DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 03/25/2021 has been entered.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 04/07/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Response to Amendment
Claims 1-5, 8-13, 16-21 and 23 have been amended and claims 6-7, 14-15 and 22 have been cancelled. Claims 1-5, 8-13, 16-21 and 23 are currently pending. 

Response to Arguments
Applicant’s arguments with respect to claim 1 has been considered but are moot in view of new grounds of rejections. Applicant’s remaining arguments are based on Applicant's arguments against claim 1.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 9 and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over MASHEVSKY et al., US-20110083180-A1 (hereinafter “MASHEVSKY ‘180”; provided by IDS dated 07/12/2019) in view of Goddard, US-20050086530-A1 (hereinafter “Goddard ‘530”).
Per claim 1 (independent):
MASHEVSKY ‘180 discloses: A security service system for identifying a suspicious activity, the security service comprising: one or more processors; and memory coupled to the one or more processors, the memory including a plurality of modules communicatively coupled to each other and executable by the one or more processors, the plurality of modules comprising: a data module configured to store known patterns, the known patterns including known suspicious activity patterns and known indicators of attack (IoAs) ([0003], “related to anti-malware technology, and more particularly, to detection of unknown malware threats based on real-time automatic event and analysis of behavioral patterns of objects”; FIG. 1, [0042], “the incoming information regarding various events and file metadata … is filtered using the information stored in WL and BL knowledge databases (step 101) … checks both WL and BL for the presence of any data regarding the incoming event information and object information, and filters out the known event information and object information.” where known event and object information is filtered out using the information (activity patterns; IoAs) stored in WL and BL knowledge databases.);
a monitoring module configured to receive monitored data in a process running on a monitored computing device ([0012], “for detection of previously unknown malware, the method comprising: (a) receiving event information and file metadata from a remote computer”); 
an identification module configured to identify one or more suspicious activity patterns based on a comparison between the received monitored data and the known patterns ([0012], “(b) identifying whether the event information or the file metadata is indicative of the known malware, indicative of the unknown malware, or indicative of malware absence”; [0042], “the incoming information regarding various events and file metadata … is filtered using the information stored in WL and BL knowledge databases (step 101).”);
MASHEVSKY ‘180 does not disclose but Goddard ‘530 discloses: an administrative status module configured to determine an administrative status of a user associated with the process running on the monitored computing device (FIG. 3, [0020], “evaluating an extent of sensitivity of the customer which uses the application or which the application serves … lowering the probability of a malicious user accessing the application … an application used by a systems administrator to automate administration of a system would be hidden from the customer, and therefore have a lower sensitivity” where an extent of sensitivity of a customer (user) who uses an application (process) is to be evaluated 
wherein the identification module is further configured to identify the one or more suspicious activity patterns based, in part, on a weight factor associated with the administrative status of the user indicative of types of processes that the user of the administrative status is likely to run (FIG. 3, [0023], “a determination is made whether at least one customer has direct access to the application (step 303). If so, a value of "one" is added to the score (step 306) … a determination is made whether the application is shared by two or more customers (decision 308). If so, a value of "six" is added to the score (step 310) … a determination is made whether any of the customers or users of the application have high importance (decision 314). If so, a value of "three" is added to the score (step 316)” where different values varying based on a user (administrative) status, such as a customer who has a direct access or high importance in regard to an application, and also a type of application which may be shared or not, are added (weighted) to the score for determining the scoring for customer sensitivity).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified MASHEVSKY ‘180 with the customer sensitivity by considering a user (administrative) status and a type of application as taught by Goddard ‘530 because it would evaluate a security risk of an application in an intelligent way by adaptively considering a plurality of aspects associated with users and related applications.

Per claim 9 (independent):
The limitations of the claim(s) correspond(s) to features of claim 1 and the claim(s) is/are rejected for the reasons detailed with respect to claim 1.

Per claim 18 (independent):
The limitations of the claim(s) correspond(s) to features of claim 1 and the claim(s) is/are rejected for the reasons detailed with respect to claim 1.

