Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This action is responsive to the application filed on 5/23/2019. Claims 1, 8 and 15 are independent. Claims 1-20 are currently pending.

Claim Objections
Claim 1 is objected to. In the second limitation, "the" should be deleted from "the vertices", "the relations" and "the edges"; in the fourth limitation, "the" should be deleted from "the coefficient" and "the strength of the relations"; in the fifth limitation, "the" should be deleted from "the total coefficient"; in the sixth limitation, "the" should be deleted from "identifying the object".
Claims 8 and 15 have similar deficiencies.
In claim 3, "the" should be deleted from "the probability".

Claims 10 and 17 have similar deficiencies.
In claim 5, "the" should be deleted from "the subgraphs whose diameters".

Claims 12 and 19 have similar deficiencies.

Appropriate corrections are required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims, the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Choudhury et al. (US 20180329958 A1), hereinafter Choudhury, in view of Bindu, Graph Feature Based Multi-Layer Social Network Analysis for Anomaly Detection, Thesis, Department of Computer Science and Engineering, National Institute of Technology Karnataka, March, 2018.

Regarding claims 1, 8 and 15, Choudhury teaches a method for detecting a source of malicious activity in a computer system (FIG. 2 and para. 0014), comprising:
gathering information related to the objects of the computer system (FIG. 3 and para. 0014, vertices of the data graph represent network entities selected from the group consisting of machines (having IP addresses or other network addresses), services, and applications, and the edges of the data graph represent communications between the network entities);
forming a graph based on the information gathered on the objects (FIG. 3 and para. 0088, a graph G is an ordered pair G=(V,E)), where the objects appear as the vertices of the graph (FIG. 3, para. 0014 and 0088, vertices of the data graph represent network entities selected from the group consisting of machines (having IP addresses or other network addresses), services, and applications ... graph represents a target pattern of links in a set of documents (e.g., Web pages, blog posts), the vertices of the data graph represent the respective documents), and the relations between objects, as determined based on analysis of the gathered information, appear as the edges of the graph (FIG. 3 and para. 0014, the edges of the data graph represent communications between the network entities ... the edges of the data graph represent links between the documents);
selecting at least two induced subgraphs from the resulting graph (FIG. 3, para. 0014 and 0089, subgraph isomorphism 330. FIG. 4 and para. 0089, plurality of query graphs 410 and plurality of subgraph isomorphisms);


Bindu teaches determining, from the selected subgraphs, a subgraph whose coefficient of harmfulness is a minimum among the determined coefficients of harmfulness of the subgraphs (page 22 para. 03, SCAN and GskeletonClu depend on a sensitive parameter called minimum similarity threshold for clustering. Page 93 para. 02, Each user in the Tweet network layer G_T(V, E_T, U) is tested for a behavioral characteristic, and if it does not satisfy the minimum threshold, the user is marked as a base spammer [a sensitive parameter called minimum similarity threshold for clustering meets the coefficient of harmfulness is a minimum limitation]), and the total coefficient of harmfulness of the subgraphs related to that subgraph is a maximum (page 23 para. 03, A clustering algorithm based on Expected Maximization (EM) is then used to categorize the users according to their initial anomaly scores. Finally, the method makes use of Fuzzy logic using membership functions to define the degree of anomalousness ... It then employs Expected Maximization-Gaussian Mixture Model algorithm, Fuzzy c-means clustering algorithm, and a combination of Gaussian Mixture Model and fuzzy logic to differentiate between normal and anomalous individuals).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Choudhury and Bindu because it solved the difficulty to develop a general-purpose anomaly detection 

Regarding claims 2, 9 and 16, the combination of Choudhury and Bindu teaches all of the limitations of claims 1, 8 and 15, as described above. Choudhury further teaches determining the coefficient of harmfulness of the subgraph based on a degree of similarity of that subgraph with at least one subgraph from a database of graphs containing previously formed graphs of malicious activity of the computer system, each of which is associated with a coefficient of harmfulness (para. 0078, Statistics (266) for the query graph (230) and/or its query subgraphs can be compared or juxtaposed against normative patterns. This may help a user determine which of the query subgraphs has the most discriminatory strength and/or assess how many false positives are likely with the query graph).

Regarding claims 3, 10 and 17, the combination of Choudhury and Bindu teaches all of the limitations of claims 1, 8 and 15, as described above. Bindu further teaches wherein the coefficient of harmfulness of a subgraph is a coefficient of harmfulness characterizing the probability that at least one object of those associated with the vertices of the mentioned subgraph is malicious (FIG. 2.2, anomaly detection on dynamic networks and nodes [nodes are equivalent to vertices of subgraph] and probability-based. Page 29 para. 01, An anomalous subgraph has many low-probability or unexpected edges and lacking many high-probability or expected edges within itself, and between itself and its neighborhood).


Regarding claims 4, 11 and 18, the combination of Choudhury and Bindu teaches all of the limitations of claims 1, 8 and 15, as described above. Choudhury further teaches wherein only subgraphs related to other subgraphs by graph edges associated with a cause and effect relationship are analyzed (para. 0014, graph represents a target pattern of links in a set of documents (e.g., Web pages, blog posts), the vertices of the data graph represent the respective documents, and the edges of the data graph represent links between the documents).

Regarding claims 5, 12 and 19, the combination of Choudhury and Bindu teaches all of the limitations of claims 1, 8 and 15, as described above. Bindu further teaches wherein the subgraphs whose diameters are less than a predetermined threshold value are analyzed (page 104 table 5.4, spammer community statistics, diameter (largest shortest path) is 9).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Choudhury and Bindu because it solved the difficulty to develop a general-purpose anomaly detection system (Bindu page 4, list of challenges that are encountered while detecting anomalies).

Regarding claims 6, 13 and 20, the combination of Choudhury and Bindu teaches all of the limitations of claims 1, 8 and 15, as described above. Choudhury further teaches wherein previously unknown objects are selected from the objects found as being the source of the malicious activity (para. 0014, the query graph represents a target pattern of intrusion or attack in a computer network).

Regarding claims 7 and 14, the combination of Choudhury and Bindu teaches all of the limitations of claims 1 and 8, as described above. Choudhury further teaches wherein the objects comprise at least one of files, folders, applications, registry entries, or web sites (para. 0014, the vertices of the data graph represent network entities selected from the group consisting of machines (having IP addresses or other network addresses), services, and applications, and the edges of the data graph represent communications between the network entities ... graph represents a target pattern of links in a set of documents (e.g., Web pages, blog posts), the vertices of the data graph represent the respective documents, and the edges of the data graph represent links between the documents).

Reference Cited Not Used
The closest art Hadar et al. (US 20200177616 A1) teaches a method for agile security platforms in enterprise, including providing graph data defining a graph that is representative of an enterprise network, the graph including nodes and edges between nodes, each node representing an asset within the enterprise network, and each edge 
The closest art Chari et al. (US 20160364794 A1) teaches a method for identifying fraudulent transactions. Transaction data corresponding to a plurality of transactions between accounts are obtained from one or more different transaction channels. At least one graph of transaction payment relationships between the accounts is generated from the transaction data. Features are extracted from the at least one graph of transaction payment relationships between the accounts. A fraud score for a current transaction is generated based on the extracted features from the at least one graph of transaction payment relationships between the accounts.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHU CHUN GAO whose telephone number is (571)270-5999. The examiner can normally be reached on Monday-Thursday 6:00-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KRISTINE KINCAID can be reached on 571-272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/SHU CHUN GAO/Examiner, Art Unit 2437 


/NELSON S. GIDDINS/Primary Examiner, Art Unit 2437