Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This Office Action is in response to the communication and claim amendment filed on 03/01/2021; claims 1-8, 12-16, and 19-20 have been amended; and claims 1, 12, and 19 are independent claims.  Claims 1-20 have been examined and are pending.  This Action is made FINAL.

Information Disclosure Statement
The information disclosure statements (IDSs) submitted on 12/10/2020 are being considered by the examiner.
Response to Arguments
The objection to the claims 1, 6, and 19 is withdrawn as the abstract has been amended.
The rejection of claim 6 under 35 U.S.C. § 112 second paragraph is withdrawn as the claim has been amended.
Applicants’ arguments with respect to the rejections of claims 1-5, 7-11, 12-14, 16-18, and 19-20 under 35 U.S.C. § 101 have been fully considered but they are not persuasive. The rejections of claims 1-5, 7-11, 12-14, 16-18, and 19-20 under 35 U.S.C. § 101 are maintained for the following reasons:
Regarding claim 1, claim 1 is rejected under 35 USC 101 because the claims are/is directed to an abstract idea without being integrated into a practical application nor being significantly more.
The claims reciting the limitations “receiving a plurality of information object …,” “build a first graph …,” “build a second graph …,” “build a unified graph …,” “select, from a graphs database …,” and “determine malicious activity based on the at least one preexisting graph” are directed to an abstract idea as the claims recite a mental process. Accordingly, the claims recite an abstract idea. This judicial exception is not integrated into a practical application. It’s noted that the claims recite additional elements (i.e., processor/memory, computing devices). However, said additional elements are recited at a high level of generality (i.e., as a generic processor performing a generic computer function of determining/sending/receiving/collecting information about the computer system, etc.) such that it amounts to no more than mere instructions to apply the exception using a generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. Therefore, the claims are not integrated into a practical application.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea.   As mentioned above, although the claims recite additional elements, said elements taken individually or as a combination, do not result in the claim amounting to significantly more than the abstract idea because as the 
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using a processor to perform both the ranking and determining steps amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The claims are not patent eligible

Similarly

Regarding claim 12, claim 12 is rejected under 35 USC 101 because the claims are/is directed to an abstract idea without being integrated into a practical application nor being significantly more.
The claims reciting the limitations “collecting a plurality of information objects …,” “determining a plurality of relationships …,” “building at least a first intermediate graph and a second intermediate graph …,” “building a final graph …,” “selecting, from a graph database …,” and “determining malicious activity based on the at least one preexisting graph” are directed to an abstract idea as the claims recite a mental process. Accordingly, the claims recite an abstract idea. This judicial exception is not integrated (i.e., processor/memory, computing devices). However, said additional elements are recited at a high level of generality (a generic processor performing a generic computer function of determining/sending/receiving/collecting information about the computer system, etc.) such that it amounts to no more than mere instructions to apply the exception using a generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. Therefore, the claims are not integrated into a practical application.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea.   As mentioned above, although the claims recite additional elements, said elements taken individually or as a combination, do not result in the claim amounting to significantly more than the abstract idea because as the additional elements perform generic computer content distributing functions routinely used in information technology field.  Generic computer components recited as performing generic computer functions that are well understood, routine and conventional activities amount to no more than implementing the abstract idea with a computerized system.  Therefore, the claims is directed to non-statutory subject matter.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using 
Regarding claims 13-14 and 16-18, claims 13-14 and 16-18 are also rejected under 35 U.S.C 101 as being directed to non-statutory subject matter for the same reasons addressed above as the claims are directed to abstract idea without being integrated into a practical application nor being significantly more.
Regarding claims 19-20, claims 19-20 is rejected under 35 USC 101 because the claims are/is directed to an abstract idea without being integrated into a practical application nor being significantly more.
