DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 07/02/2019, 12/31/2019, 07/28/2020 and 08/20/2019 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim(s) 15-20 is/are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.
The claims are directed towards transitory propagating signals, per se.  The United States Patent and Trademark Office (USPTO) is obliged to give claims their broadest reasonable interpretation consistent with the specification during proceedings before the USPTO.  See In re Zletz, 893 F.2d 319 per se in view of the ordinary and customary meaning of computer-readable media, particularly when the specification is silent.  Furthermore, with respect to the instant Application, the interpretation of a “computer-readable media” as transitory propagating signals, per se, is also consistent with the Specification, paragraphs 0064-0065.  See MPEP 2111.01.  When the broadest reasonable interpretation of a claim covers a signal per se, the claim must be rejected under 35 U.S.C. § 101 as covering non-statutory subject matter.  See In re Nuijten, 500 F.3d 1346, 1356-57 (Fed. Cir. 2007) (transitory embodiments are not directed to statutory subject matter) and Interim Examination Instructions for Evaluating Subject Matter Eligibility Under 35 U.S.C. § 101, Aug. 24, 2009; p. 2.
A claim drawn to such a computer-readable media that covers both transitory and non-transitory embodiments may be amended to narrow the claim to cover only statutory embodiments to avoid a rejection under 35 U.S.C. § 101 by adding the limitation “non-transitory” to the claim.  Cf. Animals - Patentability, 1077 Off. Gaz. Pat. Office 24 (April 21, 1987) (suggesting that applicants add the limitation “non-human” to a claim covering a multi-cellular organism to avoid a rejection under 35 U.S.C. § 101).  Such an amendment would typically not raise the issue of new matter, even when the specification is silent, because the broadest reasonable interpretation relies on the ordinary and customary meaning that includes signals per se.  The limited situations in which such an amendment could raise issues of new matter occur, for example, when the specification does not support a non-transitory embodiment because a signal per se is the only viable embodiment, such that the amended claim is impermissibly broadened beyond the supporting disclosure.  See, e.g., Gentry Gallery, Inc. v. Berkline Corp., 134 F.3d 1473 (Fed. Cir. 1998).


Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 6-10, 13 and 15-18 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Apostolopoulos, US-20180219888-A1 (hereinafter “Apostolopoulos ‘888”).
Per claim 6 (independent):
Apostolopoulos ‘888 discloses: A method of determining that a plurality of events at a monitored computing device is associated with an incident indicating malicious activity, the method comprising: detecting, at the monitored computing device, the plurality of the events taking place at the monitored computing device during a time interval, individual events having respective event types (FIG. 1, [0059], “each client device 102 may host or execute one or more client applications 110 that are capable of interacting with one or more host devices 106 via one or more networks 104” [Emphasis added.]; [0060], “a client application 110 may include a monitoring component 112 … including monitoring network traffic sent and received from the client device and collecting other device and/or application-specific information” [Emphasis added.]; [0062], “performance data generated by the monitoring functionality is sent to the system 108 to facilitate analysis of the performance data by a developer of the client application or other users” [Emphasis added.]; [0094], “behavioral analysis (e.g., fraud detection or environmental monitoring) based on machine data … "machine data" can include timestamped event data,” [Emphasis added.] where data associated with network traffic, device and application, which are generated from interactions (detected events) between the client application 102 (one process) and the host device 106, are collected by the monitoring component 112 at the client device 102 (monitored computing device) for the data to be received at the system 108 for analysis. The behavioral analysis can be performed based on machine data, i.e., the data collected by the monitoring component 112, where the machine data related to various types of data (respective event types) about performance or operation of equipment is given as timestamped event (or time series) data.);
identifying patterns within the plurality of the events based at least in part on the patterns meeting a predetermined criterion; determining pattern scores associated with the patterns based at least in part on respective relative frequencies of the patterns (FIG. 18, [0203], “At step 1810, the process receives event data representing a plurality of events on a computer network. The event data are indicative of a plurality of entities and at least one anomaly involved in the events” [Emphasis added.]; [0204], “At step 1820, for each event, the process acquires an event-specific relationship graph … from the data intake and preparation stage”; [0206], “At step 1840 … For each event, the process identifies one or more computer network activities of a particular type based on the event-specific relationship graph. The identified computer network activities are associated with the same entity and occur during a predefined time period” [Emphasis added.]; [0208], “At step 1850, the process combines the event-specific relationship graphs for the received events with the anomaly data into a composite relationship graph. The composite relationship graph includes nodes that represent the entities involved in the events and nodes that represent the anomalies detected based on the event data” [Emphasis added.]; FIG. 17, [0201], “The graph library component 1750 can further break down the projections into a plurality of files. Each of the files stores network activities that have occurred in a particular time period.” [Emphasis added.]; [0217], “At step 1880, … confirms that the anomalies form a security threat by applying a security rule to the anomalies based on assigned categories of the anomalies” [Emphasis added.]; [0220], “a graph-based network security analytic framework” [Emphasis added.]; [0221], “the input can be data reflecting events that represent activities that are already flagged as anomalies … or … regular network activities … The entities associated with the activities can be grouped into smaller time units … For each time unit, all values corresponding to a number of features (e.g., count of anomalies, anomaly types, entities involved, and timing) are gathered from the entities (and underlying events) in the time unit … computing a risk score for each day and according to the features in the unit … The riskiest days can be selected, for example, by taking a threshold or by clustering the days” [Emphasis added.] where an event-specific relationship graph is acquired based on data representing a plurality of events indicative of entities and anomaly involved in the events. For each event, the computer network activities of a particular type in the event-specific relationship graph are identified while the activities occur during a predetermined time period. The event-specific relationship graphs for the received events are combined with the anomaly data into a composite relationship graph. The composite relationship graph can include a plurality of projections (See FIG. 17), where each projection indicates a particular category (pattern) of network activities. Note that the projection can be divided into a plurality of files according to a particular time period (predetermined criterion). Based on the graph-based network security analytic framework, event data can be grouped into smaller time periods. Thus, for example, a risk score (pattern score) may be calculated for each day according to the features in the unit, such as the count of anomalies, anomaly types, entities and timing (relative frequencies of the patterns).);
determining a composite score for the plurality of the events based at least in part on the pattern scores; and determining that the plurality of the events includes the incident indicating malicious activity based at least in part on the composite score being above a predetermined threshold score (FIG. 19, [0224], “At step 1910, data related to events that have occurred in the network can be accessed by an analytic engine … An example of such data input can be a projection of a composite relationship graph, such as an anomaly projection 1730 (i.e., a subset of a composite relationship graph that includes edges representing a plurality of anomaly activities conducted by entities)” [Emphasis added.]; [0227], “At step 1920, the nodes in the anomaly graph are assigned to a number of groups … based on the timestamps of the underlying events of the nodes.”; [0228], “After step 1920 and before step 1930, a group interest score can be generated for each of the groups” [Emphasis added.]; FIG. 20, [0229], “At step 2010, a group interest score for a respective group can be generated based on a set of features from the respective group … The list of features are selected to reflect or capture how "interesting" or "risky" a set of anomalies is … (1) the count of the anomalies in the group, (2) the count of distinct anomaly types in the group, (3) the count of the distinct of machine learning models that raised anomalies in the group … (4) the sum of the scores of off-hours anomalies in the group … (6) the sum of the scores of rule-based anomalies in the group” [Emphasis added.]; [0233], “At step 2020, the number of groups can be ranked based on their group interest scores … the number of groups can be selected based on their group interest scores, and depending on the implementation, only a predetermined number of top ranked groups (i.e., the most interesting anomalousDays) are selected for further processing … a threshold can be implemented so as to select the groups that have scores exceeding the threshold” [Emphasis added.] where the nodes (entities) in the anomaly group, i.e., the anomaly projection 1730 including anomaly activities (events), are assigned to a number of groups for which a group interest score (composite score) can be generated based on a set of features including the count of the anomalies in the group from the respective group, the sum of the scores of off-hours anomalies in the group, associated with the risk scores (pattern scores). Thus, the group
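The pipeline recited in claim 6 (events detected during a time interval, patterns that meet a predetermined criterion, pattern scores derived from relative frequencies, a composite score tested against a threshold), together with the tagging of claims 8 and 9, carried through end to end as an added Python illustration. This is not code from the application under examination or from the Apostolopoulos reference; the event types, the baseline frequencies, the definition of a pattern as a pair of consecutive event types within one process, the rarity-weighted scoring formula, the threshold of 5.0 and the sample events are all constructed assumptions chosen only to make the steps concrete.

```python
"""Added illustration of the claimed pipeline (claims 6, 8, 9).
Scoring formula, baseline and sample events are constructed assumptions,
not code from the application or from the Apostolopoulos reference."""
import math
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Pattern = Tuple[str, str]  # ordered pair of consecutive event types in one process


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since the monitoring epoch
    etype: str     # event type (claim 6: "respective event types")
    process: str   # producing process (claim 7: produced by a process or thread)


# Constructed baseline: assumed relative frequency of each event type in benign history.
BASELINE: Dict[str, float] = {
    "proc_create": 0.40, "file_write": 0.35, "net_connect": 0.20,
    "reg_set": 0.04, "cred_dump": 0.01,
}


def events_in_interval(events: List[Event], start: float, end: float) -> List[Event]:
    """Select the events detected during the time interval [start, end), in time order."""
    return sorted((e for e in events if start <= e.ts < end), key=lambda e: e.ts)


def identify_patterns(events: List[Event], min_count: int = 2) -> Dict[Pattern, int]:
    """A pattern is a pair of consecutive event types within one process; the
    predetermined criterion (assumed) is that the pair occurs at least min_count times."""
    per_process: Dict[str, List[str]] = {}
    for e in events:
        per_process.setdefault(e.process, []).append(e.etype)
    counts: Counter = Counter()
    for seq in per_process.values():
        counts.update(zip(seq, seq[1:]))
    return {p: c for p, c in counts.items() if c >= min_count}


def pattern_scores(patterns: Dict[Pattern, int]) -> Dict[Pattern, float]:
    """Pattern score = relative frequency of the pattern among all qualifying patterns
    in the interval, weighted by how rare the pair is under the baseline (assumed formula)."""
    total = sum(patterns.values())
    scores: Dict[Pattern, float] = {}
    for (a, b), count in patterns.items():
        rel_freq = count / total
        rarity = -math.log2(BASELINE.get(a, 0.01) * BASELINE.get(b, 0.01))
        scores[(a, b)] = rel_freq * rarity
    return scores


def composite_score(scores: Dict[Pattern, float]) -> float:
    """Aggregate the pattern scores into one composite score (here, their sum)."""
    return sum(scores.values())


def detect_incident(events: List[Event], start: float, end: float,
                    threshold: float = 5.0) -> Optional[dict]:
    """Return a tagged incident when the composite score is above the threshold, else None."""
    window = events_in_interval(events, start, end)
    patterns = identify_patterns(window)
    if not patterns:
        return None
    scores = pattern_scores(patterns)
    composite = composite_score(scores)
    if composite <= threshold:
        return None
    top = max(scores, key=scores.get)  # pattern with the highest contribution (claim 8)
    return {
        "composite_score": composite,
        "patterns": patterns,
        "contributions": {p: s / composite for p, s in scores.items()},
        "event_type": top[0],   # tag the incident with an event type of the top pattern
        "timestamp": start,     # tag the incident with the interval's timestamp (claim 9)
    }


# Constructed sample: process p1 repeatedly dumps credentials and connects out;
# p2 and p3 only write files, p3 in a later interval.
SAMPLE_EVENTS = [
    Event(1.0, "proc_create", "p1"), Event(2.0, "cred_dump", "p1"),
    Event(3.0, "net_connect", "p1"), Event(4.0, "cred_dump", "p1"),
    Event(5.0, "net_connect", "p1"), Event(6.0, "cred_dump", "p1"),
    Event(7.0, "net_connect", "p1"),
    Event(1.5, "proc_create", "p2"), Event(2.5, "file_write", "p2"),
    Event(3.5, "file_write", "p2"), Event(4.5, "file_write", "p2"),
    Event(8.5, "net_connect", "p2"),
    Event(12.0, "proc_create", "p3"), Event(13.0, "file_write", "p3"),
    Event(14.0, "file_write", "p3"), Event(15.0, "file_write", "p3"),
]

if __name__ == "__main__":
    print(detect_incident(SAMPLE_EVENTS, 0.0, 10.0))   # incident tagged cred_dump
    print(detect_incident(SAMPLE_EVENTS, 10.0, 20.0))  # None: only benign file writes
```

In the first interval the three qualifying patterns are (cred_dump, net_connect) three times, (net_connect, cred_dump) twice and (file_write, file_write) twice; the two credential-related pairs carry almost all of the composite score because they are rare under the baseline, so the incident is tagged with the event type cred_dump and the interval start. The second interval contains only repeated file writes, whose single pattern scores below the threshold, which is the behaviour a practitioner wants to verify when choosing the threshold: frequent but benign repetition must not trigger on its own.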

Per claim 7 (dependent on claim 6):
Apostolopoulos ‘888 discloses the elements detailed in the rejection of claim 6 above, incorporated herein by reference.
Apostolopoulos ‘888 discloses: The method of claim 6, wherein the events of the plurality of the events are produced by at least one process or at least one thread. (FIG. 1, [0059], “each client device 102 may host or execute one or more client applications 110 that are capable of interacting with one or more host devices 106 via one or more networks 104” [Emphasis added.]; [0060], “a client application 110 may include a monitoring component 112 … including monitoring network traffic sent and received from the client device and collecting other device and/or application-specific information” [Emphasis added.]; [0062], “performance data generated by the monitoring functionality is sent to the system 108 to facilitate analysis of the performance data by a developer of the client application or other users” [Emphasis added.] where data associated with network traffic, device and application, which are generated from interactions (detected events) between the client application 102 (one process) and the host device 106 are collected by the monitoring component 112 at the client device 102 (monitored computing device) for the data to be received at the system 108 for analysis.).

Per claim 8 (dependent on claim 6):
Apostolopoulos ‘888 discloses the elements detailed in the rejection of claim 6 above, incorporated herein by reference.
Apostolopoulos ‘888 discloses: The method of claim 6, further comprising determining an event type associated with the incident based at least in part on a pattern of the patterns having relatively high contribution score ([0232], “a ranking can be first performed based on the values of the nodes. For example, for a node that has a value on a feature that has a ranking that is over 99%, the score for that node on that feature can be +2. Similarly, if a node has a value on a feature that has a ranking that exceeds 90%, then the score for that node on that feature can be +1.” [Emphasis added.] where a (group interest) score (i.e., composite score) may have a higher or lower value (contribution score) in proportion to a ranking associated with a value on a feature (pattern) at a node.).

Per claim 9 (dependent on claim 8):
Apostolopoulos ‘888 discloses the elements detailed in the rejection of claim 8 above, incorporated herein by reference.
Apostolopoulos ‘888 discloses: The method of claim 8, further comprising: tagging the incident with the event type; tagging the incident with a timestamp associated with the time interval (FIG. 3, [0074], “At block 302 … receives data from an input source, such as a data source 202 shown in FIG. 2.” [Emphasis added.]; [0075], “At block 304 … annotates each block generated from the raw data with one or more metadata fields … the metadata fields may include separate fields specifying each of a host, a source, and a source type related to the data block.” [Emphasis added.]; [0079], “At block 306, an indexer receives data blocks … parses the data to organize the data into events.” [Emphasis added.]; [0081], “At block 310, the indexer associates with each event one or more metadata fields including a field containing the timestamp (in some embodiments, a timestamp may be included in the metadata fields) determined for the event.” [Emphasis added.]; FIG. 18, [0206], “At step 1840 … For each event, the process identifies one or more computer network activities of a particular type based on the event-specific relationship graph. The identified computer network activities are associated with the same entity and occur during a predefined time period” [Emphasis added.] where data from input sources is parsed to get events for which metadata fields including a timestamp are associated with the events

Per claim 10 (dependent on claim 9):
Apostolopoulos ‘888 discloses the elements detailed in the rejection of claim 9 above, incorporated herein by reference.
Apostolopoulos ‘888 discloses: The method of claim 9, further comprising generating a time series graph to present one or more incidents and information tagged with the one or more incidents ([0044], “An event comprises a portion of the machine-generated data … For example, events may be derived from "time series data," where the time series data comprises a sequence of data points” [Emphasis added.]; FIG. 17, [0201], “The graph library component 1750 can further break down the projections into a plurality of files. Each of the files stores network activities that have occurred in a particular time period.” [Emphasis added.]; FIG. 19, [0224], “At step 1910, data related to events that have occurred in the network can be accessed by an analytic engine … An example of such data input can be a projection of a composite relationship graph, such as an anomaly projection 1730 (i.e., a subset of a composite relationship graph that includes edges representing a plurality of anomaly activities conducted by entities)” [Emphasis added.]; [0227], “At step 1920, the nodes in the anomaly graph are assigned to a number of groups … based on the timestamps of the underlying events of the nodes.” [Emphasis added.] where data related to events including a composite relationship graph (time series graph, See FIG. 17) are assigned to nodes in the anomaly graph based on the timestamps of the underlying events (incidents) of the nodes for generating a number of groups that may represent a set of features (information).).

Per claim 13 (dependent on claim 6):

Apostolopoulos ‘888 discloses: The method of claim 6, wherein the incident is tagged with at least one or more of a behavior classification, a malware classification, or an adversary attribution (FIG. 17, [0201], “The graph library component 1750 can further break down the projections into a plurality of files. Each of the files stores network activities that have occurred in a particular time period.” [Emphasis added.]; FIG. 19, [0224], “At step 1910, data related to events that have occurred in the network can be accessed by an analytic engine … An example of such data input can be a projection of a composite relationship graph, such as an anomaly projection 1730 (i.e., a subset of a composite relationship graph that includes edges representing a plurality of anomaly activities conducted by entities)” [Emphasis added.]; [0227], “At step 1920, the nodes in the anomaly graph are assigned to a number of groups … based on the timestamps of the underlying events of the nodes.” [Emphasis added.] where data related to events including a composite relationship graph (See FIG. 17) are assigned to nodes in the anomaly graph based on the timestamps of the underlying events (incidents) of the nodes for generating a number of groups. Note that a certain group may represent a specific activity associated with the anomaly or features.).

Per claim 15 (independent):
Apostolopoulos ‘888 discloses: One or more computer-readable media having computer executable instructions that, when executed by one or more processors, cause the one or more processors to perform operations comprising: receiving, from a monitored computing device, data associated with events detected at the monitored computing device during a time interval; determining malicious events from the events (FIG. 1, [0059], “each client device 102 may host or execute one or more client applications 110 that are capable of interacting with one or more host a monitoring component 112 … including monitoring network traffic sent and received from the client device and collecting other device and/or application-specific information” [Emphasis added.]; [0062], “performance data generated by the monitoring functionality is sent to the system 108 to facilitate analysis of the performance data by a developer of the client application or other users” [Emphasis added.]; [0094], “behavioral analysis (e.g., fraud detection or environmental monitoring) based on machine data … "machine data" can include performance data, diagnostic information and/or any of various other types of data indicative of performance or operation of equipment (e.g., an action such as upload, delete, or log-in) in a computing system … "machine data" as used herein includes timestamped event data,” [Emphasis added.] where data associated with network traffic, device and application, which are generated from interactions (detected events) between the client application 102 (one process) and the host device 106, are collected by the monitoring component 112 at the client device 102 (monitored computing device) for the data to be received at the system 108 for analysis. The behavioral analysis including fraud detection (detection of malicious events) can be performed based on machine data, i.e., the data collected by the monitoring component 112, where the machine data related to various types of data about performance or operation of equipment is given as timestamped event (or time series) data.);
determining patterns in the malicious events based at least in part on the patterns meeting a predetermined criterion; determining pattern scores associated with the patterns based at least in part on respective relative frequencies of occurrence of the patterns (FIG. 18, [0203], “At step 1810, the process receives event data representing a plurality of events on a computer network. The event data are indicative of a plurality of entities and at least one anomaly involved in the events” [Emphasis added.]; [0204], “At step 1820, for each event, the process acquires an event-specific relationship graph … from the data intake and preparation stage”; [0206], “At step 1840 … For each event, the process identifies one or more computer network activities of a particular type based on the event-specific relationship graph. The identified computer network activities are associated with the same entity and occur during a predefined time period” [Emphasis added.]; [0208], “At step 1850, the process combines the event-specific relationship graphs for the received events with the anomaly data into a composite relationship graph. The composite relationship graph includes nodes that represent the entities involved in the events and nodes that represent the anomalies detected based on the event data” [Emphasis added.]; FIG. 17, [0201], “The graph library component 1750 can further break down the projections into a plurality of files. Each of the files stores network activities that have occurred in a particular time period.” [Emphasis added.]; [0217], “At step 1880, … confirms that the anomalies form a security threat by applying a security rule to the anomalies based on assigned categories of the anomalies” [Emphasis added.]; [0220], “a graph-based network security analytic framework” [Emphasis added.]; [0221], “the input can be data reflecting events that represent activities that are already flagged as anomalies … or … regular network activities … The entities associated with the activities can be grouped into smaller time units … For each time unit, all values corresponding to a number of features (e.g., count of anomalies, anomaly types, entities involved, and timing) are gathered from the entities (and underlying events) in the time unit … computing a risk score for each day and according to the features in the unit … The riskiest days can be selected, for example, by taking a threshold or by clustering the days” [Emphasis added.] where an event-specific relationship graph is acquired based on data representing a plurality of events indicative of entities and anomaly involved in the events. For each event, the computer network activities of a particular type in the event-specific relationship graph are identified while the activities occur during a predetermined time period. The event-specific relationship graphs for the received events are combined with the anomaly data into a composite relationship graph. The composite relationship graph can include a plurality of projections (See FIG. 17), where each projection indicates a particular category (pattern) of network activities. Note that the projection can be divided into a
determining a composite score based at least in part on aggregating the pattern scores; determining an incident indicating malicious activity is detected based at least in part on determining that the composite score meets or exceeds a predetermined threshold score (FIG. 19, [0224], “At step 1910, data related to events that have occurred in the network can be accessed by an analytic engine … An example of such data input can be a projection of a composite relationship graph, such as an anomaly projection 1730 (i.e., a subset of a composite relationship graph that includes edges representing a plurality of anomaly activities conducted by entities)” [Emphasis added.]; [0227], “At step 1920, the nodes in the anomaly graph are assigned to a number of groups … based on the timestamps of the underlying events of the nodes.”; [0228], “After step 1920 and before step 1930, a group interest score can be generated for each of the groups” [Emphasis added.]; FIG. 20, [0229], “At step 2010, a group interest score for a respective group can be generated based on a set of features from the respective group … The list of features are selected to reflect or capture how "interesting" or "risky" a set of anomalies is … (1) the count of the anomalies in the group, (2) the count of distinct anomaly types in the group, (3) the count of the distinct of machine learning models that raised anomalies in the group … (4) the sum of the scores of off-hours anomalies in the group … (6) the sum of the scores of rule-based anomalies in the group” [Emphasis added.]; [0233], “At step 2020, the number of groups can be ranked based on their group interest scores … the number of groups can be selected based on their group interest scores, and depending on the implementation, only a predetermined number of top ranked groups (i.e., the most interesting anomalousDays) are selected for further processing … a threshold can ;
determining additional information for the incident including at least one of behavior classification, malware classification, or an adversary attribution using the data associated with the events; and tagging the incident with the additional information (FIG. 17, [0201], “The graph library component 1750 can further break down the projections into a plurality of files. Each of the files stores network activities that have occurred in a particular time period.” [Emphasis added.]; FIG. 19, [0224], “At step 1910, data related to events that have occurred in the network can be accessed by an analytic engine … An example of such data input can be a projection of a composite relationship graph, such as an anomaly projection 1730 (i.e., a subset of a composite relationship graph that includes edges representing a plurality of anomaly activities conducted by entities)” [Emphasis added.]; [0227], “At step 1920, the nodes in the anomaly graph are assigned to a number of groups … based on the timestamps of the underlying events of the nodes.” [Emphasis added.] where data related to events including a composite relationship graph (See FIG. 17) are assigned to nodes in the anomaly graph based on the timestamps of the underlying events (incidents) of the nodes for generating a number of groups. Note that a certain group may represent a specific activity associated with the anomaly or features.).

Per claim 16 (dependent on claim 15):

Apostolopoulos ‘888 discloses: The one or more computer-readable media as recited in claim 15, wherein determining the patterns includes determining a pattern of the patterns based at least in part on a malicious event of the malicious events is detected across multiple monitored computing devices during the time interval (FIG. 1, [0057], “a host application 114 comprising a web server may generate one or more web server logs in which details of interactions between the web server and any number of client devices 102 is recorded” [Emphasis added.]; [0059], “each client device 102 may host or execute one or more client applications 110 that are capable of interacting with one or more host devices 106 via one or more networks 104” [Emphasis added.]; [0060], “a client application 110 may include a monitoring component 112 … including monitoring network traffic sent and received from the client device and collecting other device and/or application-specific information” [Emphasis added.]; [0062], “performance data generated by the monitoring functionality is sent to the system 108 to facilitate analysis of the performance data by a developer of the client application or other users” [Emphasis added.]; [0094], “behavioral analysis (e.g., fraud detection or environmental monitoring) based on machine data … "machine data" can include performance data, diagnostic information and/or any of various other types of data indicative of performance or operation of equipment (e.g., an action such as upload, delete, or log-in) in a computing system … "machine data" as used herein includes timestamped event data,” [Emphasis added.] where data associated with network traffic, device and application, which are generated from interactions (detected events) between the client application 102 (one process) and the host device 106, are collected by the monitoring component 112 at the client device 102 (monitored computing device) for the data to be received at the system 108 for analysis. The behavioral analysis can be performed based on machine data, i.e., the data collected by the monitoring component 112, where the machine data related to various types of data (respective event types) about

Per claim 17 (dependent on claim 15):
Apostolopoulos ‘888 discloses the elements detailed in the rejection of claim 15 above, incorporated herein by reference.
Apostolopoulos ‘888 discloses: The one or more computer-readable media as recited in claim 15, wherein the operations further comprise: ranking incidents based on associated composite scores; and determining one or more incidents to present based at least in part on the ranking ([0233], “At step 2020, the number of groups can be ranked based on their group interest scores … the number of groups can be selected based on their group interest scores, and depending on the implementation, only a predetermined number of top ranked groups (i.e., the most interesting anomalousDays) are selected for further processing … a threshold can be implemented so as to select the groups that have scores exceeding the threshold” [Emphasis added.]).

Per claim 18 (dependent on claim 17):
Apostolopoulos ‘888 discloses the elements detailed in the rejection of claim 17 above, incorporated herein by reference.
The limitations of the claim(s) correspond(s) to features of claim 10 and the claim(s) is/are rejected for the reasons detailed with respect to claim 10.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-4 is/are rejected under 35 U.S.C. 103 as being unpatentable over Apostolopoulos ‘888 in view of Gordeychik et al., US-20190104140-A1 (hereinafter “Gordeychik ‘140”).
Per claim 1 (independent):
Apostolopoulos ‘888 discloses: A system comprising: one or more processors; and programming instructions configured to be executed by the one or more processors to perform operations comprising: receiving, from a monitored computing device, data associated with events detected at the monitored computing device, wherein the events are produced by at least one process or at least one thread, individual events of the events having respective event types (FIG. 1, [0059], “each client device 102 may host or execute one or more client applications 110 that are capable of interacting with one or more host devices 106 via one or more networks 104” [Emphasis added.]; [0060], “a client application 110 may include a monitoring component 112 … including monitoring network traffic sent and received from the client device and collecting other device and/or application-specific information” [Emphasis added.]; [0062], “performance data generated by the monitoring functionality is sent to the system 108 to facilitate analysis of the performance data by a developer of the client application or other users” [Emphasis added.]; [0094], “behavioral analysis (e.g., fraud detection or environmental monitoring) based on machine data … "machine data" can include performance data, diagnostic information and/or any of various other types of data indicative of performance or operation of equipment (e.g., an action such as upload, delete, or log-in) in a computing timestamped event data,” [Emphasis added.] where data associated with network traffic, device and application, which are generated from interactions (detected events) between the client application 102 (one process) and the host device 106 are collected by the monitoring component 112 at the client device 102 (monitored computing device) for the data to be received at the system 108 for analysis. 
The behavioral analysis can be performed based on machine data, i.e., the data collected by the monitoring component 112, where machine data of various types (respective event types) about the performance or operation of equipment is given as timestamped event (or time series) data.);
determining a plurality of the events from the data for a time interval; identifying patterns within the plurality of the events based at least in part on the patterns meeting a first predetermined criterion; determining pattern scores associated with the patterns based at least in part on respective relative frequencies of occurrence of the patterns (FIG. 18, [0203], “At step 1810, the process receives event data representing a plurality of events on a computer network. The event data are indicative of a plurality of entities and at least one anomaly involved in the events” [Emphasis added.]; [0204], “At step 1820, for each event, the process acquires an event-specific relationship graph … from the data intake and preparation stage”; [0206], “At step 1840 … For each event, the process identifies one or more computer network activities of a particular type based on the event-specific relationship graph. The identified computer network activities are associated with the same entity and occur during a predefined time period” [Emphasis added.]; [0208], “At step 1850, the process combines the event-specific relationship graphs for the received events with the anomaly data into a composite relationship graph. The composite relationship graph includes nodes that represent the entities involved in the events and nodes that represent the anomalies detected based on the event data” [Emphasis added.]; FIG. 17, [0201], “The graph library component 1750 can further break down the projections into a plurality of files.
Each of the files stores network activities that have occurred in a particular time period.” [Emphasis added.]; [0217], “At step 1880, … confirms that the anomalies form a security threat by applying a security rule to the anomalies based on assigned categories of the anomalies” [Emphasis added.]; [0220], “a graph-based network security analytic framework” [Emphasis added.]; [0221], “the input can be data reflecting events that represent activities that are already flagged as anomalies … or … regular network activities … The entities associated with the activities can be grouped into smaller time units … For each time unit, all values corresponding to a number of features (e.g., count of anomalies, anomaly types, entities involved, and timing) are gathered from the entities (and underlying events) in the time unit … computing a risk score for each day and according to the features in the unit … The riskiest days can be selected, for example, by taking a threshold or by clustering the days” [Emphasis added.] where an event-specific relationship graph is acquired based on data representing a plurality of events indicative of entities and anomalies involved in the events. For each event, the computer network activities of a particular type in the event-specific relationship graph are identified while the activities occur during a predetermined time period. The event-specific relationship graphs for the received events are combined with the anomaly data into a composite relationship graph. The composite relationship graph can include a plurality of projections (see FIG. 17), where each projection indicates a particular category (pattern) of network activities. Note that the projection can be divided into a plurality of files according to a particular time period (predetermined criterion). Based on the graph-based network security analytic framework, event data can be grouped into smaller time periods.
Thus, for example, a risk score (pattern score) may be calculated for each day according to the features in the unit such as the count of anomalies, anomaly types, entities and timing (relative frequencies of occurrence of the patterns).);
determining a composite score  for the plurality of the events based at least in part on the pattern scores; determining that the plurality of the events is associated with an incident indicating malicious activity based at least in part on the composite score; and tagging the incident with [additional data]; [and separately discloses the incident with] an event type of the event types based at least in part of a pattern of the patterns meeting a second predetermined criterion (FIG.19, [0224], “At step 1910, data related to events that have occurred in the network can be accessed by an analytic engine … An example of such data input can be a projection of a composite relationship graph, such as an anomaly projection 1730 (i.e., a subset of a composite relationship graph that includes edges representing a plurality of anomaly activities conducted by entities)” [Emphasis added.]; [0227], “At step 1920, the nodes in the anomaly graph are assigned to a number of groups … based on the timestamps of the underlying events of the nodes.”; [0228], “After step 1920 and before step 1930, a group interest score can be generated for each of the groups” [Emphasis added.]; FIG. 
20, [0229], “At step 2010, a group interest score for a respective group can be generated based on a set of features from the respective group … The list of features are selected to reflect or capture how "interesting" or "risky" a set of anomalies is … (1) the count of the anomalies in the group, (2) the count of distinct anomaly types in the group, (3) the count of the distinct of machine learning models that raised anomalies in the group … (4) the sum of the scores of off-hours anomalies in the group … (6) the sum of the scores of rule-based anomalies in the group” [Emphasis added.]; [0233], “At step 2020, the number of groups can be ranked based on their group interest scores … the number of groups can be selected based on their group interest scores, and depending on the implementation, only a predetermined number of top ranked groups (i.e., the most interesting anomalousDays) are selected for further processing … a threshold can be implemented so as to select the groups that have scores exceeding the threshold” [Emphasis added.] where the nodes (entities) in the anomaly group, i.e., the anomaly projection 1730 including anomaly activities (events), are assigned to a number of groups for which a group interest score (composite score) can be generated based on a set of features including the count of the anomalies in the group from the respective group, the sum of the scores of off-hours anomalies in the group, associated with the risk scores (pattern scores). Thus, the group interest score indicates how interesting/risky 
Apostolopoulos ‘888 does not disclose but Gordeychik ‘140 discloses: tagging the incident with an event type of the event types based at least in part of a pattern of the patterns ([0089], “the threat database 111 contains identifiers and information on objects which are signs of threats. Each object in the threat database 111 is labeled with a corresponding tag. For example, malicious objects may correspond to the tag "malicious object". If an object was used in a specific targeted attack, it will be assigned a corresponding tag.” [Emphasis added.]; FIG. 4, [0108], “The detection module 110 extracts the object 401 from the security notification 402 received and does a search for the object 401 in the threat database 111 (Level 1). If the search result is affirmative, the detection module 110 adds a tag 410 corresponding to this object 401 in the threat database 111” [Emphasis added.] where, if the detection module 110 finds a match for a search of the object 401 against the threat database 111, the detection module 110 adds the tag 410 to the threat database 111 (see also FIG. 6a).).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Apostolopoulos ‘888 by adding, via a detection module, a tag matched for an object in a threat database as taught by Gordeychik ‘140, because it would enhance the detection of computer attacks executed without the use of malicious software by determining that a computer attack has occurred when the object, a first tag and a second tag are found in a database of computer attacks [0006][0009].

Per claim 2 (dependent on claim 1):
Apostolopoulos ‘888 in view of Gordeychik ‘140 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
The system of claim 1, wherein the operations further include: ranking incidents according to composite scores associated with the incidents; and surfacing one or more incidents to present based at least in part on the ranking ([0233], “At step 2020, the number of groups can be ranked based on their group interest scores … the number of groups can be selected based on their group interest scores, and depending on the implementation, only a predetermined number of top ranked groups (i.e., the most interesting anomalousDays) are selected for further processing … a threshold can be implemented so as to select the groups that have scores exceeding the threshold” [Emphasis added.]).

Per claim 3 (dependent on claim 2):
Apostolopoulos ‘888 in view of Gordeychik ‘140 discloses the elements detailed in the rejection of claim 2 above, incorporated herein by reference.
Apostolopoulos ‘888 discloses: The system of claim 2, wherein the operations further include: tagging the incident with a timestamp associated with the time interval as metadata (FIG. 3, [0074], “At block 302 … receives data from an input source, such as a data source 202 shown in FIG. 2.” [Emphasis added.]; [0075], “At block 304 … annotates each block generated from the raw data with one or more metadata fields.” [Emphasis added.]; [0079], “At block 306, an indexer receives data blocks … parses the data to organize the data into events.” [Emphasis added.]; [0081], “At block 310, the indexer associates with each event one or more metadata fields including a field containing the timestamp (in some embodiments, a timestamp may be included in the metadata fields) determined for the event.” [Emphasis added.] where data from input sources is parsed into events, and metadata fields including a timestamp are associated with the events through an annotation (tagging) process.);
generating a time series graph to present the one or more incidents and one or more composite scores associated with the one or more incidents ([0044], “An event comprises a portion of events may be derived from "time series data," where the time series data comprises a sequence of data points” [Emphasis added.]; FIG. 17, [0201], “The graph library component 1750 can further break down the projections into a plurality of files. Each of the files stores network activities that have occurred in a particular time period.” [Emphasis added.]; FIG.19, [0224], “At step 1910, data related to events that have occurred in the network can be accessed by an analytic engine … An example of such data input can be a projection of a composite relationship graph, such as an anomaly projection 1730 (i.e., a subset of a composite relationship graph that includes edges representing a plurality of anomaly activities conducted by entities)” [Emphasis added.]; [0227], “At step 1920, the nodes in the anomaly graph are assigned to a number of groups … based on the timestamps of the underlying events of the nodes.”; [0228], “After step 1920 and before step 1930, a group interest score can be generated for each of the groups” [Emphasis added.] where data related to events including a composite relationship graph (time series graph, See FIG.17) are assigned to nodes in the anomaly graph based on the timestamps of the underlying events (incidents) of the nodes for generating a number of groups on which a group interest score (composite score) is generated.).

Per claim 4 (dependent on claim 1):
Apostolopoulos ‘888 in view of Gordeychik ‘140 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
Apostolopoulos ‘888 discloses: The system of claim 1, wherein determining the plurality of the events from the data includes determining that the event types are associated with targeted activity (FIG. 17, FIG. 18, [0203], “At step 1810, the process receives event data representing a plurality of events on a computer network. The event data are indicative of a plurality of entities and at least one anomaly involved in the events” [Emphasis added.]; [0204], “At step 1820, for each event, the process acquires an event-specific relationship graph … from the data intake and preparation stage”; [0206], “At step 1840 … For each event, the process identifies one or more computer network activities of a particular type based on the event-specific relationship graph.” [Emphasis added.]; [0208], “At step 1850, the process combines the event-specific relationship graphs for the received events with the anomaly data into a composite relationship graph. The composite relationship graph includes nodes that represent the entities involved in the events and nodes that represent the anomalies detected based on the event data” [Emphasis added.] where data representing a plurality of events indicative of entities and anomalies involved in the events are identified to create an event-specific relationship graph, with which the anomaly data is combined into a composite relationship graph including a plurality of projections (targeted activity) as in FIG. 17.).

Claim(s) 5 is/are rejected under 35 U.S.C. 103 as being unpatentable over Apostolopoulos ‘888 in view of Gordeychik ‘140 as applied to claim 1 above, and further in view of Brown et al., US-20170163669-A1 (hereinafter “Brown ‘669”).
Per claim 5 (dependent on claim 1):
Apostolopoulos ‘888 in view of Gordeychik ‘140 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
Apostolopoulos ‘888 in view of Gordeychik ‘140 does not disclose but Brown ‘669 discloses: The system of claim 1, wherein the operations further include: determining a distribution of event types of the events within the patterns; and determining that the patterns are associated with targeted activity based at least in part on the distribution of event types within the patterns (FIG. 20, [0088], “FIG. 20 shows a flow-control diagram of the routine "calculate event-type probability distribution" called in block 1912 of FIG. 19 … the event type counter is incremented (i.e., EF1 =EF1+1) … In block 2010, each time an event type is counted in blocks 2007-2009, total number of event types counter NET is incremented … In block 2013, a probability is calculated for each of the event types” [Emphasis added.]; a measure of the difference between the previous and recent event-type probability distributions … In decision block 2107, when the JSD value is greater than a threshold, Th, … an alert is generated on an administration computer system console” [Emphasis added.] where an event-type probability distribution is determined over the event types as in FIG. 20. The difference between the previous and recent event-type probability distributions (patterns) is then measured by the JSD and compared with a threshold to detect anomalies (targeted activity).).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Apostolopoulos ‘888 in view of Gordeychik ‘140 with the calculation of an event-type probability distribution for detecting anomalies by comparing a JSD value with a threshold as taught by Brown ‘669, because it would mitigate a significant computational challenge by comparing previous behavior of the computer system with current behavior of the computer system rather than searching for relevant event messages within an enormous volume of event messages [0060-0061].
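The following is an added worked example of the technique relied on above for claim 5 and, through the count/total-count ratio, for claims 11 and 12 discussed later in this action. It is not code from Brown ‘669, Apostolopoulos ‘888, Gordeychik ‘140 or the application under examination. A probability is computed for each event type as its count divided by the total count, the previous and recent distributions are compared with the Jensen-Shannon divergence (JSD), and an alert is raised when the JSD exceeds a threshold. The two event windows, the window size and the threshold value are constructed for the example and are not taken from any reference.

```python
"""Event-type probability distribution and JSD drift check (added example)."""
from collections import Counter
from math import log2

# Constructed sample windows of (timestamp, event_type); not from any reference.
PREVIOUS_WINDOW = [
    (1000, "process_start"), (1001, "file_write"), (1002, "file_write"),
    (1003, "dns_query"), (1004, "process_start"), (1005, "file_write"),
    (1006, "dns_query"), (1007, "file_write"),
]
RECENT_WINDOW = [
    (2000, "process_start"), (2001, "credential_read"), (2002, "credential_read"),
    (2003, "file_write"), (2004, "credential_read"), (2005, "dns_query"),
    (2006, "credential_read"), (2007, "credential_read"),
]
ALERT_THRESHOLD = 0.2  # constructed; in practice tuned against benign windows


def event_type_distribution(events):
    """Probability per event type: count of that type / total count of events."""
    counts = Counter(event_type for _, event_type in events)
    total = sum(counts.values())  # the running total counter (NET in Brown '669)
    if total == 0:
        return {}
    return {event_type: n / total for event_type, n in counts.items()}


def _entropy_bits(dist):
    """Shannon entropy in bits; zero-probability entries contribute nothing."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def jensen_shannon_divergence(p, q):
    """JSD in bits: H(M) - (H(P) + H(Q)) / 2, with M the average of P and Q.

    Symmetric and bounded: 0 for identical distributions, 1 for disjoint support,
    and defined even when an event type appears in only one of the windows.
    """
    support = set(p) | set(q)
    m = {k: 0.5 * p.get(k, 0.0) + 0.5 * q.get(k, 0.0) for k in support}
    return _entropy_bits(m) - 0.5 * _entropy_bits(p) - 0.5 * _entropy_bits(q)


def drift_check(previous, recent, threshold=ALERT_THRESHOLD):
    """Return (jsd, alert): alert is True when the recent window's event-type
    distribution has drifted from the previous window's by more than threshold."""
    jsd = jensen_shannon_divergence(event_type_distribution(previous),
                                    event_type_distribution(recent))
    return jsd, jsd > threshold


if __name__ == "__main__":
    jsd, alert = drift_check(PREVIOUS_WINDOW, RECENT_WINDOW)
    print(f"JSD={jsd:.3f} alert={alert}")
```

Because the JSD is bounded between 0 and 1 bit, a single threshold can be applied across hosts with very different event volumes; the sample recent window, dominated by a type absent from the previous window, scores roughly 0.43 and trips the 0.2 threshold, while comparing a window with itself scores 0.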

Claim(s) 11-12 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Apostolopoulos ‘888 in view of Brown ‘669.
Per claim 11 (dependent on claim 6):
Apostolopoulos ‘888 discloses the elements detailed in the rejection of claim 6 above, incorporated herein by reference.
Apostolopoulos ‘888 does not disclose but Brown ‘669 discloses: The method of claim 6, further comprising: determining a total count of based at least in part on a count of the patterns identified within the plurality of the events; and determining a pattern count associated with a pattern of the patterns based at least in part on the number of detections for the pattern within the plurality of the events (FIG. 20, [0088], “FIG. 20 shows a flow-control diagram of the routine "calculate event-type probability distribution" called in block 1912 of FIG. 19 … the event type counter is incremented (i.e., EF1 =EF1+1) …  In block 2010, each time an event type is counted in blocks 2007-2009, total number of event types counter NET is incremented … In block 2013, a probability is calculated for each of the event types” [Emphasis added.] where event-type probability distributions (patterns) are calculated for each event type. For each event message, an event type counter (pattern count) increments if the event type is detected (number of detections). Then, the total number (total count) of the event types counter NET is determined.).

Per claim 12 (dependent on claim 11):
Apostolopoulos ‘888 in view of Brown ‘669 discloses the elements detailed in the rejection of claim 11 above, incorporated herein by reference.
Apostolopoulos ‘888 does not disclose but Brown ‘669 discloses: The method of claim 11, further comprising: determining a pattern score of the pattern scores is based at least in part on a ratio of the pattern count with respect to the total count (FIG. 20, [0088], “FIG. 20 shows a flow-control diagram of the routine "calculate event-type probability distribution" called in block 1912 of FIG. 19 … the event type counter is incremented (i.e., EF1 =EF1+1) … In block 2010, each time an event type is counted in blocks 2007-2009, total number of event types counter NET is incremented … In block 2013, a probability is calculated for each of the event types” [Emphasis added.] where, in block 2012, for each event type s, a probability (pattern score) is computed by dividing the event type s counter (pattern count) by the total number of event types counter NET (total count).).

Per claim 20 (dependent on claim 15):
Apostolopoulos ‘888 discloses the elements detailed in the rejection of claim 15 above, incorporated herein by reference.
The limitations of the claim(s) correspond(s) to features of claim 5 and the claim(s) is/are rejected for the reasons detailed with respect to claim 5.

Claim(s) 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Apostolopoulos ‘888 in view of Kouznetsov, US-6973577-B1 (hereinafter “Kouznetsov ‘577”).
Per claim 14 (dependent on claim 6):
Apostolopoulos ‘888 discloses the elements detailed in the rejection of claim 6 above, incorporated herein by reference.
Apostolopoulos ‘888 does not disclose but Kouznetsov ‘577 discloses: The method of claim 6, further comprising: determining that a distribution of event types within the pattern is found in a catalog of distributions associated with malicious events; and in response, determining that the plurality of the events is associated with malicious events ([Col. 5], ll. 43-45, “Specific sequences of the monitored events are organized into histograms which identify behavior characteristic of computer viruses.” [Emphasis added.]; [Col. 5], ll. 55-58, “Here, the number of new data bytes n written is the key: a pattern of the same number of bytes n repeatedly written into different application program files at the end of the files indicates potentially viral activity” [Emphasis added.]; [Col. 6], ll. 25-29, “Still other sequences characteristic of computer virus behaviors are described in M. Ludwig, "The Giant Black Book of Computer Viruses," Part I, pp. 27-271, Am. Eagle Pub., Inc. (2d ed. 1998), the disclosure of which is incorporated herein by reference.” where the sequences of monitored events are distributed into the histograms according to behavioral characteristics (event types) and if the patterns of the sequence of events (distribution of event types) which correspond to specific malware are found in the catalog
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Apostolopoulos ‘888 by organizing monitored event sequences into histograms and comparing them against a catalog such as the Giant Black Book of Computer Viruses to indicate viral activity as taught by Kouznetsov ‘577, because it would improve the detection of computer viruses by dynamically analyzing monitored events against updatable catalogs instead of performing a static check (Col. 1, l. 57 to Col. 2, l. 41).

Allowable Subject Matter
Claim(s) 19 is/are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims and if amended to overcome the rejection under 35 U.S.C. 101.
The claims contain the following underlined features which, when combined with the other features of the claim, the prior art of record fails to anticipate or render obvious as of the effective filing date of the instant invention:
Per claim 19 (dependent on claim 15):
The one or more computer-readable media as recited in claim 15, wherein the operations further comprise:
determining a start time for the incident based at least in part on determining that a first composite score meets or exceeds the predetermined threshold score at a first time of events; and
determining an end time for the incident based at least in part on determining that a second composite score is below the predetermined threshold score at a second time of events, wherein the second time of events is after the first time of events.
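The following is an added worked example tying together the incident scoring discussed for claims 1 and 2 above with the start/end-time feature of claim 19. It is not code from Apostolopoulos ‘888, Gordeychik ‘140 or the application under examination. Events are bucketed into fixed time intervals; within each interval, patterns (taken here to be adjacent pairs of event types) are scored by their relative frequency; the composite score of the interval is the sum of the scores of the patterns that meet a first criterion (membership in a watchlist); an incident starts at the first interval whose composite score meets the threshold and ends at the first later interval whose score falls below it; the incident is tagged with its dominant watchlisted pattern; and incidents are ranked by peak composite score. The event stream, the interval length, the watchlist and the threshold are constructed assumptions for the example.

```python
"""Composite-score incidents with start/end times and ranking (added example)."""
from collections import Counter

INTERVAL_SECONDS = 60   # constructed interval length
SCORE_THRESHOLD = 0.5   # constructed "predetermined threshold score"

# Constructed event stream of (timestamp, event_type); not from any reference.
EVENTS = [
    (5, "process_start"), (12, "file_write"), (20, "dns_query"), (30, "file_write"),
    (61, "process_start"), (70, "credential_read"), (75, "network_connect"), (80, "file_write"),
    (125, "credential_read"), (130, "network_connect"), (135, "credential_read"),
    (140, "network_connect"), (150, "file_write"),
    (181, "process_start"), (190, "file_write"), (200, "dns_query"),
    (242, "process_start"), (250, "credential_read"), (255, "file_write"),
    (301, "file_write"), (310, "dns_query"),
]

# Assumed first predetermined criterion: only patterns on this hypothetical,
# analyst-maintained watchlist of suspicious adjacent event types are scored.
SUSPICIOUS_PATTERNS = {
    ("process_start", "credential_read"),
    ("credential_read", "network_connect"),
}


def bucket_by_interval(events, interval):
    """Map each interval start time to the event types in it, in time order."""
    buckets = {}
    for ts, event_type in sorted(events):
        buckets.setdefault((ts // interval) * interval, []).append(event_type)
    return buckets


def pattern_scores(event_types):
    """Pattern score = relative frequency of each adjacent event-type pair."""
    pairs = list(zip(event_types, event_types[1:]))
    if not pairs:
        return {}
    counts = Counter(pairs)
    return {pattern: n / len(pairs) for pattern, n in counts.items()}


def composite_score(scores, watchlist):
    """Composite score of an interval = sum of its watchlisted pattern scores."""
    return sum(score for pattern, score in scores.items() if pattern in watchlist)


def _finalize(incident):
    """Assumed second criterion: tag with the watchlisted pattern that accumulated
    the highest score over the incident (ties broken by pattern name)."""
    hits = incident.pop("hits")
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    incident["tag"] = ranked[0][0] if ranked else None
    return incident


def find_incidents(events, interval=INTERVAL_SECONDS, watchlist=SUSPICIOUS_PATTERNS,
                   threshold=SCORE_THRESHOLD):
    """Return incidents as dicts with start, end, peak and tag.

    start: first interval whose composite score >= threshold.
    end:   first later interval whose composite score < threshold, or None if
           the score never drops below the threshold before the data ends.
    """
    buckets = bucket_by_interval(events, interval)
    incidents, current = [], None
    for start_ts in sorted(buckets):
        scores = pattern_scores(buckets[start_ts])
        score = composite_score(scores, watchlist)
        if score >= threshold:
            if current is None:
                current = {"start": start_ts, "end": None, "peak": score, "hits": Counter()}
            current["peak"] = max(current["peak"], score)
            current["hits"].update({p: s for p, s in scores.items() if p in watchlist})
        elif current is not None:
            current["end"] = start_ts
            incidents.append(_finalize(current))
            current = None
    if current is not None:          # still open at the end of the data
        incidents.append(_finalize(current))
    return incidents


def rank_incidents(incidents):
    """Rank incidents by peak composite score, highest first (claim 2 style)."""
    return sorted(incidents, key=lambda i: i["peak"], reverse=True)


if __name__ == "__main__":
    for inc in rank_incidents(find_incidents(EVENTS)):
        print(inc)
```

On the constructed stream this yields two incidents: one spanning the intervals starting at 60 and 120 (ending at 180, peak 2/3, tagged with the credential_read to network_connect pattern) and a weaker one starting at 240 and ending at 300 (peak 0.5); the ranking surfaces the first. An incident whose score never drops below the threshold before the data runs out is returned with end set to None, which an operator should treat as still open rather than closed.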

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SANGSEOK PARK whose telephone number is (571)272-4332.  The examiner can normally be reached on Monday-Thursday 7:30-5:30 and Alternate Fridays 8:30-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on (571) 272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SANGSEOK PARK/Examiner, Art Unit 2494
/Kevin Bechtel/Primary Examiner, Art Unit 2491