DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination under 37 CFR 1.114
2. A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 08/26/2021 has been entered. 

Response to Arguments
According to applicant's arguments filed on 07/27/2021, independent claims 2, 22 and 40 have been amended, which is hereby acknowledged.
In view of Applicant's amendment, the 112(a) rejection of claims 2, 31 and 40 is withdrawn.

Applicant’s arguments with respect to independent claim(s) 2, 31 and 40 have been considered but are moot based on the new grounds of rejection.

Applicant argues that the prior art of record does not disclose the amended feature of the independent claims, which recite in part: “determining that the significant change of the value of the parameter is associated with a false positive computing network event”.

Examiner would like to point out that the new secondary reference Muddu in para: 0171 and para: 0610 teaches the above claimed limitation (see, the rejection below).

Double Patenting
7.  The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-

8.   Claims 2, 23-26, 28-29, 31-35, 38 and 40 of the instant application are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-8, 10-15 and 17 of U.S. Patent No. 10,476,896. Although the conflicting claims are not identical, they are not patentably distinct from each other because the instant application and the granted patent both claim the same invention. For example, both the instant application and the patent claim “detection of threats through analysis of one or more time series graphs”.


Claim Rejections - 35 USC §103
9.    The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

10.    Claim(s) 2, 22, 24, 25, 27, 31, 32, 34, 35, 37 and 40 are rejected under 35 U.S.C. 103 as being unpatentable over Koyanagi (US Pub. No. 2016/0255109) in view of Muddu (US Pub. No. 2017/0063886).
 
11.    Regarding claims 2,22 and 40 Koyanagi teaches a computer-implemented method comprising: determining that each node of a set of nodes of a computing network is a server whose execution of assigned jobs is indicated as being good even when the execution causes a value of a parameter that is associated with a graphical model and the node to exhibit a 
Fig.10-11, Para: 0069, 0071-0074 teaches the detection pattern history DB includes one or more detection patterns 201 and one or more appearance frequencies 202 as detection result history information. According to the appearance frequency 202, the cumulative number of appearances of the detection pattern 201 is stored with respect to each detection pattern 201. It is determined whether a detection pattern is a known pattern based on the appearance frequency 202 of the detection pattern history DB 20. 
Fig.11 is a flowchart that shows a learning process according to the first variation. When this process starts, the known pattern learning part 16 searches the detection pattern history DB 20 for the detection result history information of the detection pattern 201 that matches a detection pattern. The known pattern learning part determines whether there is the detection pattern that matches the detection pattern. In response to determining that there is the detection pattern that matches the detection pattern, the known pattern learning part updates the appearance frequency of the matching detection pattern, and proceeds to step S48 in fig.11. On the other hand, in response to determining that there is no detection pattern that matches the detection 

receiving, by a data analysis device, a data file comprising multiple log data entries, the log data entries including parameters associated with a computer network event in a computing network; producing, by the data analysis device, a graphical model of the computing network based on at least one parameter included in the log data entries; performing, by a graphical processing unit of the data analysis device, a time-series analysis on the parameter to determine a relative importance of the associated particular node in the computing network  (Fig.2, Para: 0045-0048 teaches the detection apparatus detects a pattern of change points of feature value of the time-series data of data detected with various sensors or log data, and determines whether the detected pattern is known or unknown. Para: 0069 teaches the detection apparatus 10 of the first embodiment, change points of feature values of object data are detected with multiple granularities that differ in the width of a unit time, and the order of detection (the order of appearance) of the detected change points is learned as a known pattern. Then, it is determined whether a new detection pattern is known or unknown based on whether the new detection pattern matches a learned known pattern. Thus, according to the detection apparatus 10 of the first embodiment, it is possible to perform a detection process on object data by comparing data 