The claims reciting the limitations “receiving a plurality of information object …,” “build a first graph …,” “build a second graph …,” “build a unified graph …,” “select, from a graphs database …,” “determine a characteristics of the computer system based on the unified graph,” “removing all information objects …,” and “determining at least one new relationship” are directed to an abstract idea as the claims recite a mental process. Accordingly, the claims recite an abstract idea. This judicial exception is not integrated into a practical application. It’s noted that the claims recite additional elements (i.e., processor/memory, computing devices). However, said additional elements are recited at a high level of generality (a generic processor performing a generic computer function of determining/sending/receiving/collecting information about the computer system, etc.) such that it
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea.   As mentioned above, although the claims recite additional elements, said elements taken individually or as a combination, do not result in the claim amounting to significantly more than the abstract idea because as the additional elements perform generic computer content distributing functions routinely used in information technology field.  Generic computer components recited as performing generic computer functions that are well understood, routine and conventional activities amount to no more than implementing the abstract idea with a computerized system.  Therefore, the claims is directed to non-statutory subject matter.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using a processor to perform both the ranking and determining steps amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The claims are not patent eligible.
Applicants’ arguments in the instant amendment, filed on 03/01/2021, with respect to limitations listed below, have been fully considered but they are not persuasive.
a.	Applicants argue:  Ladnai fails to disclose, the required first graph including at least two of the plurality of computer system objects as vertices and at least one of the plurality of relationships as edges, and the required second graph including the at least two of the plurality of computer system objects. Ladnai fails to depict the required vertices and edges of the claimed first and second graphs. Ladnai is simply silent as to the specific first and second graphs required by claim 1 (Applicant Remarks/ Arguments, pages 18-19); Ladnai fails to disclose, the required relationship between the first graph and the second graph and the resulting unified graph; specifically wherein the unified graph includes all identical computer system objects shared between the first graph and the second graph. Ladnai is simply silent as to the specific unified graph required by claim 1 (Applicant Remarks/Arguments, pages 19-20).
The Examiner disagrees with the Applicants. The Examiner respectfully submits that Ladnai does disclose the aforementioned limitations as the following:
Ladnai discloses a graph-building tool configured to: receive information about the computer system for a plurality of computer system objects (Ladnai: par. 0004, A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files.) and a plurality of relationships between the plurality of computer system objects (Ladnai: par. 0004, When a security event is detected, an event graph may be generated based on these causal relationships among the computing objects.), 
(Ladnai: par. 0004, When a security event is detected, an event graph may be generated based on these causal relationships among the computing objects; par. 0099, event graph includes event graph may represent information in the data log 322 in a graph where objects 312 are nodes and events 314 are edges connecting the nodes to one another based on causal or other relationships as generally contemplated herein, See also 0141, 0143). Note that when a security event [i.e. a first security event] is detected, an event graph [i.e. first graph] is generated based on these causal relationships among the computing objects. A vertex (or node) of a graph is one of the objects that are connected together. The connections between the vertices are called edges or links. Therefore, the event graph does include the vertices and edges.
build a second graph including the at least two of the plurality of computer system objects (Ladnai: par. 0004, when a security event is detected, an event graph may be generated based on these causal relationships among the computing objects.). Note that when a security event [i.e. a second security event] is detected, an event graph [i.e. second graph] is generated based on these causal relationships among the computing objects.
build a unified graph based on the first graph and the second graph, wherein the unified graph includes all identical computer system objects shared between the first graph and the second graph (Ladnai: par. 0122, …the event graph is filtered and condensed in a variety of manners to obtain a useful snapshot of events optimized for root cause analytics). Note that “…the event graph is filtered and condensed in a variety of manners [i.e. compress /shorten/summarize] to obtain a useful snapshot of events optimized for root computer system objects shared between the first graph and the second graph”.
It is clear that Ladnai does teach the aforementioned limitations.
b.	Applicants argue: The Office Action has failed to provide evidence of the required selection of at least one preexisting graph similar to the final graph based on a degree of similarity threshold. Ladnai is simply silent as to the specific graph selection (Applicant Remarks/Arguments, pages 20-21).
The Examiner disagrees with the Applicants. The Examiner respectfully submits that Ladnai does disclose the aforementioned limitations as the following:
Ladnai discloses “build a final graph based on the at least first and second intermediate graphs” (Ladnai: par. 0122, …the event graph is filtered and condensed in a variety of manners [i.e. compress/shorten/summarize] to obtain a useful snapshot of events optimized for root cause analytics ), “wherein the final graph includes at least one vertex from the first intermediate graph and at least one vertex from the second intermediate graph and at least one edge connecting the at least one vertex from the first intermediate graph and at least one vertex from the second intermediate graph” (Ladnai: par. 0122, …the event graph is filtered and condensed in a variety of manners  to obtain a useful snapshot of events optimized for root cause analytics), 
select, from a graphs database, at least one preexisting graph similar to the final graph based on a degree of similarity threshold, the at least one preexisting graph that is indicative malicious activity (Ladnai: fig. 3, par. 0084, the data recorder may include a database or data store; par. 0157, evaluating the security state of the endpoint based on the event graph, such as by applying a malware detection rule to the event graph.  This may provide useful diagnostic information by comparing the current event graph to one or more graphs [i.e. selecting at least one preexisting graph similarity] for root causes that have been identified as described above, or by comparing the current event graph to other patterns of events that show a causal relationship among computing objects that is suggestive or indicative of malicious activity).