Claim(s) 2-4, 10-12 and 19-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over MASHEVSKY ‘180 in view of Goddard ‘530 and Chen et al., US-20160330226-A1 (hereinafter “Chen ‘226”; provided by IDS dated 07/12/2019).
Per claim 2 (dependent on claim 1):
MASHEVSKY ‘180 in view of Goddard ‘530 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
MASHEVSKY ‘180 in view of Goddard ‘530 does not disclose but Chen ‘226 discloses: The security service system of claim 1, wherein: the plurality of modules further comprises a determination module configured to determine an ancestry level of an ancestry command and to determine whether the ancestry level of the ancestry command is different from an expected ancestry level of the ancestry command for a trigger command ([0008], “a graph comprising vertices that represent system entities and edges that represent events between respective system entities. Each edge has one or more timestamps corresponding respective events between two system entities”; [0019], “provide complete evidence of an attacker's activity trace (i.e., the process path) after an attack has occurred”; [0030], “The graph model is represented as a directed graph G=(V, E, T), where T is a set of timestamps,                         
                            E
                            ⊂
                            V
                            ×
                            V
                            ×
                            T
                        
                     is the set of edges, and                         
                            V
                            =
                            F
                            ⋃
                            P
                            ⋃
                            U
                            ⋃
                            S
                        
                     is the set of vertices, where F is the set of files … P is the set of processes … For a specific edge (v,, vj) in E, T(v,, vj) denotes the set of timestamps on the edge”; FIG. 4, [0036], “A candidate path is determined to be suspicious by block 408 if, in the path, the involved entities behave differently from their normal roles … From G, an NxN square transition matrix A is calculated as:

    PNG
    media_image1.png
    89
    291
    media_image1.png
    Greyscale

A[i][j] denotes the probability that the information flows from vi to vJ in G”; [0042], “the anomaly score for the path is calculated as:

    PNG
    media_image2.png
    111
    271
    media_image2.png
    Greyscale

”; [0027], “block 408 calculates an anomaly score of each candidate process to evaluate how abnormal the process is … there may be multiple different sequence patterns of different lengths … Block 410 measures the deviation between the suspicious sequences and the normal sequences, reporting those sequences that have a higher-than-threshold deviation ” where a specific edge                         
                            
                                
                                    
                                        
                                            v
                                        
                                        
                                            i
                                        
                                    
                                    ,
                                    
                                        
                                            v
                                        
                                        
                                            j
                                        
                                    
                                
                            
                        
                     of E tagged with timestamps                         
                            T
                            
                                
                                    
                                        
                                            v
                                        
                                        
                                            i
                                        
                                    
                                    ,
                                    
                                        
                                            v
                                        
                                        
                                            j
                                        
                                    
                                
                            
                        
                     for each ith and jth node represents activities to be traced between system entities (i.e. processes or files) in the graph model G. The node i, j is associated with an ancestry level on which a system entity such as a process (ancestry command) is executed, which is presented by the edge                         
                            
                                
                                    
                                        
                                            v
                                        
                                        
                                            i
                                        
                                    
                                    ,
                                    
                                        
                                            v
                                        
                                        
                                            j
                                        
                                    
                                
                            
                        
                    . Since the edge is marked with the timestamps, an edge                         
                            
                                
                                    
                                        
                                            v
                                        
                                        
                                            i
                                        
                                    
                                    ,
                                    
                                        
                                            v
                                        
                                        
                                            j
                                        
                                    
                                
                            
                        
                     that occurs lastly in terms of the timestamps when an attack happens can be a trigger command. Thus, the matrix A is calculated from the graph model G in order to obtain an anomaly score. Based on the scores, a deviation between the suspicious sequences and the normal sequences are measured to report those sequences that have a higher-than-threshold deviation, i.e., determining how much the ancestry level of the ancestry command (of the suspicious sequences) is different than the expected ancestry level of the ancestry command (of the normal sequences).)
the identification module is further configured to identify the trigger command in the process running on the monitored computing device and identify the ancestry command associated with the trigger command (FIG. 2, [0046], “user invokes a browser and downloads an executable file Tubecodec934.exe … Upon execution, Tubecodec934.exe downloads several other files … In this case, Tubecodec934.exe. is a "parent" to five files … which are the "children" files of Tube­codec934.exe. The system proceeds to perform real time risk analysis and risk assessment, which includes construction of a "parent-child" hierarchy based on the invocation sequence of the files … performing the analysis of these files in order to assess a level of danger associated with these files. In order to detect the unknown threats represented by "parents" and "children", the system builds a graph representation” where once an user downloads the parent “Tubecodec934.exe” which is to run on the system, which may invoke a sequence of other files, i.e., the “children” files of the parent file. If a trigger command associated with the “parent-child” hierarchy is detected based on the database, the system would backtrack by building a graph presentation until it reaches a parent process.);
the data module is further configured to store information associated with the trigger command, the ancestry command, and the ancestry level of the ancestry command as a new suspicious activity pattern ([0044], “Based on the analysis of the DS-graph, the system decides if malware event or object has been detected. If a malicious object or event has been encountered, of if it has been determined that it is the case with a high degree of certainty, the BL is updated with the information on this previously unknown threat in step 105A. However, if the event information or object information are determined to be benign, the system updates the WL accordingly in step 105B” [Emphasis added]).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified MASHEVSKY ‘180 in view of Goddard ‘530 with the comparison of anomaly scores to the one of normal sequences by measuring the deviation between 