determining, as a result of the time-series analysis performed by the graphical processing unit, that, within a predetermined period of time, a significant change in the value of the parameter that satisfies the threshold value has occurred; in response to determining that the significant change in the value of the parameter that satisfies the threshold value has occurred, determining that the particular node is included among the set of defined, known good nodes
 (Fig.2, Para: 0045-0048 teaches the detection apparatus detects a pattern of change points of feature value of the time-series data of data detected with various sensors or log data, and determines whether the detected pattern is known or unknown. Figs.21-23 and Para: 0095-0100 teaches a learning process in which the process starts, with a known pattern learning part 16 that determines whether there is the detection order 171a of a known pattern that matches the detection order of a detected detection pattern in the known pattern DB 17. In response to determining that there is a known pattern that has the matching detection order 171a in the known pattern DB 17, the known pattern learning part 16 determines whether there is a known pattern stored in the known pattern DB 17 that has the detection order 171a equal to the detection order of the detected detection pattern and has the detection interval 171b whose differences in the individual detection intervals of change points from the detection interval of the detected detection pattern are each less than or equal to a threshold d. In response to determining the presence of such a known pattern in the known pattern DB 17, the known pattern learning part 16 updates a range of appearances of similar patterns (similar pattern 

Koyanagi teaches all the above claimed limitations but does not expressly teach determining that the significant change of the value of the parameter is associated with a false positive computing network event.

Muddu teaches in response to determining that the particular node is included among the set of defined, known good nodes, determining that the significant change of the value of the parameter is associated with a false positive computing network event (Para:0184-0186 teaches determining the significant change of the value of the parameters. Para: 0171 and para: 0610 teaches if the threat detection is a false positive, the human operator may so indicate upon being presented with the anomaly or the threat. The rejection of the analysis result may also be provided to the database. The operator feedback information may be employed to update the model to improve future evaluation).

Therefore, it would have been obvious to one of ordinary skill in the art before the invention was filed to modify Koyanagi to include determining that the significant change of the value of the parameter is associated with a false positive computing network event as taught by Muddu, since such a setup would yield a predictable result of determining an anomalous event in the computer network based on variations in network patterns.



13.    Regarding claims 24 and 34, Koyanagi teaches the method and the system further comprising: performing, by the data analysis device, a periodic log data update that comprises point-in-time partitioning by, for each update of the periodic log data update (Para: 0045-0047, 0069 and Para: 0105-0107 teach updating the log data [object data] as new logs are generated), receiving a past time window of log data entries associated with the graphical model and storing, in a data storage unit of the data analysis device, the past time window (Figs. 2, 3, 10 and Para: 0052-0054 teach recording the historical log data within the graphical model).

14.    Regarding claims 25 and 35, Koyanagi teaches the method and the system, further comprising, analyzing, by the computer processor, the past time window of log data entries associated with the graphical model to produce a subsequent set of GA metrics (Para: 0045-0047 and Para: 0053-0057 teach recording the historical data (the time series data of objects) within the graphical model. The historical data, which consists of parameters such as log data (data object), its ID (detection id) and time (detection time), is analyzed and a graph is generated based on these parameters, which can be used to produce subsequent sets).

15.    Regarding claims 27 and 37 Koyanagi teaches the method and the system, wherein performing time-series analysis on the parameter includes analyzing, by the data analysis device, the node of the computing network to detect a change in an attribute of the node that .

16.    Claim(s) 28, 29, 38 and 39 are rejected under 35 U.S.C. 103 as being unpatentable over Koyanagi (US Pub. No. 2016/0255109) in view of Muddu (US Pub. No. 2017/0063886) as applied to claims 2 and 31 and in view of Munro (US Pub. No. 2018/0020015).

17.  Regarding claims 28 and 38, Koyanagi teaches the method and the system, further comprising: extracting, by the data analysis device, the parameters associated with the computer network event and preparing at least one parameter to be loaded into a data storage unit of the data analysis device (Para: 0045-0047 and Para: 0053-0057 teach receiving log data. The log data (data object) includes parameters such as its ID (detection id) and time (detection time); a graph is generated and entered into a DB); but does not expressly teach that the instruction comprises an extract, transform, load (ETL) data processing function.