It is clear that Ladnai does teach the aforementioned limitations.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-5, 7-11, 12-14, 16-18, and 19-20 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.
Regarding claim 1, claim 1 is rejected under 35 USC 101 because the claims are/is directed to an abstract idea without being integrated into a practical application nor being significantly more.
The claims reciting the limitations “receiving a plurality of information object …,” “build a first graph …,” “build a second graph …,” “build a unified graph …,” “select, from a graphs database …,” and “determine malicious activity based on the at least one preexisting graph” are directed to an abstract idea as the claims recite a mental process. Accordingly, the claims recite an abstract idea. This judicial exception is not integrated into a practical application. It’s noted that the claims recite additional elements (i.e., processor/memory, computing devices). However, said additional elements are recited at a high level of generality (a generic processor performing a generic computer function of determining/sending/receiving/collecting information about the computer system, etc.) such that it amounts to no more than mere instructions to apply the exception using a generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. Therefore, the claims are not integrated into a practical application.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea.   As mentioned above, although the claims recite additional elements, said elements taken individually or as a combination, do not result in the claim amounting to significantly more than the abstract idea because as the additional elements perform generic computer content distributing functions routinely used in information technology field.  Generic computer components recited as performing generic computer functions that are well understood, routine and conventional activities amount to no more than implementing the abstract idea with a computerized system.  Therefore, the claims is directed to non-statutory subject matter.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to 

Similarly

Regarding claim 12, claim 12 is rejected under 35 USC 101 because the claims are/is directed to an abstract idea without being integrated into a practical application nor being significantly more.
The claims reciting the limitations “collecting a plurality of information objects …,” “determining a plurality of relationships …,” “building at least a first intermediate graph and a second intermediate graph …,” “building a final graph …,” “selecting, from a graph database …,” and “determining malicious activity based on the at least one preexisting graph” are directed to an abstract idea as the claims recite a mental process. Accordingly, the claims recite an abstract idea. This judicial exception is not integrated into a practical application. It’s noted that the claims recite additional elements (i.e., processor/memory, computing devices). However, said additional elements are recited at a high level of generality (a generic processor performing a generic computer function of determining/sending/receiving/collecting information about the computer system, etc.) such that it amounts to no more than mere instructions to apply the exception using a generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea.   As mentioned above, although the claims recite additional elements, said elements taken individually or as a combination, do not result in the claim amounting to significantly more than the abstract idea because as the additional elements perform generic computer content distributing functions routinely used in information technology field.  Generic computer components recited as performing generic computer functions that are well understood, routine and conventional activities amount to no more than implementing the abstract idea with a computerized system.  Therefore, the claims is directed to non-statutory subject matter.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using a processor to perform both the ranking and determining steps amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The claims are not patent eligible
Regarding claims 13-14 and 16-18, claims 13-14 and 16-18 are also rejected under 35 U.S.C 101 as being directed to non-statutory subject matter for the same reasons 
Regarding claims 19-20, claims 19-20 is rejected under 35 USC 101 because the claims are/is directed to an abstract idea without being integrated into a practical application nor being significantly more.
The claims reciting the limitations “receiving a plurality of information object …,” “build a first graph …,” “build a second graph …,” “build a unified graph …,” “select, from a graphs database …,” “determine a characteristics of the computer system based on the unified graph,” “removing all information objects …,” and “determining at least one new relationship” are directed to an abstract idea as the claims recite a mental process. Accordingly, the claims recite an abstract idea. This judicial exception is not integrated into a practical application. It’s noted that the claims recite additional elements (i.e., processor/memory, computing devices). However, said additional elements are recited at a high level of generality (a generic processor performing a generic computer function of determining/sending/receiving/collecting information about the computer system, etc.) such that it amounts to no more than mere instructions to apply the exception using a generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. Therefore, the claims are not integrated into a practical application.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to 
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using a processor to perform both the ranking and determining steps amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The claims are not patent eligible.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or 
Claims 19-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Ladnai et al. (“Ladnai,” US 2017/0300690, published Oct. 19, 2017).