Per claim 3 (dependent on claim 2):
MASHEVSKY ‘180 in view of Goddard ‘530 and Chen ‘226 discloses the elements detailed in the rejection of claim 2 above, incorporated herein by reference.
MASHEVSKY ‘180 discloses: The security service system of claim 2, wherein: the trigger command is a trigger command of a plurality of preselected trigger commands, and the ancestry command is an ancestry command of a plurality of preselected ancestry commands associated with the trigger command ([0047], “Once the graph is built, the system calculates for every "parent" a so-called X-factor. The X-factor defines the level of danger of a given "parent" and is based on the data about its "children". The X-factor shows to what type of programs a given object tends: for example, to the file managers or to a Trojan-dropper, to browsers and legitimate downloads or to a Trojan-downloader” [Emphasis added.]; [0053], “The parameter "Danger" is calculated based on the so-called decision tree of weight coefficients, the majority of which dynamically changes depending on the accumulated information in the knowledge database.” [Emphasis added.] where the parameter Danger is calculated based on the decision tree of weight coefficients, relying upon the information in the knowledge database that includes a list of (preselected) source of software (commands), or the type of the software. Furthermore, the X-factor describes that a type of a trigger command at each object can be chosen among a plurality of trigger commands.).

Per claim 4 (dependent on claim 3):

MASHEVSKY ‘180 discloses: The security service system of claim 3, wherein the plurality of preselected ancestry commands is associated with the trigger command for (FIG. 2, [0046], “user invokes a browser and downloads an executable file Tubecodec934.exe … Upon execution, Tubecodec934.exe downloads several other files … In this case, Tubecodec934.exe. is a "parent" to five files: Svch0st.exe, Ntkrnl.dll, Calc.exe, 1.exe and Hosts.vbs, which are the "children" files of Tube­codec934.exe. The system proceeds to perform real time risk analysis and risk assessment, which includes construction of a "parent-child" hierarchy based on the invocation sequence of the files … performing the analysis of these files in order to assess a level of danger associated with these files. In order to detect the unknown threats represented by "parents" and "children", the system builds a graph representation analogous to the one shown in FIG. 2” [Emphasis added.] where there are a number of preselected parents (commands) starting from the children file “Protect.sys” (trigger command) to the parent “Tubecodec934.exe” (oldest ancestry command).Thus, a level of danger is assessed based on this information.).
MASHEVSKY ‘180 in view of Goddard ‘530 does not disclose but Chen ‘226 discloses: the expected ancestry level is measured based on the event sequences and associated patterns (FIG. 4, [0025], “A blueprint graph is used as input. The blueprint graph is a heterogeneous graph constructed from a historical dataset of communications in a network, with nodes of the blueprint graph representing physical devices on an enterprise network and edges reflecting the normal communication patterns among the nodes. Block 402 performs graph modeling” [Emphasis added.]; [0026], “Block 406 then scans the graph to determine candidate event sequences that is consistent with the patterns. A "pattern" refers to an ordered set of system entity types, while a "sequence" refers to an ordered set of specific system entities.” [Emphasis added.]; [0027], “block 408 calculates an anomaly score of each candidate process to evaluate how abnormal the process is. As there may be multiple different sequence patterns of different length … Block 410 measures the deviation between the suspicious sequences and the normal sequences, reporting those sequences that have a higher-than-threshold deviation” [Emphasis added.] where the anomaly score (ancestry level) of each event sequence is measured by using the set of system entities (e.g., processes, files, etc.) and patterns, which may be multiple different sequence patterns of different length.).

Per claim 10 (dependent on claim 9):
MASHEVSKY ‘180 in view of Goddard ‘530 discloses the elements detailed in the rejection of claim 9 above, incorporated herein by reference.
The limitations of the claim(s) correspond(s) to features of claim 2 and the claim(s) is/are rejected for the reasons detailed with respect to claim 2.