Munro teaches extracting and preparing occur in response to a processor of the data analysis device executing an instruction stored in the data storage unit, wherein the instruction 

Therefore, it would have been obvious to one of ordinary skill in the art before the invention was filed to modify Koyanagi in view of Muddu to include that the instruction comprises an extract, transform, load (ETL) data processing function as taught by Munro, since such a setup will help to detect the behavioral pattern of the network system.

18.  Regarding claims 29 and 39, Koyanagi teaches the method and the system wherein the particular node comprises one of a computing asset or a user of a computing asset (Para: 0045-0047 teaches that the node comprises a personal computer), but does not expressly teach that the parameters associated with the computer network event included in the log data entries comprise a source identifier, or a destination identifier.

Munro teaches the computer network event included in the log data entries comprise a source identifier, or a destination identifier (Para: 0007 and Para: 0037 teach that the log data entries comprise a source IP address and a destination IP address).

Therefore, it would have been obvious to one of ordinary skill in the art before the invention was filed to modify Koyanagi in view of Muddu to include the computer network event included in the log data entries comprise a source identifier, or a destination identifier as taught by Munro, since such a setup will help to monitor network traffic.

19.  Claims 23 and 33 are rejected under 35 U.S.C. 103 as being unpatentable over Koyanagi (US Pub. No. 2016/0255109) in view of Muddu (US Pub. No. 2017/0063886) as applied to claims 22 and 32 above and in view of Gorman (US Pub. No. 2008/0259815).


Gorman teaches the GA measures comprise a between-ness centrality measure (Para: 0033 teaches computing the between-ness centrality measure).

Therefore, it would have been obvious to one of ordinary skill in the art before the invention was filed to modify Koyanagi in view of Muddu to include a between-ness centrality measure as taught by Gorman, since such a setup is used to characterize the centrality of a cell in relation to the rest of the network (para: 0033).

21.  Claims 26 and 36 are rejected under 35 U.S.C. 103 as being unpatentable over Koyanagi (US Pub. No. 2016/0255109) in view of Muddu (US Pub. No. 2017/0063886) as applied to claims 24 and 34 above and in view of Zhou (US Pub. No. 2016/0179750).

22.  Regarding claims 26 and 36 Koyanagi in view of Muddu teaches all the above claimed limitations, but does not expressly teach the method and the system, further comprising, storing, in the data storage unit, the graphical model of the data as a compressed sparse matrix.

Zhou teaches storing, in the data storage unit, the graphical model of the data as a compressed sparse matrix (Para: 0003 and Para: 0058 teaches storing the graphical model of the data as a compressed sparse matrix).


23.  Claim 30 is rejected under 35 U.S.C. 103 as being unpatentable over Koyanagi (US Pub. No. 2016/0255109) in view of Muddu (US Pub. No. 2017/0063886) as applied to claims 2 and 31 above and in view of Galloway (US Pub. No. 2014/0046983).

24.  Regarding claim 30 Koyanagi in view of Muddu teaches all the above claimed limitations, but does not expressly teach the method, wherein the time-series analysis methods comprise at least one of a time-series regression method, an auto-regressive method, or a control-chart based method.

Galloway teaches the time-series analysis methods comprise an auto-regressive method (Fig. 5, Para: 0266 and Para: 0269 teach computing an auto-regressive method from the time-series analysis).

Therefore, it would have been obvious to one of ordinary skill in the art before the invention was filed to modify Koyanagi in view of Muddu to include an auto-regressive method as taught by Galloway, since such a setup is flexible for handling a wide range of different time series patterns.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEREENA T CATTUNGAL whose telephone number is (571)270-0506. The examiner can normally be reached on Mon-Fri: 7 AM-5 PM EST.



If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/DEREENA T CATTUNGAL/Primary Examiner, Art Unit 2431