Regarding claim 19, Ladnai teaches a system for determining a characteristic of a computer system, the system comprising: 
a computing platform including computing hardware of at least one processor and memory (Ladnai: par. 0008) operably coupled to the at least one processor; and 
instructions (Ladnai: par. 0008) that, when executed on the computing platform, cause the computing platform to implement: 
a graph-building tool configured to: 
receive information about the computer system for a plurality of computer system objects (Ladnai: par. 0004, A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files.) and a plurality of relationships between the plurality of computer system objects (Ladnai: par. 0004, When a security event is detected, an event graph may be generated based on these causal relationships among the computing objects.), 
build a first graph including at least two of the plurality of computer system objects as vertices and at least one of the plurality of relationships as edges (Ladnai: par. 0004, When a security event is detected, an event graph may be generated based on these causal relationships among the computing objects; par. 0099, event graph includes event graph may represent information in the data log 322 in a graph where objects 312 are nodes and events 314 are edges connecting the nodes to one another based on causal or other relationships as generally contemplated herein, See also 0141, 0143), 
build a second graph including the at least two of the plurality of computer system objects (Ladnai: par. 0004, When a security event is detected, an event graph may be generated based on these causal relationships among the computing objects), 
build a unified graph based on the first graph and the second graph, wherein the unified graph includes all identical computer system objects shared between the first graph and the second graph (Ladnai: par. 0122, …the event graph is filtered and condensed in a variety of manners to obtain a useful snapshot of events optimized for root cause analytics), and
analysis tool configured to:
determine a characteristic of the computer system based on the unified graph (Ladnai: par. 0157, evaluating the security state of the endpoint based on the event graph, such as by applying a malware detection rule to the event graph.  This may provide useful diagnostic information by comparing the current event graph to one or more graphs for root causes that have been identified as described above, or by comparing the current event graph to other patterns of events that show a causal relationship among computing objects that is suggestive or indicative of malicious activity)
Regarding claim 20, Ladnai teaches the system of claim 19. Ladnai further teaches, wherein the graph-building tool is configured to build an optimized graph based on the unified graph by: 
removing all computer system objects and relationships unrelated to the identical information objects shared between the first graph and the second graph (Ladnai: par. 0122, A variety of filtering techniques may be usefully employed.  For example, certain types of objects or events may be removed from an event graph for specific trigger events, or certain groups of events may be condensed into a single event, such as all normal activity that occurs when a user logs into an endpoint.  Similarly, computing objects that are too remote, either within the event graph or timewise, may be pruned and removed, particularly if they have a known, low diagnostic significance.  Thus, the event graph may be filtered and condensed in a variety of manners to obtain a useful snapshot of events optimized for root cause analytics); and 
determining at least one new relationship between computer system objects that was not present in the first graph or the second graph (Ladnai: par. 0122, A variety of filtering techniques may be usefully employed.  For example, certain types of objects or events may be removed from an event graph for specific trigger events, or certain groups of events may be condensed into a single event, such as all normal activity that occurs when a user logs into an endpoint.  Similarly, computing objects that are too remote, either within the event graph or timewise, may be pruned and removed, particularly if they have a known, low diagnostic significance.  Thus, the event graph may be filtered and condensed in a variety of manners to obtain a useful snapshot of events optimized for root cause analytics).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person.
Claims 1-2, 7-9, 12, 16, and 17 are rejected under 35 U.S.C. 102(a)(2) as being unpatentable over Ladnai et al. (“Ladnai,” US 2017/0300690, published Oct. 19, 2017) in view of Quinlan et al. (“Quinlan,” US 2017/0337375, filed Aug. 8, 2017).