Per claim 11 (dependent on claim 10):
MASHEVSKY ‘180 in view of Goddard ‘530 and Chen ‘226 discloses the elements detailed in the rejection of claim 10 above, incorporated herein by reference.
The limitations of the claim(s) correspond(s) to features of claim 3 and the claim(s) is/are rejected for the reasons detailed with respect to claim 3.

Per claim 12 (dependent on claim 11):
MASHEVSKY ‘180 in view of Goddard ‘530 and Chen ‘226 discloses the elements detailed in the rejection of claim 11 above, incorporated herein by reference.
The limitations of the claim(s) correspond(s) to features of claim 4 and the claim(s) is/are rejected for the reasons detailed with respect to claim 4.

Per claim 19 (dependent on claim 18):
MASHEVSKY ‘180 in view of Goddard ‘530 discloses the elements detailed in the rejection of claim 18 above, incorporated herein by reference.
The limitations of the claim(s) correspond(s) to features of claim 2 and the claim(s) is/are rejected for the reasons detailed with respect to claim 2.

Per claim 20 (dependent on claim 19):
MASHEVSKY ‘180 in view of Goddard ‘530 and Chen ‘226 discloses the elements detailed in the rejection of claim 19 above, incorporated herein by reference.
The limitations of the claim(s) correspond(s) to features of claim 3 and the claim(s) is/are rejected for the reasons detailed with respect to claim 3.
	
Claim(s) 5, 8, 13, 16-17, 21 and 23 is/are rejected under 35 U.S.C. 103 as being unpatentable over MASHEVSKY ‘180 in view of Goddard ‘530 and Chen ‘226 and Li et al., US-20160105454-A1 (hereinafter “Li ‘454”; provided by IDS dated 07/12/2019).
Per claim 5 (dependent on claim 4):
MASHEVSKY ‘180 in view of Goddard ‘530 and Chen ‘226 discloses the elements detailed in the rejection of claim 4 above, incorporated herein by reference.
MASHEVSKY ‘180 in view of Goddard ‘530 and Chen ‘226 does not disclose but Li ‘454 discloses: The security service system of claim 4, wherein the plurality of the preselected ancestry commands is different from a plurality of preselected ancestry commands for a second ancestry level that is associated with the trigger command and that is different from the expected ancestry level (FIG. 3C, [0047], “dependency explosion resulting from a "Unix domain socket, multiple senders" source in a a dependency between cupsd 307 (Common Unix Printing System Daemon) and all other applications which ever printed a document such as Ip 301 (e.g., a printing tool) and a word processor 303. As a result, if an attacker performs a privilege escalation 311 on cupsd and/or system libraries 309, and the attack is backtracked using conventional backtracking, the resulting backtracking graph includes the actions of all applications which ever printed a file, which causes increased overhead and/or system slowdown.” [Emphasis added.]; FIG. 5, [0063], “The reference model generated in block 508 may be used to derive a relevancy score for each edge. A specific threshold th may be used as the cutoff point for distinguishing relevancy, and the threshold may be pre-defined or defined during system operation. Any edge with a score below th may considered irrelevant to the attack” [Emphasis added.] where if the “cupsd” 307 (trigger command) initiates an attack, under the settings where a dependency explosion occurs, there would be different chains of processes (i.e., ancestry commands) that cause the attack. In particular, a specific attack path (ancestry level) may be chosen by using the relevancy score based on the backtracking graph.).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified MASHEVSKY ‘180 in view of Goddard ‘530 and Chen ‘226 with the dependency graph for backtracking toward an origin of an attack as taught by Li ‘454 because it would effectively detect and/or prune away resources unrelated to attacks to generate an accurate and concise backtracking graph by using a relevancy score for each edge [0007]-[0009].

Per claim 8 (dependent on claim 2):

