DETAILED ACTION
This office action is in response to applicant’s amendment filed on 10/16/2020.  No claims have been added or canceled.  Claims 1, 8, and 15 have been amended.  Claims 1-21 are pending and are directed towards apparatus, method, and computer product for Iterative Constraint Solving in Abstract Graph Matching for Cyber Incident Reasoning.  Examiner acknowledges applicant’s amendment to specification and therefore withdraws the previous office action’s objections to the specification.  
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
1.	Applicant’s arguments filed 10/16/2020 have been fully considered.
	A) Applicant’s arguments, with respect to the 102 rejection of claim 1, that Coffman does not teach “derive a graph of constraint relations in the graph pattern” (pages 11-12 of the present response) have been fully considered but they are not persuasive.
	Regarding A) Coffman teaches deriving a graph of constraint relations in the graph pattern (Fig. 5B and para 75, line 3-12; initiates pattern matching 
B) Applicant’s arguments, with respect to the 102 rejection of claim 1, that Coffman does not teach “iteratively solving constraints in the graph pattern” and that there is “no graph of constraint relations” (both on pages 12 of the present response) have been fully considered but they are not persuasive.
Regarding B) the pattern matching algorithms for threat patterns in the form of detecting subgraph isomorphism in the graph 555 in the Coffman prior art corresponds to the iteratively solving constraints in the graph pattern in the claim.  Specifically, pattern matching algorithms for threat patterns in graph 555 in Coffman corresponds to the solving constraints in the graph pattern in the claim because the algorithms determine matches for the patterns in the threat patterns (which contains entities and interrelations between those entities) (see Fig. 5B, 
C) Applicant’s arguments, with respect to the 102 rejection of claim 1, that Coffman does not teach “finding one or more subgraphs of the activity graph that satisfy the graph pattern by iteratively solving constraints in the graph pattern at least in part using a traversal of the graph of constraint relations” (pages 13 of the present response) have been fully considered but they are not persuasive.
Regarding C) Coffman teaches finding one or more subgraphs of the activity graph that satisfy the graph pattern by iteratively solving constraints in the graph pattern at least in part using a traversal of the graph of constraint relations (Fig. 
D) Applicant’s arguments, with respect to claims 3, 10, and 17 that Coffman does not teach “iteratively solving constraints” and “propagating the result to connected constraints” (pages 13-14 of the present response) have been fully considered but they are not persuasive.
Regarding D) the algorithm iteratively merges partial matches if all the nodes they match are connected by an edge in the pattern graph 550 where the edge represents relationship (see para 20 and para 139 in the Coffman prior art).  Therefore, the iteratively merging partial matches if all the nodes they match are connected by an edge in the pattern graph 550 in Coffman prior art corresponds 
E) Applicant’s arguments, with respect to claims 5, 12, and 19 that Coffman does not teach “all propagation of results from evaluating of the single element constraints” and “outputting results of the matching algorithm” (pages 14 of the present response) have been fully considered but they are not persuasive.
Regarding E) the iteratively merging partial matches if all the nodes they match are connected by an edge or relationship in the pattern graph 550 until the entire pattern is matched in Coffman prior art corresponds to all propagation of results from evaluating of the single element constraints in the claim.  Specifically, the iterative merging process combine all the partial matches with an edge to create the match for the entire threat pattern (see Fig. 5B, para 77 and para 139 in the Coffman prior art).  Then if any of the complete matches are sufficiently similar to the threat pattern and pass the match quality threshold, the algorithm records these matches and provides them to the analyst to examine (see para 139 
Claim Rejections - 35 USC § 102
2.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
3.	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


4.	Claims 1-21 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Coffman (US Pub. 2007/0209074) filed on Mar. 4, 2006.
	Regarding claim 1, Coffman teaches a method for storage-efficient graph pattern matching (para 12, line 1-10; enhanced graph matching system on a control server), comprising: 
providing a graph pattern that comprises a set of elements with constraints and connections among them (Fig. 5B and para 127, line 1-5; threat pattern 550 is 
5deriving a graph of constraint relations in the graph pattern (Fig. 5B and para 75, line 3-12; initiates pattern matching algorithms for threat patterns in the form of detecting subgraph isomorphism in the graph and Fig. 5B shows the shaded subgraph with interrelations based on the threat pattern);
providing an activity graph representing activity data captured in association with one of: a process, a host machine, and a network of machines (Fig. 5B and para 77, line 3-8; an activity graph 555 is generated utilizing data related to the network nodes (remote hosts and local hosts devices) and activity occurring at/between each host device detected across the network); and 
responsive to a query, finding one or more subgraphs of the activity graph that satisfy the graph pattern by iteratively solving constraints in the graph pattern at least in part using a traversal of the graph of constraint relations (Fig. 5B and para 75, line 1-12 and para 127, line 1-11; detection manager 356 queries pattern library 358 and initiates pattern matching algorithms for threat patterns in the form of detecting subgraph isomorphism in the graph 555 and Fig. 5B shows the shaded subgraphs with interrelations matching the threat pattern 550).
	Regarding claim 2, Coffman teaches method of claim 1.