Regarding claim 1, Ladnai teaches a system for detecting malicious activity in a computer system, the system comprising: 
a computing platform including computing hardware of at least one processor and memory operably coupled to the at least one processor (Ladnai: par. 0008); and 
instructions that (Ladnai: par. 0008), when executed on the computing platform, cause the computing platform to implement: 
a gathering tool configured to:
collect information about the computer system for a plurality of computer system objects about the computer system (Ladnai: par. 0004, A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files.), and
determine a plurality of relationships between the plurality of computer system objects (Ladnai: par. 0004, When a security event is detected, an event graph may be generated based on these causal relationships among the computing objects), 
a graph-building tool configured to:
build at least a first intermediate graph (Ladnai: par. 0004, When a security event is detected, an event graph may be generated based on these causal relationships among the computing objects) and a second intermediate graph (Ladnai: par. 0004, When a security event is detected, an event graph may be generated based on these causal relationships among the computing objects) based on the plurality of computer system objects and the plurality of relationships (Ladnai: par. 0004, When a security event is detected, an event graph may be generated based on these causal relationships among the computing objects), wherein the first and second intermediate graphs are formed with the plurality of computer system objects as vertices and the plurality of relationships as edges (Ladnai: par. 0004; par. 0099, event graph includes event graph may represent information in the data log 322 in a graph where objects 312 are nodes and events 314 are edges connecting the nodes to one another based on causal or other relationships as generally contemplated herein, See also 0141, 0143), and
build a final graph based on the at least first and second intermediate graphs (Ladnai: par. 0122, …the event graph is filtered and condensed in a variety of manners to obtain a useful snapshot of events optimized for root cause analytics ), wherein the final graph includes at least one vertex from the first intermediate graph and at least one vertex from the second intermediate graph and at least one edge connecting the at least one vertex from the first intermediate graph and at least one vertex from the second intermediate graph (Ladnai: par. 0122, …the event graph is filtered and condensed in a variety of manners to obtain a useful snapshot of events optimized for root cause analytics), 
a search tool configured to:
select, from a graphs database, at least one preexisting graph similar to the final graph based on a degree of similarity threshold, the at least one preexisting graph that is indicative malicious activity (Ladnai: fig. 3, par. 0084, the data recorder may include a database or data store; par. 0157, evaluating the security state of the endpoint based on the event graph, such as by applying a malware detection rule to the event graph.  This may provide useful diagnostic information by comparing the current event graph to one or more graphs for root causes that have been identified as described above, or by comparing the current event graph to other patterns of events that show a causal relationship among computing objects that is suggestive or indicative of malicious activity),
an analysis tool configured to determine malicious activity based on the at least one preexisting graph (Ladnai: par. 0157, evaluating the security state of the endpoint based on the event graph, such as by applying a malware detection rule to the event graph.  This may provide useful diagnostic information by comparing the current event graph to one or more graphs for root causes that have been identified as described above, or by comparing the current event graph to other patterns of events that show a causal relationship among computing objects that is suggestive or indicative of malicious activity).
Ladnai discloses the at least one preexisting graph that is indicative of malicious activity but does not explicitly disclose the graph being assigned a malicious activity ratio.
However, in an analogous art, Quinlan teaches identifying malware based on relationship between a downloader file and a downloaded file, wherein assigning different malware scores for different files (Quinlan: par. 0015, assigning a low malware score to File X and assigning a high malware score to File Y).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Quinlan with the method and system of Ladnai, wherein the at least one preexisting graph is assigned a malicious activity ratio, to provide users with means for performing an action to counteract the malware, such as blocking the file, preventing the file from being sent to a client device, or sending a message to alert a system administrator that the file is malware, if the security device determines that the file is malware (Quinlan: par. 0013).
Regarding claim 2, the combination of Ladnai and Quinlan teaches the system of claim 1. Ladnai further discloses wherein the plurality of computer system objects are at least one of a file (Ladnai: par. 0004, A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files.), a network packet, a website, a page of random access memory (Ladnai: par. 0004, A data recorder stores endpoint activity on an ongoing basis as sequences of events that causally relate computer objects such as processes and files.), an operating system object, an operating system event, an entry in an operating system log, an entry in an application log, an entry in a master file table (MFT), or an entry in an operating system registry. 
