Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Dan Fishman on July 16, 2021.

In the claims:

1. 	(Previously Presented) A method for optimizing ingestion of security structured data into a graph database for security analytics, the method comprising:
	receiving a plurality of streams of information from a plurality of security information sources;
	ingesting respective subsets of information from each of the plurality of security information sources to generate small subgraphs of security information, wherein each of the small subgraphs is generated in a local knowledge graph database to comply to a schema used by a master knowledge graph, wherein the security information is uniquely marked with a unique key so that entities associated with the security information are identified similarly in both local and master knowledge graph databases; and


2.	(Original) The method of claim 1 further comprising:
	using the master knowledge graph to determine whether a security incident event is associated with a known or suspected malicious action during security incident analysis.

3.	(Original) The method of claim 2 further comprising:
	performing a set of action steps to mitigate the known or suspected malicious action.

4.	(Original) The method of claim 1 further comprising:
	dividing the plurality of streams of information into respective JavaScript Object Notation (JSON) security risk data files for each of the plurality of security information sources.

5.	(Original) The method of claim 4 further comprising:
	generating a plurality of security risk knowledge subgraphs in a plurality of different local knowledge graph databases, each particular security risk knowledge subgraph is generated from a corresponding JSON security risk data file.

6.	(Original) The method of claim 1 further comprising:
	performing a look ahead procedure prior to inserting a new node or edge into the master knowledge graph as part of bulk upload.

7.	(Currently Amended) The method of claim 1, wherein the batch process is performed in parallel by a plurality of tailored script instances, each tailored script instance for ingesting a specific type of security information.

8.	(Currently Amended) The method of claim 7, wherein the plurality of tailored script instances is a plurality of custom scripts.



10.	(Previously Presented) The method of claim 1, wherein the plurality of security information sources is selected from a group of threat portals including Internet Protocol address reputation, malware hashes, Uniform Resource Locator reputation, vulnerability information, and Domain Name System records.

11.	(Previously Presented) A data processing system for optimizing ingestion of security structured data into a graph database for security analytics, the data processing system comprising:
	a bus system;
	a storage device connected to the bus system, wherein the storage device stores program instructions; and
	a set of processors connected to the bus system, wherein the set of processors executes the program instructions to:
	receive a plurality of streams of information from a plurality of security information sources;
	ingest respective subsets of information from each of the plurality of security information sources to generate small subgraphs of security information, wherein each of the small subgraphs is generated in a local knowledge graph database to comply to a schema used by a master knowledge graph, wherein the security information is uniquely marked with a unique key so that entities associated with the security information are identified similarly in both local and master knowledge graph databases; and
	perform a batch process to ingest a plurality of small subgraphs into the master knowledge graph.

12. 	(Original) The data processing system of claim 11, wherein the set of processors further executes the program instructions to:


13. 	(Original) The data processing system of claim 12, wherein the set of processors further executes the program instructions to:
	perform a set of action steps to mitigate the known or suspected malicious action.

14. 	(Original) The data processing system of claim 11, wherein the set of processors further executes the program instructions to:
	divide the plurality of streams of information into respective JavaScript Object Notation (JSON) security risk data files for each of the plurality of security information sources.

15. 	(Original) The data processing system of claim 14, wherein the set of processors further executes the program instructions to:
	generate a plurality of security risk knowledge subgraphs in a plurality of different local knowledge graph databases, each particular security risk knowledge subgraph is generated from a corresponding JSON security risk data file.

16.	(Previously Presented) A computer program product for optimizing ingestion of security structured data into a graph database for security analytics, the computer program product comprising a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a set of processors to cause the set of processors to perform a method comprising:
	receiving a plurality of streams of information from a plurality of security information sources;
	ingesting respective subsets of information from each of the plurality of security information sources to generate small subgraphs of security information, wherein each of the small subgraphs is generated in a local knowledge graph database to comply to a schema used by a master knowledge graph, wherein the security information is uniquely marked with a unique key so that entities associated with the security information are identified similarly in both local and master knowledge graph databases; and


17. 	(Original) The computer program product of claim 16 further comprising:
	using the master knowledge graph to determine whether a security incident event is associated with a known or suspected malicious action during security incident analysis.

18. 	(Original) The computer program product of claim 17 further comprising:
	performing a set of action steps to mitigate the known or suspected malicious action.

19. 	(Original) The computer program product of claim 16 further comprising:
	dividing the plurality of streams of information into respective JavaScript Object Notation (JSON) security risk data files for each of the plurality of security information sources.

20. 	(Original) The computer program product of claim 19 further comprising:
	generating a plurality of security risk knowledge subgraphs in a plurality of different local knowledge graph databases, each particular security risk knowledge subgraph is generated from a corresponding JSON security risk data file.

21.	(Currently Amended) A method for optimizing ingestion of security structured data into a graph database for security analytics, the method comprising:
	receiving a plurality of streams of information from a plurality of security information sources;
	ingesting respective subsets of information from each of the plurality of security information sources to generate small subgraphs of security information, wherein each of the small subgraphs comply to a schema used by a master knowledge graph; and
	performing a batch process to ingest a plurality of small subgraphs into the master knowledge graph,
	wherein the batch process is performed in parallel by a plurality of tailored script instances, each tailored script instance for ingesting a specific type of security information.



23.	(New) The data processing system of claim 22, wherein the plurality of tailored script instances is a plurality of custom scripts.

24.	(New) The computer program product of claim 16, wherein the batch process is performed in parallel by a plurality of tailored script instances, each tailored script instance for ingesting a specific type of security information.

25.	(New) The computer program product of claim 24, wherein the plurality of tailored script instances is a plurality of custom scripts.

Reasons For Allowance

The following is an examiner’s statement of reasons for allowance: 
Claims 1 – 25 are allowable over the prior art since the prior art references taken individually or in combination fail to particularly disclose, fairly suggest, or render obvious Applicant’s independent claims. 
The Examiner asserts the prior art of record does not reasonably suggest Applicant’s innovative concept and independent claim language, including the whole, of ingesting respective subsets of information from each of the plurality of security information sources to generate small subgraphs of security information, wherein each of the small subgraphs comply to a schema used by a master knowledge graph; and performing a batch process to ingest a plurality of small subgraphs into the master knowledge graph, wherein the batch process is performed in parallel by a plurality of tailored script instances, each tailored script instance for ingesting a specific type of security information.


Accordingly, the prior art of record does not suggest Applicant's independent claim language.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Brian Shaw whose telephone number is (571) 270-5191.  The examiner can normally be reached M-TH 6am-3:30pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on (571) 272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 703-872-9306.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BRIAN F SHAW/
Primary Examiner, Art Unit 2491
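
The ingestion flow recited in claims 1, 6 and 7, as an added illustration that is not part of the office action and is not the applicant's implementation: per-source ingesters build schema-checked local subgraphs whose nodes carry a deterministic key, and a batch merge looks up each key in the master graph before inserting. The node kinds, feed layouts and all function names are assumptions, the sample feeds are constructed, and only the per-source ingesters run in parallel here while the merge is a single pass.

```python
import hashlib
import json
from concurrent.futures import ThreadPoolExecutor

SCHEMA = {"ip", "domain"}  # node kinds the master graph accepts (assumed)

def entity_key(kind, value):  # same entity -> same key in local and master graphs
    return hashlib.sha256(f"{kind}:{value.strip().lower()}".encode()).hexdigest()[:16]

def add_node(graph, kind, value, **props):
    if kind not in SCHEMA:
        raise ValueError(f"node kind {kind!r} violates the master schema")
    key = entity_key(kind, value)
    graph["nodes"].setdefault(key, {"kind": kind, "value": value.strip().lower()}).update(props)
    return key

def ingest_ip_reputation(doc):  # tailored to the IP reputation feed
    g = {"nodes": {}, "edges": set()}
    for rec in json.loads(doc):
        add_node(g, "ip", rec["ip"], score=rec["score"])
    return g

def ingest_dns_records(doc):  # tailored to the DNS record feed
    g = {"nodes": {}, "edges": set()}
    for rec in json.loads(doc):
        dom = add_node(g, "domain", rec["domain"])
        ip = add_node(g, "ip", rec["a"])
        g["edges"].add((dom, "resolves_to", ip))
    return g

JOBS = [  # constructed sample feeds, one JSON document per source
    (ingest_ip_reputation, '[{"ip": "198.51.100.7", "score": 9}]'),
    (ingest_dns_records, '[{"domain": "Bad.Example", "a": "198.51.100.7"}, {"domain": "ok.example", "a": "203.0.113.5"}]'),
]

def batch_merge(master, subgraphs):  # returns (master, inserted, merged)
    inserted = merged = 0
    for sub in subgraphs:
        for key, node in sub["nodes"].items():
            exists = key in master["nodes"]  # look-ahead before insert
            master["nodes"].setdefault(key, {}).update(node)
            inserted, merged = inserted + (not exists), merged + exists
        master["edges"] |= sub["edges"]
    return master, inserted, merged

def run():
    with ThreadPoolExecutor() as pool:  # one ingester instance per source
        subs = list(pool.map(lambda job: job[0](job[1]), JOBS))
    return batch_merge({"nodes": {}, "edges": set()}, subs)
```

Because the IP address reported by both feeds hashes to the same key, the merge updates one node instead of creating a duplicate, and the reputation score set by the first feed survives.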