	 Regarding claim 3, Coffman teaches method of claim 2.
	Coffman teaches iteratively solving constraints comprises satisfying a latest-solved constraint in the graph pattern to generate a result, and propagating the result to connected constraints in the graph of constraint relations (para 139, line 1-8; the initial partial matches match one node from the input threat pattern to one node in the pattern graph, the algorithm then iteratively merges partial matches with each other, and builds up a list of partial matches and combining them with other partial matches until a match for the entire threat pattern is found).
	Regarding claim 4, Coffman teaches method of claim 3.
	Coffman teaches propagating the result to 20connected constraints evaluates whether a previously-satisfied constraint remains valid and, when the previously-satisfied constraint is no longer valid, removes a subgraph of the activity graph represented by the previously-satisfied constraint (para 139, line 8-18; any two 
Regarding claim 5, Coffman teaches method of claim 4.
	Coffman teaches outputting the one or more subgraphs after all single element constraints have been evaluated, and all propagation of results from evaluation of the single element constraints have been performed (para 74, line 18-21 and para 139, line 16-22; the process of merging continues until the entire threat pattern is matched and, at this point, if any of the complete matches are sufficiently similar to the threat pattern and pass the match quality threshold, the algorithm records these matches and provides them to the analyst to examine).
	Regarding claim 6, Coffman teaches method of claim 1.
	Coffman teaches the one or more subgraphs of the activity graph represent a cyber incident (Fig. 5B and para 127, line 1-11; detect 2 matches of possible threat to the system comprising interrelations between entities).
	Regarding claim 7, Coffman teaches method of claim 6.
	Coffman teaches performing a post-detection operation to address the cyber incident (para 75, line 9-16; detection manager generates lists of threats 
	Regarding claim 8, Coffman teaches an apparatus for storage-efficient graph pattern matching (para 12, line 1-10; enhanced graph matching system on a control server), comprising: 
a processor (para 68, line 3-6; CPU 210); 
computer memory holding computer program instructions executed by the processor, the computer program instructions configured to (para 68, line 3-6; software code stored within memory 220 and executed by CPU 210):  
5provide a graph pattern that comprises a set of elements with constraints and connections among them (Fig. 5B and para 127, line 1-5; threat pattern 550 is modeled as graph comprising a set of entities and interrelations between those entities); 
derive a graph of constraint relations in the graph pattern (Fig. 5B and para 75, line 3-12; initiates pattern matching algorithms for threat patterns in the form of detecting subgraph isomorphism in the graph and Fig. 5B shows the shaded subgraph with interrelations based on the threat pattern); 
provide an activity graph representing activity data captured in association with one of: a process, a host machine, and a network of machines (Fig. 5B and 
10responsive to a query, find one or more subgraphs of the activity graph that satisfy the graph pattern by iteratively solving constraints in the graph pattern at least in part using a traversal of the graph of constraint relations (Fig. 5B and para 75, line 1-12 and para 127, line 1-11; detection manager 356 queries pattern library 358 and initiates pattern matching algorithms for threat patterns in the form of detecting subgraph isomorphism in the graph 555 and Fig. 5B shows the shaded subgraphs with interrelations matching the threat pattern 550).
Regarding claim 9, Coffman teaches apparatus of claim 8.
	Coffman teaches a constraint is one of: a single element defining an attribute of a node or edge in the graph pattern, and an element relation 15defining how one element relates to another element in the graph pattern (Fig. 5B and para 127, line 1-5; threat pattern 550 is modeled as graph comprising a set of entities and interrelations between those entities).
Regarding claim 10, Coffman teaches apparatus of claim 9.
	Coffman teaches iteratively solve constraints comprise computer program instructions configured to satisfy a latest-solved constraint in the graph pattern to 
Regarding claim 11, Coffman teaches apparatus of claim 10.
	Coffman teaches propagate the result to connected constraints evaluate whether a previously-satisfied constraint remains valid and, when the previously-satisfied constraint is no longer valid, are further configured to remove a subgraph of the activity graph represented 5by the previously-satisfied constraint (para 139, line 8-18; any two partial matches that differ by exactly one node may be combined if all the nodes are connected by an edge in the pattern graph and the new partial matches may be removed if they cannot pass the quality threshold match and the process of merging continues until the entire threat pattern is matched).
Regarding claim 12, Coffman teaches apparatus of claim 11.
	Coffman teaches output the one or more subgraphs after all single element constraints have been evaluated, and all propagation of results from evaluation of 
Regarding claim 13, Coffman teaches apparatus of claim 8.
	Coffman teaches the one or more subgraphs of the activity graph represent a cyber incident (Fig. 5B and para 127, line 1-11; detect 2 matches of possible threat to the system comprising interrelations between entities).
Regarding claim 14, Coffman teaches apparatus of claim 13.
	Coffman teaches performing a post-detection operation to address the cyber incident (para 75, line 9-16; detection manager generates lists of threats (alerts) in the activity graph and this information is transmitted to activity archive for storage).
Regarding claim 15, Coffman teaches a computer program product in a non-transitory computer readable medium for use in a data processing system for storage-efficient graph pattern matching, the computer program product holding computer program instructions that, when executed by the data processing system (para 12, line 1-10 and para 68, line 3-6; software code stored within 
5provide a graph pattern that comprises a set of elements with constraints and connections among them (Fig. 5B and para 127, line 1-5; threat pattern 550 is modeled as graph comprising a set of entities and interrelations between those entities); 
derive a graph of constraint relations in the graph pattern (Fig. 5B and para 75, line 3-12; initiates pattern matching algorithms for threat patterns in the form of detecting subgraph isomorphism in the graph and Fig. 5B shows the shaded subgraph with interrelations based on the threat pattern); 
provide an activity graph representing activity data captured in association with one of: a process, a host machine, and a network of machines (Fig. 5B and para 77, line 3-8; an activity graph 555 is generated utilizing data related to the network nodes (remote hosts and local hosts devices) and activity occurring at/between each host device detected across the network); and  
10 responsive to a query, find one or more subgraphs of the activity graph that satisfy the graph pattern by iteratively solving constraints in the graph pattern at least in part using a traversal of the graph of constraint relations (Fig. 5B and para 75, line 1-12 and para 127, line 1-11; detection manager 356 queries 
Regarding claim 16, Coffman teaches computer product of claim 15.
Coffman teaches a constraint is one of: a single element defining an attribute of a node or edge in the graph pattern, and an element relation defining how one element relates to another element in the graph pattern (Fig. 5B and para 127, line 1-5; threat pattern 550 is modeled as graph comprising a set of entities and interrelations between those entities).
Regarding claim 17, Coffman teaches computer product of claim 16.
	Coffman teaches iteratively solve constraints comprise computer program instructions configured to satisfy a latest-solved constraint in the graph pattern to generate a 20result, and further configured to propagate the result to connected constraints in the graph of constraint relations (para 139, line 1-8; the initial partial matches match one node from the input threat pattern to one node in the pattern graph, the algorithm then iteratively merges partial matches with each other, and builds up a list of partial matches and combining them with other partial matches until a match for the entire threat pattern is found).
Regarding claim 18, Coffman teaches computer product of claim 17.