MASHEVSKY ‘180 in view of Goddard ‘530 and Chen ‘226 does not disclose but Li ‘454 discloses: The security service system of claim 2, wherein the plurality of modules further comprises an analysis module configured to: determine a plurality of process trees in a plurality of connections within a specific environment to which the monitored computing device belongs (FIG. 3C, [0047], “dependency explosion resulting from a "Unix domain socket, multiple senders" source in a graph 350 (e.g., DGraph) … a Unix domain socket (UDS) 305 (e.g., Cups.sock) may cause a dependency explosion if multiple processes 301, 303 send a message through the UDS 305 to other processes (e.g., Common Unix Printing System Daemon (cupsd) 307). For example, in FIG. 3C, a dependency explosion occurs due to a UDS 305 shared by multiple processes 301, 303. The result is a dependency between cupsd 307 (Common Unix Printing System Daemon) and all other applications which ever printed a document such as Ip 301 (e.g., a printing tool) and a word processor 303. As a result, if an attacker performs a privilege escalation 311 on cupsd and/or system libraries 309, and the attack is backtracked using conventional backtracking, the resulting backtracking graph includes the actions of all applications which ever printed a file, which causes increased overhead and/or system slowdown.” [Emphasis added.] where if the “cupsd” 307 (trigger command) initiates an attack, under the settings where a dependency explosion occurs, there would be different chains of processes (process trees) that causes the attack. In particular, a different attack path (ancestry level) may be chosen in terms of backtracking graph.); identify a process tree of the plurality of process trees having a number of command lines less than a threshold number as a suspicious activity; statistically analyze the process tree of the plurality of process trees for frequency of the new suspicious activity pattern; and identify the process tree as a suspicious activity if the frequency is lower than a threshold frequency ([0008], “A relevancy score for each edge of the DGraphs is determined. Irrelevant events from the DGraphs are pruned to generate a condensed backtracking graph. An origin is located by backtracking from an attack detection point in the condensed backtracking graph” [Emphasis added.]; [0062], “A reference model builder may be employed in block 508 to automatically identify attack relevant events … the following observations and assumptions for identifying attack relevant events: (1) at any particular moment in time, the majority of hosts in an enterprise are unlikely to be compromised by an attacker. (2) events which occur frequently amongst all hosts in the enterprise are not likely relevant to an attack; and (3) an attack usually generates some rare events,” [Emphasis added.]; [0081], “the backtracking method using the condensed backtracking graph to locate an attack origin is performed in block 512. The method (hereinafter k-hop back­tracking) according to one embodiment is described in Method 1 below:”; [0082], “the input to the algorithm is the DGraph (created by the monitoring agent), the source edge (the detection point found (e.g., by an administrator)), a value for k, and a maximum frequency threshold … For each edge encountered during the depth limited search, if it is considered as relevant (based on the relevancy score, r) then the event ev is traversed upon during backtracking and added to the resulting backtracking graph. An edge is considered relevant if its corresponding frequency in the reference model is less than the specified threshold (th).” [Emphasis added.] where an edge would be considered relevant if its corresponding frequency in the reference model is less than the specified threshold (th). In other words, the corresponding event ev may be traversed (i.e. backtracked) if the frequency in the reference model < th since they are not pruned (i.e. resources are highly related to attacks as [0062] explained above.). Para 0062 teaches that as the number of frequency when events (which may be caused by suspicious activity) occur gets smaller, the probability that attacks happen gets higher. Based on this assumption, a decision has been made for an edge to be included in a condensed backtracking list.).

Per claim 13 (dependent on claim 12):

The limitations of the claim(s) correspond(s) to features of claim 5 and the claim(s) is/are rejected for the reasons detailed with respect to claim 5.

Per claim 16 (dependent on claim 10):
MASHEVSKY ‘180 in view of Goddard ‘530 and Chen ‘226 discloses the elements detailed in the rejection of claim 10 above, incorporated herein by reference.
The limitations of the claim(s) correspond(s) to features of claim 8 and the claim(s) is/are rejected for the reasons detailed with respect to claim 8.

Per claim 17 (dependent on claim 16):
MASHEVSKY ‘180 in view of Goddard ‘530 and Chen ‘226 and Li ‘454 discloses the elements detailed in the rejection of claim 16 above, incorporated herein by reference.
The limitations of the claim(s) correspond(s) to features of claim 8 and the claim(s) is/are rejected for the reasons detailed with respect to claim 8.

Per claim 21 (dependent on claim 19):
MASHEVSKY ‘180 in view of Goddard ‘530 and Chen ‘226 discloses the elements detailed in the rejection of claim 19 above, incorporated herein by reference.
The limitations of the claim(s) correspond(s) to features of claim 5 and the claim(s) is/are rejected for the reasons detailed with respect to claim 5.

Per claim 23 (dependent on claim 19):

The limitations of the claim(s) correspond(s) to features of claim 8 and the claim(s) is/are rejected for the reasons detailed with respect to claim 8.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SANGSEOK PARK whose telephone number is (571)272-4332.  The examiner can normally be reached on Monday-Thursday 7:30-5:30 and Alternate Fridays 8:30-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on (571) 272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/SANGSEOK PARK/Examiner, Art Unit 2494                                                                                                                                                                                                        
/Kevin Bechtel/Primary Examiner, Art Unit 2491