware.).
MASHEVSKY ‘180 in view of Chen ‘226 and Li ‘454 does not disclose but Hagiwara ‘062 discloses: a weight factor associated with the administrative status of the user (FIG. 11, [0140], “client devices 10a, 10b, 10c, and 10d are connected to the network 100. The client device 10a includes a folder 1101 that is accessible, for example, using SMB or the like. The path name of the folder 1101 is, for example, \\ClientA … The client devices 10b and 10c are permitted to access this folder and perform a file operation, such as opening or copying of this file. Under such presumption, when the client devices 10b and 10c operated a file of the folder 1101 by performing a process (Viewer.exe), the virus detecting unit 203 has detected a virus … Note that the following description will be given assuming that "Client A" is an example of identification information of the client device 10a, "Client B" is an example of identification information of the client device 10b, and "Client C" is an example of identification information of the client device 10c.” [Emphasis added.]; FIG. 12, [0144], “(iii) The virus intrusion route searching unit 202 acquires the path name of a file included in the found record. The virus intrusion route searching unit 202 recognizes that the file is a file shared in a network because the acquired path name includes \\, and further specifies that the virus intruded into the client device 10b via the client device 10a because the path name includes "Client A", which is the identification information of the client device 10a.” [Emphasis added.]; FIG. 23, [0215], “In step S2303, the virus intrusion route searching unit 202 determines whether or not weighting is executed … On the other hand, if weighting is executed, the procedure advances to step S2304” [Emphasis added.]; [0216], “In step S2304, the virus intrusion route searching unit 202 performs narrowing-down to one execution result that is related to the virus intrusion route, by executing weighting with respect to the plurality of execution results.” [Emphasis added.] where, if there are a plurality of virus infection routes, weighting is applied to narrow down the results as in S2304 of FIG. 23. In particular, after the multiple factors shown in FIG. 12 are weighted, the records are compared with one another for the narrowing down. Furthermore, the “PC NAME” column 1200 of FIG. 12 shows to which device (such as ClientA, ClientB or ClientC) the executed file, such as Malware.pdf, belongs.).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified MASHEVSKY ‘180 in view of Chen ‘226 and Li ‘454 with the weight factor associated with the identification information of the client device as taught by Hagiwara ‘062 because it would efficiently determine a specific virus infection route among a multitude of search targets via the weighting process that includes an ownership of a file.

Per claim 15 (dependent on claim 14):
MASHEVSKY ‘180 in view of Chen ‘226 and Li ‘454 discloses the elements detailed in the rejection of claim 14 above, incorporated herein by reference.
The limitations of the claim correspond to features of claim 7, and the claim is rejected for the reasons detailed with respect to claim 7.

Per claim 22 (dependent on claim 19):
MASHEVSKY ‘180 in view of Chen ‘226 discloses the elements detailed in the rejection of claim 19 above, incorporated herein by reference.
MASHEVSKY ‘180 discloses: Non-transitory computer-readable media of claim 19, wherein the operations further comprise: wherein identifying the one or more suspicious activity patterns is based, in part, on (FIG. 3,4,5, [0055], “an executable file … has been downloaded by a user … the system will build a decision tree from a multitude of criteria … For example, a criterion from the group of tests that checks the host name and determines the presence of masking, will be assigned the maximum weight of 100 since the name of the host incorporates the host from the white list, soho.com.” [Emphasis added.] where a multitude of criteria may be applied to generate multiple decision trees by applying weights to each command as in FIG. 3, FIG. 4 and FIG. 5 in order to detect previously unknown malware.).
MASHEVSKY ‘180 in view of Chen ‘226 does not disclose but Li ‘454 discloses: determining an administrative status of a user associated with the process running on the monitored computing device, (FIG. 5, [0056], “to achieve ubiquitous auditing (e.g., auditing for all types of events for all hosts), a monitoring agent may be implemented and deployed to all participating hosts (e.g., systems) in an enterprise for monitoring hosts to detect and/or gather event data for all hosts in block 502” [Emphasis added.]; [0059], “the monitoring agent may detect the same binary files for non-root users by a signature based approach. This signature may be generated for all binary files, and a process may be identified by its loaded binary file, process identifier (PID) and/or start time of the process” [Emphasis added.] where the monitoring agent (process) deployed on the monitored hosts detects and/or gathers event data in a way that differentiates between non-root users and root users (administrative status).).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified MASHEVSKY ‘180 in view of Chen ‘226 with the ownership of the process for backtracking toward an origin of an attack as taught by Li ‘454 because it would effectively detect and/or prune away resources unrelated to attacks to generate an accurate and concise backtracking graph by using a relevancy score for each edge [0007]-[0009].
MASHEVSKY ‘180 in view of Chen ‘226 and Li ‘454 does not disclose but Hagiwara ‘062 discloses: the administrative status having a weight factor (FIG. 11, [0140], “client devices 10a, 10b, 10c, and 10d are connected to the network 100. The client device 10a includes a folder 1101 that is accessible, for example, using SMB or the like. The path name of the folder 1101 is, for example, \\ClientA … The client devices 10b and 10c are permitted to access this folder and perform a file operation, such as opening or copying of this file. Under such presumption, when the client devices 10b and 10c operated a file of the folder 1101 by performing a process (Viewer.exe), the virus detecting unit 203 has detected a virus … Note that the following description will be given assuming that "Client A" is an example of identification information of the client device 10a, "Client B" is an example of identification information of the client device 10b, and "Client C" is an example of identification information of the client device 10c.” [Emphasis added.]; FIG. 12, [0144], “(iii) The virus intrusion route searching unit 202 acquires the path name of a file included in the found record. The virus intrusion route searching unit 202 recognizes that the file is a file shared in a network because the acquired path name includes \\, and further specifies that the virus intruded into the client device 10b via the client device 10a because the path name includes "Client A", which is the identification information of the client device 10a.” [Emphasis added.]; FIG. 23, [0215], “In step S2303, the virus intrusion route searching unit 202 determines whether or not weighting is executed … On the other hand, if weighting is executed, the procedure advances to step S2304” [Emphasis added.]; [0216], “In step S2304, the virus intrusion route searching unit 202 performs narrowing-down to one execution result that is related to the virus intrusion route, by executing weighting with respect to the plurality of execution results.” [Emphasis added.] where, if there are a plurality of virus infection routes, weighting is applied to narrow down the results as in S2304 of FIG. 23. In particular, after the multiple factors shown in FIG. 12 are weighted, the records are compared with one another for the narrowing down. Furthermore, the “PC NAME” column 1200 of FIG. 12 shows to which device (such as ClientA, ClientB or ClientC) the executed file, such as Malware.pdf, belongs.).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified MASHEVSKY ‘180 in view of Chen ‘226 and Li ‘454 with the weight factor associated with the identification information of the client device as taught by Hagiwara ‘062 because it would efficiently determine a specific virus infection route among a multitude of search targets via the weighting process that includes an ownership of a file.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SANGSEOK PARK whose telephone number is (571)272-4332.  The examiner can normally be reached on Monday-Thursday 7:30-5:30 and Alternate Fridays 8:30-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on (571) 272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

/SANGSEOK PARK/Examiner, Art Unit 2494
/Kevin Bechtel/Primary Examiner, Art Unit 2491