Regarding claim 19, Coffman teaches computer product of claim 18.
	Coffman teaches output the one or more subgraphs after all single element constraints have been evaluated, and all propagation of results from evaluation of the single element constraints have been performed (para 74, line 18-21 and para 139, line 16-22; the process of merging continues until the entire threat pattern is matched and, at this point, if any of the complete matches are sufficiently similar to the threat pattern and pass the match quality threshold, the algorithm records these matches and provides them to the analyst to examine).
Regarding claim 20, Coffman teaches computer product of claim 15.

Regarding claim 21, Coffman teaches computer product of claim 20.
	Coffman teaches perform a post-detection operation to address the cyber incident (para 75, line 9-16; detection manager generates lists of threats (alerts) in the activity graph and this information is transmitted to activity archive for storage).
Conclusion
5.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following are relevant prior arts: Choudhury et al. (US Pub. 2018/0329958) discloses querying graph, which includes vertices and edges, to perform subgraph matching; Maruhashi (US Pub. 2017/0154445) discloses subgraphs extracted from source graphs and include a plurality of elements each describing a connection between nodes; Cao et al. (US Pub. 2017/0308620) discloses receive a pattern query for a graph and determine a set of access constraints corresponding to the pattern query; Fan et al. (US Pub. 2017/0228448) discloses identifying graph pattern where the graph including a plurality of designated nodes and a plurality of association edges between the .
6.	THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
7.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to NHAN H NGUYEN whose telephone number is (571)272-6443.  The examiner can normally be reached on Monday-Friday 8:30am - 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on 571-272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service 


/Zachary A. Davis/Primary Examiner, Art Unit 2492                                                                                                                                                                                                        



/NHAN HUU NGUYEN/Examiner, Art Unit 2492