Regarding claim 7, the combination of Ladnai and Quinlan teaches the system of claim 1. Ladnai further discloses wherein the graph-building tool is further configured to optimize the final graph by at least reducing a relationship between computer system objects, eliminating computer system objects having a predefined object characteristic, eliminating relationships having a predefined relationship characteristic, eliminating duplicated relationships, or minimizing a number of intersections between relationship lines (Ladnai: par. 0122, A variety of filtering techniques may be usefully employed.  For example, certain types of objects or events may be removed from an event graph for specific trigger events, or certain groups of events may be condensed into a single event, such as all normal activity that occurs when a user logs into an endpoint.  Similarly, computing objects that are too remote, either within the event graph or timewise, may be pruned and removed, particularly if they have a known, low diagnostic significance.  Thus, the event graph may be filtered and condensed in a variety of manners to obtain a useful snapshot of events optimized for root cause analytics). 
Regarding claim 8, the combination of Ladnai and Quinlan teaches the system of claim 1, Ladnai does not explicitly disclose wherein the graphs database is populated with graphs based on the plurality of computer system objects and known malicious activity (Ladnai: fig. 3, par. 0084, the data recorder may include a database or data store; par. 0157, evaluating the security state of the endpoint based on the event graph, such as by applying a malware detection rule to the event graph.  This may provide useful diagnostic information by comparing the current event graph to one or more graphs for root causes that have been identified as described above, or by comparing the current event graph to other patterns of events that show a causal relationship among computing objects (i.e. a degree of similarity threshold) that is suggestive or indicative of malicious activity).  
Regarding claim 9, the combination of Ladnai and Quinlan teaches the system of claim 1. Ladnai further discloses, wherein the analysis tool is configured to determine malicious activity by analyzing the malicious activity ratio of the at least one preexisting graph and the similarity of the at least one preexisting graph to the final graph (Ladnai: fig. 3, par. 0084, the data recorder may include a database or data store; par. 0157, evaluating the security state of the endpoint based on the event graph, such as by applying a malware detection rule to the event graph.  This may provide useful diagnostic information by comparing the current event graph to one or more graphs for root causes that have been identified as described above, or by comparing the current event graph to other patterns of events that show a causal relationship among computing objects that is suggestive or indicative of malicious activity).
Regarding claim 12
Regarding claim 16, claim 16 is similar in scope to claim 7, and is therefore rejected under similar rationale.
Regarding claim 17, claim 17 is similar in scope to claim 9, and is therefore rejected under similar rationale.
Claims 3 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Ladnai et al. (“Ladnai,” US 2017/0300690, published Oct. 19, 2017) in view of Quinlan et al. (“Quinlan,” SU 2017/0337375, filed Aug. 8, 2017), further in view of Cohen et al. (“Cohen,” US 2017/0132498, published May 11, 2017).
Regarding claim 3, the combination of Ladnai and Quinlan teaches the system of claim 1. Ladnai further discloses wherein the gathering tool is further configured to determine at least one of plurality of relationships between two plurality of computer system objects that a first of the two of the plurality of computer system objects has a logical (Ladnai: par. 0010, performs the steps of instrumenting the endpoint to monitor a number of causal relationships among a number of computing objects at a plurality of logical locations within a computing environment on the endpoint, selecting a set of logical locations from the plurality of logical locations, recording a sequence of events causally relating the number of computing objects at the set of logical locations,..), or functional relationship to a second of the two of the plurality of computer system objects. 
Ladnai does not explicitly disclose determining a degree of reliability of a relationship between two of the plurality of computer system objects as a numerical value characterizing the probability.
(Cohen: par. 0030, determine which structured text (e.g., <flower, red) likely describes that part of the image such as objects, attributes, and relationships there between through calculation of probabilities (i.e., the confidence values) that the structured text describes a same concept as image features in the image).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Cohen with the method and system of Ladnai and Quinlan, wherein determining a degree of reliability of a relationship between two of the plurality of computer system objects as a numerical value characterizing the probability, to provide users with means for achieving high precision semantic image search to learn and use a model to automatically compute a descriptive summarization of an input image without user intervention (Cohen: abstract, pars. 0003, 0004, 0046).
Regarding claim 13, claim 13 is similar in scope to claim 3, and is therefore rejected under similar rationale.
Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Ladnai et al. (“Ladnai,” US 2017/0300690, published Oct. 19, 2017) in view of Quinlan et al. (“Quinlan,” SU 2017/0337375, filed Aug. 8, 2017), further in view of Cohen et al. (“Cohen,” US 2017/0132498, published May 11, 2017), and  Borup et al. (“Borup,”.
