DETAILED ACTION
Notice of Pre-AIA or AIA Status
1. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
2. Applicant's arguments filed on 12/09/2020 and the amendments to independent claims 2, 11 and 20 are hereby acknowledged.

3. Applicant argues that the prior art of record does not disclose the amended feature of independent claim 2, which recites, “determining a degree of separation between (i) the node at the network in which the occurrence of the malicious event has been detected, and (ii) a different node at the network, based at least on whether the node and the different node have engaged in direct or indirect data communication; and assigning, to the different node at the network, a particular risk score that is commensurate with whether the different node is infected with malicious code based at least on the determined degree of separation.”

4. Applicant’s arguments with respect to claim 2 have been fully considered but they are not persuasive. The Muddu reference teaches the above claimed limitations in Para: 0175, 0406 and 0414-0415 (see the rejection below).

Double Patenting
5. The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection 

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).

The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based e-Terminal Disclaimer may be filled out completely online using web-screens. An e-Terminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about e-Terminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-l.jsp.
 of U.S. Patent No. 10,530,796. Although the conflicting claims are not identical, they are not patentably distinct from each other because the instant application and the granted patent both claim the same invention. For example, both the instant application and the patent claim “detection of malicious threats through analysis of one or more time series graphs”.

Claims 2, 3, 5, 6, 11, 12, 14, 15 and 20-21 of the instant application 16/724,655:
Claims 1, 8 and 15 of Patent No. 10,530,796:
2. A method for detecting malicious computer network events using graph database analysis, the method comprising:

receiving log data that includes parameters describing activity in a network; generating, based on the parameters, an event graph comprising information about network activity involving a node in the network;

storing the event graph in a graph database of the network in response to generating the event graph based on the parameters;

processing the event graph using a graphics processing unit (“GPU”) that is coupled to the graph database to accelerate graphical analysis of information representing event graphs stored in the graph database; and

detecting an occurrence of a malicious event that involves the node at the network in response to processing the information about the network activity using the GPU coupled to the graph database;

determining a degree of separation between (i) the node at the network in which the occurrence of the malicious event has been detected, and (ii) a different node at the network, based at least on whether the node and the different node have 

assigning, to the different node at the network, a particular risk score that is commensurate with whether the different node is infected with malicious code based at least on the determined degree of separation.

3.  The method of claim 2, wherein the network activity involves multiple distinct nodes in the network and processing the event graph comprises: determining a risk level of the network activity involving the multiple distinct nodes in response to processing the information about the network activity using the GPU coupled to the graph database.


5.  The method of claim 4, comprising: 
generating a node structure based on the respective risk scores for each node of the multiple distinct nodes; and
 based on the node structure, identifying one or more types of ordered-connections that exist between two or more nodes of the multiple distinct nodes.

6.  The method of claim 5, wherein detecting the occurrence of the malicious event comprises:
detecting the occurrence of the malicious event based on: a particular type of ordered-connection that exists between two distinct nodes of the multiple distinct nodes; and the respective risk score for each of the two nodes.

receiving, by a graph analytics module of a data analysis device, log data that includes parameters associated with a computer network event in a computing network; extracting, by a stream analytics engine of the data analysis device, parameters from the log data, wherein one or more parameters are extracted in real-time; generating, by the data analysis device, a network event graph based on parameters extracted from the log data, the network event graph comprising data that describes communications between a plurality of nodes in the computing network; 

storing the network event graph in a graphics processing unit ("GPU") accelerated graph database of the data analysis device; processing a query against the GPU accelerated graph database to obtain risk information from the network event graph about connections that exist between two or more of the nodes; 
identifying, using the GPU accelerated graph database and based on queries directed to the network event graph, a type of ordered-connection that exists 

detecting, using the GPU accelerated graph database and based on the type of ordered-connection, that the other node is a secondary node having a first-order connection to the primary node that indicates the secondary node is affected by a malicious event associated with the computing network; and generating a node structure that (i) includes data describing the malicious event and (ii) depicts risk information about types of ordered-connections that exist between the primary node and two or more other nodes in the computing network.


one or more processing devices; one or more non-transitory machine-readable storage devices storing instructions that are executable by the one or more processing devices to cause performance of operations comprising:

receiving log data that includes parameters describing activity in a network; generating, based 

storing the event graph in a graph database of the network in response to generating the event graph based on the parameters;

processing the event graph using a graphics processing unit (“GPU”) that is coupled to the graph database to accelerate graphical analysis of information representing event graphs stored in the graph database; and

detecting an occurrence of a malicious event that involves the node at the network in response to processing the information about the network activity using the GPU coupled to the graph database;

determining a degree of separation between (i) the node at the network in which the occurrence of the malicious event has been detected, and (ii) a different node at the network, based at least on whether the node and the different node have engaged in direct or indirect data communication; and assigning, to the different node at the network, a particular risk score that is commensurate with whether the different node is infected with malicious code based at least on the determined degree of separation.

12. The system of claim 11, wherein the network activity involves multiple distinct nodes in the network and processing the event graph comprises: determining a risk level of the network activity involving the multiple distinct nodes in response to processing the information about the network activity using the GPU coupled to the graph database.

14. The system of claim 13, the operations comprise: generating a node structure based on the respective risk scores for each node of the multiple distinct nodes; and



15. The system of claim 14, wherein detecting the occurrence of the malicious event comprises:
detecting the occurrence of the malicious event based on: a particular type of ordered-connection that exists between two distinct nodes of the multiple distinct nodes; and the respective risk score for each of the two nodes.




generating, by the data analysis device, a network event graph based on the parameters extracted from the log data, the network event graph comprising data that describes communications between a plurality of nodes in the computing network; 

storing the network event graph in a graphics processing unit ("GPU") accelerated graph database of the data analysis device; processing a query against the GPU accelerated graph database to obtain risk information from the network event graph about connections that exist between two or more of the nodes; 

identifying, using the GPU accelerated graph database and based on queries directed to the network event graph, a type of ordered-connection that exists between a primary node and another node in the computing network; detecting, using the GPU accelerated graph database and based on the type of ordered-connection, that the other node is a secondary node having a first-order connection to the primary node that indicates the secondary node is affected by a malicious event associated with the computing network; 

and generating a node structure that (i) includes data describing the malicious event and (ii) depicts risk information about types of ordered-connections that exist between the primary node and two or more other nodes in the computing network.

20.  A non-transitory machine-readable storage device storing instructions that are executable by a processing device to cause performance of operations comprising:

receiving log data that includes parameters describing activity in a network; generating, based on the parameters, an event graph comprising information about network activity involving a node in the network;

storing the event graph in a graph database of the network in response to generating the event graph based on the parameters;

processing the event graph using a graphics processing unit (“GPU”) that is coupled to the graph database to accelerate graphical analysis of information representing event graphs stored in the graph database; and

detecting an occurrence of a malicious event that involves the node at the network in response to processing the information about the network activity using the GPU coupled to the graph database;

determining a degree of separation between (i) the node at the network in which the occurrence of the malicious event has been detected, and (ii) a different node at the network, based at least on whether the node and the different node have engaged in direct or indirect data communication; 

21. The machine-readable storage device of claim 20, wherein the network activity involves multiple distinct nodes in the network and processing the event graph comprises:

determining a risk level of the network activity involving the multiple distinct nodes in response to processing the information about the network activity using the GPU coupled to the graph database.


receiving, by a graph analytics module of a data analysis device, log data that includes parameters associated with a computer network event in a computing network; extracting, by a stream analytics engine of the data analysis device, parameters from the log data, wherein one or more parameters are extracted in real-time; 

generating, by the data analysis device, a network event graph based on the parameters extracted from the log data, the network event graph comprising data that describes communications between a plurality of nodes in the computing network; storing the network event graph in a graphics processing unit ("GPU") accelerated graph database of the data analysis device; 

processing a query against the GPU accelerated graph database to obtain risk information from the network event graph about connections that exist between two or more of the nodes; identifying, using the GPU accelerated graph database and based on queries directed to the network 

detecting, using the GPU accelerated graph database and based on the type of ordered-connection, that the other node is a secondary node having a first-order connection to the primary node that indicates the secondary node is affected by a malicious event associated with the computing network; and generating a node structure that (i) includes data describing the malicious event and (ii) depicts risk information about types of ordered-connections that exist between the primary node and two or more other nodes in the computing network.



Claim Rejections - 35 USC § 102
7. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


8. Claim(s) 2-21 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Muddu (US Pub. No. 2017/0063886).

9. Regarding claims 2, 11 and 20, Muddu teaches a method, a system and a non-transitory machine-readable storage device storing instructions that perform operations for detecting malicious computer network events using graph database analysis, the method comprising: receiving log data that includes parameters describing activity in a network (Fig. 6 and Para: 0182 teaches that the security platform 300 can detect anomalies and threats by determining behavior baselines of various entities that are part of, or that interact with, a network, such as 

generating, based on the parameters, an event graph comprising information about network activity involving a node in the network; storing the event graph in a graph database of the network in response to generating the event graph based on the parameters (Figs. 63-64 and Para: 0568 teach a machine learning model that detects lateral movement in a computer network. The computer network includes entities, such as devices and network devices. The machine learning model 6300 analyzes event data 6310. The event data 6310 can be, e.g., timestamped machine data. The event data include information regarding the computer network activities of the users and network devices. For example, the event data includes a projection of the security graph [event graph herein]. The particular projection of the security graph (also referred to as "login projection" or "login graph") records the information that relates to login events [network activity] in which the users log into the network devices in the computer network);


Para: 0178-0179 teach storing the anomalies (e.g., including event data representing an anomalous event and any associated information) in the database 378. The same anomalies may also be stored in the time series database 370. The anomalies may also be stored in the graph database 374 in the form of anomaly nodes in a graph or graphs; specifically, after an event is determined to be anomalous);

determining a degree of separation between (i) the node at the network in which the occurrence of the malicious event has been detected, and (ii) a different node at the network, based at least on whether the node and the different node have engaged in direct or indirect data communication (Para: 0175 teaches that a security graph is generated that represents the relationships between entities in the network and any anomalies identified. For example, the 
Figs. 35-38 and Para: 0406 teach storing and analyzing the security data structure (e.g., a graph including nodes and edges) for identifying security threats in a computer network. The nodes represent entities in or associated with the computer network, such as users, devices, applications, and anomalies. The edges [which are the degree of separation herein], which connect nodes, represent the relationships between the entities. Muddu generates a composite relationship graph that includes nodes which represent the anomalies and edges which represent relationships between anomalies and other entities involved in the events, i.e., it detects which nodes have engaged in direct or indirect data communication with the anomaly node.
Fig.36 and Para: 0414-0415 teaches creating a composite relationship graph. The composite relationship graph 3600 includes a number of nodes U1 through U11 that represent users (also referred to as "user nodes") and a number of nodes IP1 through IP7 that represent network devices (also referred to as "device nodes"). The composite relationship graph 3600 further includes a number of nodes I1 through I4 that represent anomalies (also referred to as "anomaly nodes"). For example, anomaly node I1 suggests that a user represented by node U5 has engaged in certain suspicious activity with, or in relation to, the device represented by node IP3. In graph 3600 there are three anomaly nodes I1, I2 and I4 connected to the same device node IP3. These anomaly nodes will be indicative of a security threat involving the device IP3. The anomaly nodes I1, I2 and I4 also connect to the user nodes U4, U5 and U7 and device node IP5. This may indicate that users U4, U5 and U7 are suspicious, meaning these users can potentially be malicious users who engage in or will engage in activities detrimental to the security of the computer network. For example, users U4, U5 and U7 may be invaders who have breached network devices with malicious intentions. Thus, a decision engine (e.g., including a machine learning model) can identify a security threat represented by a group of 

and assigning, to the different node at the network, a particular risk score that is commensurate with whether the different node is infected with malicious code based at least on the determined degree of separation (Fig. 64 and Para: 0579-0581 teach calculating an anomaly score [risk score herein] for a particular user and deciding whether an anomaly is detected based on the anomaly score. The anomaly score indicates a likelihood that the anomaly relates to a security threat [malicious code]. The anomaly score can be calculated based on, for example, the difference between a similarity score of the particular network device and a statistical measure (e.g., an average) of similarity scores of other devices with which the user has interacted [i.e., how the nodes or entities are interconnected or linked together, which is the determined degree of separation herein]. The machine learning model 6300 then detects the anomaly if the model determines that the anomaly score exceeds a threshold value for anomaly scores. For example, the similarity score of the network device 6424 is 0.06, and the average similarity score of network devices 6422 and 6423 is 0.315. The difference between the similarity scores is 0.255. The machine learning model calculates the anomaly score as, e.g., 0.355, by summing the similarity score difference of 0.255 and an extra weight of 0.1 in recognition that the network device 6424 is a server of high importance. Because the anomaly score of 0.355 exceeds a threshold of 0.3, the machine learning model 6300 detects an anomaly).

10. Regarding claims 3, 12 and 21, Muddu teaches the method, the system and the non-transitory machine-readable storage device, wherein the network activity involves multiple distinct nodes in the network and processing the event graph comprises: determining a risk level of the network activity involving the multiple distinct nodes in response to processing the information about the network activity using the GPU coupled to the graph database (Figs. 63-64 and Para: 0568 
Figs. 39-51, Para: 0140 and Para: 0442 teach that the security platform can detect anomalies and threats produced by a user, a device, or an application, regardless of whether the entity that causes the anomalies or threats is from outside or inside the organization's network. The security platform can include a graphical user interface (GUI), which is processed by a GPU for display and which can create visualizations of the detected anomalies and threats within an organization, and map the threats across an attack kill-chain in a visual way.
Para: 0175 and Para: 0225 teach that the security graph that is generated represents the relationships between entities in the network and any anomalies identified. For example, the security graph maps out the interactions between users, including information regarding which devices are involved, who or what is talking to whom/what, when and how interactions occur, which nodes or entities are anomalous, and the like.
Para: 0178-0179 teach storing the anomalies (e.g., including event data representing an anomalous event and any associated information) in the database 378. The same anomalies may also be stored in the time series database 370. The anomalies may also be stored in the graph database 374 in the form of anomaly nodes in a graph or graphs; specifically, after an event is determined to be anomalous.
Fig. 64 and Para: 0579-0581 teach that the machine learning model calculates an anomaly score [risk score] for the network entities/devices. If the anomaly score exceeds a threshold [risk level herein], the machine learning model detects an anomaly).

11. Regarding claims 4 and 13, Muddu teaches the method and the system, wherein determining the risk level of the network activity comprises: generating a respective risk score for each node 
Para: 0175 and Para: 0225 teach that the security graph that is generated represents the relationships between entities in the network and any anomalies identified. For example, the security graph maps out the interactions between users, including information regarding which devices are involved, who or what is talking to whom/what, when and how interactions occur, which nodes or entities are anomalous, and the like.
Figs. 63-64 and Para: 0579-0581 teach that the machine learning model 6300 can calculate an anomaly score for a particular user and decide whether an anomaly is detected based on the anomaly score. The anomaly score indicates a likelihood that the anomaly relates to a security threat. The anomaly score can be calculated based on, for example, the difference between a similarity score of the particular network device and a statistical measure (e.g., an average) of similarity scores of other devices with which the user has interacted. The machine learning model 6300 then detects the anomaly if the model determines that the anomaly score [risk score] exceeds a threshold value [risk level]. For example, in Fig. 64 the similarity score of the network device 6424 is 0.06, and the average similarity score of network devices 6422 and 6423 is 0.315. The difference between the similarity scores is 0.255. The machine learning model calculates the anomaly score as, e.g., 0.355, by summing the similarity score difference of 0.255 and an extra weight of 0.1 in recognition that the network device 6424 is a server of 

12. Regarding claims 5 and 14, Muddu teaches the method and the system, comprising: generating a node structure based on the respective risk scores for each node of the multiple distinct nodes (Figs. 35-38 and Para: 0406 teach generating and analyzing a security data structure (e.g., a graph including nodes and edges) [node structure herein] for identifying security threats in a computer network. The nodes represent entities in or associated with the computer network, such as users, devices, applications, and anomalies. The edges, which connect nodes, represent the relationships between the entities.
Para: 0579-0580 teach that the machine learning model calculates an anomaly score [risk score] for the network entities/devices. If the anomaly score exceeds a threshold [risk level], the machine learning model detects an anomaly. The anomaly score indicates a likelihood that the anomaly relates to a security threat. The anomaly score can be calculated based on, for example, the difference between a similarity score of the particular network device and a statistical measure (e.g., an average) of similarity scores of other devices with which the user has interacted. The machine learning model 6300 then detects the anomaly if the model determines that the anomaly score exceeds a threshold value for anomaly scores. For example, in Fig. 64 the similarity score of the network device 6424 is 0.06, and the average similarity score of network devices 6422 and 6423 is 0.315. The difference between the similarity scores is 0.255. The machine learning model calculates the anomaly score as, e.g., 0.355, by summing the similarity score difference of 0.255 and an extra weight of 0.1 in recognition that the network device 6424 is a server of high importance. Because the anomaly score of 0.355 exceeds a threshold of 0.3, the machine learning model 6300 detects an anomaly),

and based on the node structure, identifying one or more types of ordered-connections that exist between two or more nodes of the multiple distinct nodes (Para: 0670 teaches that the anomaly detection module further analyzes the group to determine if the machine-generated traffic includes benign traffic or anomalous traffic. The anomaly detection module extracts beacon data from the machine-generated traffic. The beacon data can include parameters such as destination IP addresses of the connection requests in the group, destination port(s), and, if the connection request is an HTTP request [which is the type of ordered-connection herein], the beacon data can also include a type of the connection request, e.g., a GET or POST, and the URI of the destination. The anomaly detection module compares the beacon data with any of the known group types (also referred to as "beacon types") that are identified as likely to be anomalous to determine whether the machine-generated traffic is anomalous).

13. Regarding claims 6 and 15, Muddu teaches the method and the system, wherein detecting the occurrence of the malicious event comprises: detecting the occurrence of the malicious event based on: a particular type of ordered-connection that exists between two distinct nodes of the multiple distinct nodes (Para: 0670 teaches that the anomaly detection module further analyzes the group of users or devices to determine if the machine-generated traffic includes benign traffic or anomalous traffic. The anomaly detection module extracts beacon data from the machine-generated traffic. The beacon data can include parameters such as destination IP addresses of the connection requests in the group, destination port(s), and, if the connection request is an HTTP request [which is the type of ordered-connection herein], the beacon data can also include a type of the connection request, e.g., a GET or POST, and the URI of the destination. The anomaly detection module compares the beacon data with any of the known group types (also referred to as "beacon types") that are identified as likely to be anomalous to determine whether the machine-generated traffic is anomalous);

and the respective risk score for each of the two nodes (Para: 0579-0580 teach that the machine learning model 6300 can calculate an anomaly score for each particular user and decide whether an anomaly is detected based on the anomaly score [risk score]. The anomaly score indicates a likelihood that the anomaly relates to a security threat. The anomaly score can be calculated based on, for example, the difference between a similarity score of the particular network device and a statistical measure (e.g., an average) of similarity scores of other devices with which the user has interacted. The machine learning model 6300 then detects the anomaly if the model determines that the anomaly score exceeds a threshold value for anomaly scores. For example, in Fig. 64 the similarity score of the network device 6424 is 0.06, and the average similarity score of network devices 6422 and 6423 is 0.315. The difference between the similarity scores is 0.255. The machine learning model calculates the anomaly score as, e.g., 0.355, by summing the similarity score difference of 0.255 and an extra weight of 0.1 in recognition that the network device 6424 is a server of high importance. Because the anomaly score of 0.355 exceeds a threshold of 0.3, the machine learning model 6300 detects an anomaly).
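The degree-of-separation and anomaly-score reasoning applied to the claims in items 9 through 13 above, as an added illustration that is not part of this Office action, the instant application or Muddu's publication: it builds an event graph from constructed log records, computes each node's hop distance from the node where a malicious event was detected, assigns a risk score that decays with that distance (an assumed scoring rule, not one the claims or Muddu specify), and reproduces the Fig. 64 anomaly-score arithmetic quoted from Muddu (0.06 device similarity, 0.315 peer average, 0.1 importance weight, 0.3 threshold). Host names, edges and the two individual peer similarity values are constructed sample data.

```python
"""Added example: degree-of-separation risk propagation over an event graph,
plus the anomaly-score arithmetic the rejection quotes from Muddu's Fig. 64.
Not code from the Office action, the application or Muddu; all node names,
edges and peer similarity values are constructed sample data."""
from collections import deque
from statistics import mean
from typing import Dict, Iterable, List, Tuple

# Constructed "log data describing activity in a network": (source, destination)
# pairs. Host names are made up for this example.
SAMPLE_LOG: List[Tuple[str, str]] = [
    ("ws-01", "fileserver"),
    ("ws-02", "fileserver"),
    ("ws-02", "db-01"),
    ("db-01", "backup"),
    ("ws-03", "printer"),  # never talks to the detected node's component
]


def build_event_graph(log: Iterable[Tuple[str, str]]) -> Dict[str, set]:
    """Undirected adjacency list: an edge means the two nodes exchanged data."""
    graph: Dict[str, set] = {}
    for src, dst in log:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set()).add(src)
    return graph


def degrees_of_separation(graph: Dict[str, set], start: str) -> Dict[str, int]:
    """BFS hop count from the node where the malicious event was detected.
    1 = direct communication, >1 = indirect via intermediaries; nodes that
    never communicated directly or indirectly are absent from the result."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nbr in graph.get(node, ()):
            if nbr not in dist:
                dist[nbr] = dist[node] + 1
                queue.append(nbr)
    return dist


def assign_risk_scores(graph: Dict[str, set], detected_node: str,
                       decay: float = 0.5) -> Dict[str, float]:
    """Risk score commensurate with degree of separation. Assumed rule:
    geometric decay per hop; nodes with no communication path score 0.0."""
    dist = degrees_of_separation(graph, detected_node)
    return {node: (decay ** dist[node] if node in dist else 0.0) for node in graph}


def anomaly_score(device_similarity: float, peer_similarities: List[float],
                  extra_weight: float = 0.0) -> float:
    """Muddu-style score as quoted in the rejection: the difference between a
    statistical measure (average) of peer similarity scores and the device's
    own similarity score, plus an optional importance weight."""
    return (mean(peer_similarities) - device_similarity) + extra_weight


def is_anomalous(score: float, threshold: float = 0.3) -> bool:
    """Anomaly is detected when the score exceeds the threshold."""
    return score > threshold


if __name__ == "__main__":
    g = build_event_graph(SAMPLE_LOG)
    for node, score in sorted(assign_risk_scores(g, "fileserver").items()):
        print(f"{node:<12} risk={score:.3f}")
    # Fig. 64 values from the rejection: device similarity 0.06, peer average
    # 0.315, importance weight 0.1 -> 0.355 > 0.3. The two peer values are
    # constructed so that they average to the quoted 0.315.
    s = anomaly_score(0.06, [0.30, 0.33], extra_weight=0.1)
    print(f"anomaly score {s:.3f} -> {'anomaly' if is_anomalous(s) else 'normal'}")
```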

14. Regarding claims 7 and 16, Muddu teaches the method and the system, comprising: structuring the log data in a graphical format in response to determining that the parameters in the log data have a data format that conflicts with a graphical data format of the graph database; and providing a data stream of parameters to the graph database in response to extracting the parameters from the log data as part of structuring the log data (Fig. 6 and Para: 0182 and Para: 0184-0186 teach that the security platform 300 can create a behavior baseline for any type of entity (for example, a user, a group of users, a device, a group of devices, an application, and/or a group of applications). The activities of server 606 are monitored and a baseline profile 616 specific for the server 606 is generated over time, based on event data indicative of network 

15. Regarding claims 8 and 17, Muddu teaches the method and the system, wherein storing the event graph in the graph database comprises: storing the event graph as a graphical data structure configured for accelerated processing by the GPU coupled to the graph database, in response to structuring the log data in the graphical format (Figs. 63-64 and Para: 0568 teaches 
Figs. 39-51, Para: 0140 and Para: 0440-0441 teach that the security platform can detect anomalies and threats produced by a user, a device, or an application, regardless of whether the entity that causes the anomalies or threats is from outside or inside the organization's network. The security platform can include a graphical user interface, which is processed by a GPU for display and which can create visualizations of the detected anomalies and threats within an organization, and map the threats across an attack kill-chain in a visual way.
Para: 0175 and Para: 0225 teach that the security graph that is generated represents the relationships between entities in the network and any anomalies identified. For example, the security graph maps out the interactions between users, including information regarding which devices are involved, who or what is talking to whom/what, when and how interactions occur, which nodes or entities are anomalous, and the like.
Para: 0178-0179 teach storing the anomalies (e.g., including event data representing an anomalous event and any associated information) in the database 378. The same anomalies may also be stored in the time series database 370. The anomalies may also be stored in the graph database 374 in the form of anomaly nodes in a graph or graphs; specifically, after an event is determined to be anomalous).

16. Regarding claims 9, 18 Muddu teaches the method and the system, wherein structuring the log data comprises: using a stream analytics engine to apply an extraction function to a subset of the log data to extract the parameters from the subset of the log data; and processing, by an intermediate storage device, the parameters extracted from the subset of the log data for conversion to a graphical file format that is accepted by the graph database in response to 
Para: 0182 and Para: 0184-0186 teaches the security platform can create a behavior baseline for any type of entity (for example, a user, a group of users, a device, a group of devices, an application, and/or a group of applications). The activities of server 606 are monitored and a baseline profile 616 specific for the server 606 is generated over time, based on event data indicative of network activities of server 606. Baseline profiles can be continuously updated (whether in real-time as event data streams in, or in batch according to a predefined schedule) in response to received event data, i.e., they can be updated dynamically and/or adaptively based on event data. If the human user 604 begins to access source code server 610 more frequently in support of his work, for example, and his accessing of source code server 610 has been judged to be legitimate by the security platform 300 or a network security administrator (i.e., the anomalies/threats detected upon behavior change have been resolved and deemed to be legitimate activities), his baseline profile 614 is updated to reflect the updated "normal" behavior for the human user 604. The anomalies and threats are detected by comparing incoming event data (e.g., a series of events) against the baseline profile [graph database] for an entity to which the event data relates (e.g., a user, an application, a network node or group of nodes, a software system, data files, etc.). If the variation is more than insignificant, the threshold for which will be dynamically or statically defined, an anomaly will be considered to be detected. The comparison will be based on any of various techniques, for example, time-series analysis (e.g., number of log-ins per hour such as successful logins or unsuccessful logins per hour [which are the parameters herein]), machine learning, or graphical analysis (e.g., in the case of security graphs or security graph projections). Figs. 35-38 and Para: 

17. Regarding claims 10, 19 Muddu teaches the method and the system, wherein processing the event graph comprises: processing, at the graph database, a plurality of event graphs stored in the graph database by using the GPU to accelerate graphical analysis of information representing each event graph of the plurality of event graphs (Figs. 39-51, Para: 00140 and Para: 0440-0441 teaches the security platform can detect anomalies and threats produced by a user, a device, or an application, regardless of whether the entity that causes the anomalies or threats is from outside or inside the organization's network. The security platform can include a graphical user interface, which is processed by a GPU for display that can create visualizations of the detected anomalies and threats within an organization, and map the threats across an attack kill-chain in a visual way. 
Figs. 35-38 and Para: 0406 teaches storing and analyzing a security data structure (e.g., a graph including nodes and edges) for identifying security threats in a computer network. The nodes represent entities in or associated with the computer network, such as users, devices, applications, and anomalies. The edges, which connect nodes, represent the relationships between the entities. An ETL process generates event-specific graph data structures (also referred to as "mini-graphs" or "relationship graphs") corresponding to events that have occurred in the computer network. Anomalies are detected based on the mini-graphs and combined with the mini-graphs to generate the composite relationship graph, which may also be called an "enterprise security graph" to the extent it may relate to a network of a particular enterprise (e.g., a corporation, educational institution, government agency, etc.).

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEREENA T CATTUNGAL whose telephone number is (571)270-0506.  The examiner can normally be reached on Mon-Fri: 7:30 AM-5 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

/DEREENA T CATTUNGAL/Examiner, Art Unit 2431