DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This notice of allowance is in response to applicant’s amendments filed on 05/03/2021 and examiner initiated interview on 08/05/2021 and examiner’s amendments proposed on 08/05/2021.
The text of those sections of Title 35 U.S. Code not included in this section can be found in the prior office action. The prior office actions are incorporated herein by reference. In particular, the observations with respect to claim language, and response to previously presented arguments.
Claims 1, 11 and 16 are amended. No claim is added or cancelled. Claims 1-20 are pending.

EXAMINER’S AMENDMENTS
AN EXAMINER’S AMENDMENT TO THE RECORD APPEARS BELOW. SHOULD THE CHANGES AND/OR ADDITIONS BE UNACCEPTABLE TO APPLICANT, AN AMENDMENT MAY BE FILED AS PROVIDED BY 37 CFR 1.312. TO ENSURE CONSIDERATION OF SUCH AN AMENDMENT, IT MUST BE SUBMITTED NO LATER THAN THE PAYMENT OF THE ISSUE FEE. AUTHORIZATION FOR THIS EXAMINER’S AMENDMENT WAS GIVEN IN A TELEPHONE INTERVIEW AND VIA EMAIL WITH THE APPLICANT’S REPRESENTATIVE, ATTORNEY THOMAS M. BONACCI, REG. #47973. PLEASE ENTER THE FOLLOWING CLAIM AMENDMENTS: PLEASE REPLACE CLAIM 1, 11 and 16 WITH THE FOLLOWING:
1. (Currently Amended) In a computing environment, a method for detecting multistage attacks, the method comprising:
	accessing a collection of data associated with one or more computer resources and utilization; 
	constructing a graph using the collected data, nodes of the graph being items within the collection of data and edges connecting the nodes being relationships between the connected nodes; 
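	identifying possible attack subgraphs within the constructed graph by applying a probabilistic kill chain model, the identified attack subgraphs being subgraphs of the constructed graph, a kill chain comprising steps an attack uses to access a target;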
	determining a score for each of the identified attack subgraphs, the score being a combination of scores for weighted activities and associated with a measure of a number of steps from the each subgraph to a particular activity or to a sensitive resource;
	filtering the identified possible attack subgraphs to determine a set of domain specific subgraphs;  
	ranking the domain specific subgraphs based on at least one of connectivity and relevance;
	identifying one or more of the domain specific subgraphs where the determined score is above a particular threshold indicating a likelihood of an actual attack; and
	publishing the identified likely actual attack to an administrator, user, or security system.

11. (Currently Amended) A system for detecting multistage attacks, the system comprising: one or more computer processors; and one or more data storage devices having stored thereon computer-executable instructions which, when executed upon the one or more computer processors, enable the system to perform:
accessing a collection of data associated with one or more computer resources and utilization; 
	constructing a graph using the collected data, nodes of the graph being items within the collection of data and edges connecting the nodes being relationships between the connected nodes; 
	identifying possible attack subgraphs within the constructed graph by applying a probabilistic kill chain model, the identified attack subgraphs being subgraphs of the constructed graph, a kill chain comprising steps an attack uses to access a target;
	determining a score for each of the identified attack subgraphs, the score being a combination of scores for weighted activities and associated with a measure of a number of steps from the each subgraph to a particular activity or to a sensitive resource;
	filtering the identified possible attack subgraphs to determine a set of domain specific subgraphs;  
	ranking the domain specific subgraphs based on at least one of connectivity and relevance;
	identifying one or more of the domain specific subgraphs where the determined score is above a particular threshold indicating a likelihood of an actual attack; and
	publishing the identified likely actual attack to an administrator, user, or security system.


16. (Currently Amended) A computer program product for detecting multistage attacks, the computer program product comprising one or more data storage devices having stored thereon computer-executable instructions which, when executed upon one or more computer processors of a computer system, enable the system to perform:
accessing a collection of data associated with one or more computer resources and utilization; 
	constructing a graph using the collected data, nodes of the graph being items within the collection of data and edges connecting the nodes being relationships between the connected nodes; 
	identifying possible attack subgraphs within the constructed graph by applying a probabilistic kill chain model, the identified attack subgraphs being subgraphs of the constructed graph, a kill chain comprising steps an attack uses to access a target;
	determining a score for each of the identified attack subgraphs, the score being a combination of scores for weighted activities and associated with a measure of a number of steps from the each subgraph to a particular activity or to a sensitive resource;
	filtering the identified possible attack subgraphs to determine a set of domain specific subgraphs;  

	identifying one or more of the domain specific subgraphs where the determined score is above a particular threshold indicating a likelihood of an actual attack; and
	publishing the identified likely actual attack to an administrator, user, or security system.

ALLOWABLE SUBJECT MATTER
Claims 1-20 are allowed in light of applicant’s amendments, examiner’s amendments and prior art(s) of record. 

EXAMINER’S STATEMENT OF REASONS FOR ALLOWANCE
Following is an examiner’s statement of reasons for the allowance:
As to claim 1, independent claim 1 recites, inter alia, “identifying possible attack subgraphs within the constructed graph by applying a probabilistic kill chain model, the identified attack subgraphs being subgraphs of the constructed graph, a kill chain comprising steps an attack uses to access a target; determining a score for each of the identified attack subgraphs, the score being a combination of scores for weighted activities and associated with a measure of number of steps from the each subgraph to a particular activity or to a sensitive resource”. None of the prior art of record, either taken by itself or in any combination, would anticipate or make obvious the above limitation combined with the other limitations recited in claim 1 at or before the time it was filed.
Examiner performed an updated search and identified prior art. Tang et al. (US20180032724) teaches multi-phase attack detection using subgraphs and a kill chain. Tang also teaches finding the shortest path between two nodes in the subgraph, but Tang does not teach determining a subgraph’s score based on weighted activities and distance. Choudhury et al. (US20180103052) teaches attack detection and 
Independent claims 11 and 16, although different, recite limitations similar to those found in claim 1. Therefore, claims 11 and 16 are considered to be allowable for the same reason as discussed above.
Dependent claims 2-10, 12-15 and 17-20 depend upon one of the above-mentioned allowed claims and are therefore allowed by virtue of their dependencies.
Any comments considered necessary by applicant must be submitted no later than payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

CONCLUSION
Prior art made of record, not relied upon: See PTO-892.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LIN CHANG whose telephone number is (571)272-9998.  The examiner can normally be reached on Monday-Thursday 9AM-6PM EST Friday: Variable.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/L.C./Examiner, Art Unit 2438
/TAGHI T ARANI/Supervisory Patent Examiner, Art Unit 2438