Regarding claim 4, the combination of Ladnai, Quinlan, and Cohen teaches the system of claim 3. Ladnai further discloses wherein the gathering tool is further configured to send the information about the computer system for the plurality of computer system objects and the plurality of relationships to the graph-building tool but does not explicitly disclose when the degree of reliability exceeds a reliability threshold value. 
However, in an analogous art, Borup discloses system to prevent export of sensitive data, wherein sending the file to the destination only when probability exceeds a threshold (Borup: par. 0007, probability exceeds a threshold).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Borup with the method and system of Ladnai, Quinlan, and Cohen, wherein the information about the computer system for the plurality of computer system objects and the plurality of relationships is sent to the graph-building tool when the degree of reliability exceeds a reliability threshold value, to provide users with means by which the router system prevents export of sensitive data (Borup: par. 0005).
Claims 5-6 and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Ladnai et al. (“Ladnai,” US 2017/0300690, published Oct. 19, 2017) in view of Quinlan et al. (“Quinlan,” SU 2017/0337375, filed Aug. 8, 2017), further in view of Levy (“Levy,” US 2019/0215329, filed Jan. 8, 2018).
Regarding claim 5, the combination of Ladnai and Quinlan teaches the system of claim 1. Ladnai and Quinlan do not explicitly disclose wherein the plurality of computer 
Ladnai discloses wherein the plurality of computer system objects but does not explicitly disclose selected using a trained choice model, wherein the trained choice model being previously trained by a training sample having a known maliciousness.
However, in an analogous art, Levy discloses malware detection using machine learning, wherein the trained choice model being previously trained by a training sample having a known maliciousness (Levy: par. 0023, the model 130 may be trained using machine learning techniques and a training set based on known samples of malicious code so that the model 130 learns to recognize other code with similar static or behavioral features or attributes as malicious or otherwise unwanted).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Levy with the method and system of Ladnai and Quinlan, wherein selected using a trained choice model, wherein the trained choice model being previously trained by a training sample having a known maliciousness to provide users with means for the third memory can be used to improve performance by providing even higher speed memory physically adjacent to the processor for registers.  The latter filter can usefully reduce the amount of processing required within the machine learning engine by avoiding additional  (Levy: pars. 0002, 0004, 0029, 0044).
Regarding claim 6, the combination of Ladnai and Quinlan teaches the system of claim 5.  Ladnai and Quinlan do not explicitly disclose wherein the instructions executed on the computing platform cause the computing platform to further implement: 
a re-training tool configured to retrain the trained choice model malicious activity by:
 reducing the plurality of computer system objects for which information is collected by the gathering tool from a first instance of the gathering tool to a second instance of the gathering, and 
reducing a resource consumption for the graph-building tool from the first instance of the gathering tool to the second instance of the gathering tool.
However, in an analogous art, Levy discloses malware detection using machine learning, wherein a re-training tool configured to retrain the trained choice model based on the determination of malicious activity by:
reducing the plurality of computer system objects for which information is collected by the gathering tool from a first instance of the gathering tool to a second instance of the gathering tool (Levy: par. 0044, This latter filter 316 may usefully reduce the amount of processing required within the machine learning engine 304 by avoiding additional training of the machine learning engine 304 with samples that can already be detected with the current detection model 302), and
(Levy: par. 0044, This latter filter 316 may usefully reduce the amount of processing required within the machine learning engine 304 by avoiding additional training of the machine learning engine 304 with samples that can already be detected with the current detection model 302). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Levy with the method and system of Ladnai, Quinlan, Cohen, and Borup, wherein a re-training tool configured to retrain the trained choice model based on the determination of malicious activity by:
reducing the plurality of computer system objects for which information is collected by the gathering tool from a first instance of the gathering tool to a second instance of the gathering tool, and 
reducing a resource consumption for the graph-building tool from the first instance of the gathering tool to the second instance of the gathering tool to provide users with means for the third memory can be used to improve performance by providing even higher speed memory physically adjacent to the processor for registers.  The latter filter can usefully reduce the amount of processing required within the machine learning engine by avoiding additional training of the machine learning engine with samples that can already be detected with the current detection model (Levy: pars. 0002, 0004, 0029, 0044)
Regarding claim 14, claim 14 is similar in scope to claim 5, and is therefore rejected under similar rationale.
Regarding claim 15, the combination of Ladnai and Quinlan teaches the method of claim 14. Ladnai does not explicitly disclose: retraining the trained choice model based on the determination of malicious activity by reducing the plurality of computer system objects for which information is collected and reducing a resource consumption.
However, in an analogous art, Levy discloses malware detection using machine learning, wherein retraining the trained choice model based on the determination of malicious activity by reducing the plurality of information objects collected (Levy: par. 0044, This latter filter 316 may usefully reduce the amount of processing required within the machine learning engine 304 by avoiding additional training of the machine learning engine 304 with samples that can already be detected with the current detection model 302) and reducing a resource consumption (Levy: par. 0044, This latter filter 316 may usefully reduce the amount of processing required within the machine learning engine 304 by avoiding additional training of the machine learning engine 304 with samples that can already be detected with the current detection model 302).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Levy with the method and system of Ladnai and Quinlan, wherein retraining the trained choice model based on the determination of malicious activity by reducing the plurality of computer system objects for which information is collected and reducing a resource consumption to provide users with means for the third memory can be used to improve performance by providing even higher speed memory physically adjacent to the processor for registers (Levy: pars. 0002, 0004, 0029, 0044).
Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Ladnai et al. (“Ladnai,” US 2017/0300690, published Oct. 19, 2017) in view of Quinlan et al. (“Quinlan,” SU 2017/0337375, filed Aug. 8, 2017), further in view of Ruvio et al. (“Ruvio,” US 2019/0036946, filed Sep. 18, 2016).
Regarding claim 10, the combination of Ladnai and Quinlan discloses the system of claim 9. Ladnai does not explicitly disclose wherein the malicious activity ratio is calculated according to:
                              
[Equation image (media_image1.png) not reproduced in this text]

wherein w is the malicious activity ratio of the computer system under analysis; 
wj is the malicious activity ratio of a graph j selected from the graphs database; 
c{i,j} is the degree of similarity between a graph i and the graph j selected from the graphs database; 
N is the number of built graphs for the computer system under analysis; and 
M is the number of graphs selected from the graphs database. 
However, in an analogous art, Ruvio discloses systems and methods for detection of malicious activity in vehicle data communication network, wherein the malicious (Ruvio: par. 0129, The malicious activity may be identified based on a probability of the presence of malicious activity according to a probability requirement, for example, a threshold, a range, and/or a function.  For example, malicious activity may be identified when the analysis identifies the presence of malicious activity with a probability of over 70%).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Ruvio with the method and system of Ladnai and Quinlan to provide users with means for the method enables improving malicious activity experience rate and processor performance rate and reducing memory consumption rate and degradation defects in network performance and network bandwidth and storing code instructions in a data storage device so as to improve vehicle performance, thus maintaining a sanitized network (Ruvio: par. 0047).
Claims 11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Ladnai et al. (“Ladnai,” US 2017/0300690, published Oct. 19, 2017) in view of Quinlan et al. (“Quinlan,” SU 2017/0337375, filed Aug. 8, 2017), further in view of Inoue (“Inoue,” US 2017/0300593, published Oct. 19, 2017).
Regarding claim 11, the combination of Ladnai and Quinlan discloses the system of claim 1. Ladnai does not explicitly disclose wherein the first and second intermediate graphs are formed according to a graph diameter less than a specified diameter.
 (Inoue: par. 0033,  The Smax determining section 430 may determine Smax so as to be less than the diameter of the graph.  In general, a larger Smax results in a more accurate estimation by the apparatus 400, while a smaller Smax reduces computation time and memory usage.  If Smax is too small relative to the diameter of the graph, the estimation may not work.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Inoue with the method and system of Ladnai and Quinlan, wherein the first and second intermediate graphs are formed according to a graph diameter less than a specified diameter to provide users with means for optimizing the graph to improve performance of the system, while avoiding a time-consuming calculation of objective function by own by applying or discarding the modification based on the estimated change (Inoue: abstract, pars. 0003, 0025).
Regarding claim 18, claim 18 is similar in scope to claim 11, and is therefore rejected under similar rationale.



Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Canh Le whose telephone number is 571-270-1380. The examiner can normally be reached on Monday to Friday 6:00AM to 3:30PM other Friday off.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  

Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/Canh Le/
Examiner, Art Unit 2439

March 30th 2021 



/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439