Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first to invent provisions.
DETAILED ACTION
1.	This action is responsive to the communication filed on 22 March 2021.  The Examiner acknowledges that the original application was filed on 18 February 2019, that this application is a continuation of multiple applications that have been allowed, and that it also relies on a provisional application with a filing date of 22 March 2012.
2.	Claims 1-28 are currently pending.  Claims 1, 8, 15, and 21 are independent claims.
3.	The IDSs submitted on 11 August 2021 and 15 March 2021 have been considered.
Response to Arguments & Remarks

4.	Applicant's arguments filed 22 March 2021 have been fully considered; however, they are moot in view of the new grounds of rejection below.  The Examiner notes that the Examiner of record for this application has been changed to Ellen Tran.  On 2 November 2021 the Examiner and the Applicant’s Representative held an interview to discuss the invention.
Claim Objections
5.	Claim 28 is objected to because of the following informalities: there appears to be a “period” on the fourth line of the claim after “process information”.  Appropriate correction is required.
Double Patenting
6.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A statutory obviousness-type double patenting rejection is In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/forms/.
The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens.
An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, please refer
 
7.	Claims 1-28 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-31 of application 14/382,992 (now patent 9,560,065), claims 1-28 of application 15/419,673 (now patent 9,825,979), and claims 1-24 of application 15/809,297 (now patent 10,243,984).  Although the conflicting claims are not identical, they are not patentably distinct from each other because all the elements/features of the claimed method that detects anomalous behavior exist in the patented applications under similar or different names, essentially performing the same tasks.  Below is a comparison of claim 1 of the pending application with claim 1 of patent 10,243,984.
Pending Application 16/782,225, claim 1:
A computer-implemented method, comprising: applying, by the computing system, an edge resolution model to a plurality of enumerated k-paths of sequences of directed edges in a graph representing real connections in a computer network on a sliding window basis; and detecting, by the computing system, anomalous behavior based on the applied edge resolution model, wherein k is at least 2, and the k-paths have k directed edges.
Patent 10,243,984, claim 1:
A computer-implemented method, comprising: applying, by a computing system, an edge resolution model to a plurality of enumerated k-paths on a sliding window basis; and detecting, by the computing system, anomalous behavior based on the applied edge resolution model, wherein the edge resolution model comprises an Observed Markov Model (“OMM”) or a Hidden Markov Model (“HMM”).

Claim Rejections - 35 USC § 103

8.	The following is a quotation of pre-AIA 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.


9.	Claims 1, 3, and 7 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Coffman U.S. Patent Application Publication No. 20070209075 (hereinafter ‘075).
As to independent claim 1, “A computer-implemented method, comprising:” and “detecting, by the computing system, anomalous behavior” are taught in ‘075 Abstract, paragraphs 4 and 12; note the method and system detect and map activity occurring between devices on a computer network and utilize the mapped activity to detect and prevent network intrusions (i.e. anomalous behavior);
the following is not explicitly taught in ‘075:
“applying, by the computing system, an edge resolution model to a plurality of enumerated k-paths of sequences of directed edges in a graph representing real connections in a computer network on a sliding window basis”; however, ‘075 teaches an enhanced graph matching intrusion detection system (eGMIDS) that maps a plurality of activity occurring at and between devices on a network and generates a graphical representation of the network devices;
“… based on the applied edge resolution model, wherein k is at least 2, and the k-paths have k directed edges”; however, ‘075 teaches an enhanced graph matching intrusion detection system (eGMIDS) that maps activity occurring at and between devices (i.e. at least 2) on a network and generates a graphical representation of the network (devices) and the activity occurring at/amongst the various devices in an ‘edge’ representation in the Abstract, paragraphs 12, 20-21, and 108.
	It would have been obvious to one of ordinary skill in the art at the time of the invention of the network intrusion detection taught in ‘075 to include a means to apply an edge resolution model to a plurality of enumerated k-paths of sequences of directed edges (i.e. a graph) on a sliding window (i.e. constraints) basis to detect anomalous behavior.  One of ordinary skill in the art would have been motivated to perform such a modification because conventional network-based intrusion detection systems analyze each event in isolation without considering the context of events or the communication structure of other activity that is also occurring in the network.  The current method utilizes a graphical representation to store attributes by each device (node) or relationship (edge).  The stored attributes (which are interpreted as equivalent to a plurality of k-paths) improve the accuracy of pattern searches (intrusion detection); see ‘075 (paragraphs 7-11 and 20-21).
As to dependent claim 3, “The computer-implemented method of claim 1, wherein the plurality of enumerated k-paths comprise 3-paths” is taught in ‘075 paragraph 118.
10.	Claims 2, 4-6, and 8-27 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Coffman U.S. Patent Application Publication No. 20070209075 (hereinafter ‘075) in view of Coffman et al. U.S. Patent Application Publication No. 2008/0109730 (hereinafter ‘730).
	As to dependent claim 2, the following is not explicitly taught in ‘075: “wherein the edge resolution model comprises an Observed Markov Model (“OMM”) or a Hidden Markov Model (“HMM”)”; however, ‘730 teaches this in paragraphs 12 and 58.
	It would have been obvious to one of ordinary skill in the art at the time of the invention of the network intrusion detection taught in ‘075 to include a means to use a Markov Model.  One of ordinary skill in the art would have been motivated to perform such a modification because conventional Social Network Analysis (SNA) techniques and metrics were developed to distill the data; see ‘730 (paragraphs 9-12).  In addition, ‘075 is referenced in paragraph 3 of ‘730, and both are by the same inventor, Coffman.
As to dependent claim 4, “The computer-implemented method of claim 1, further comprising: determining, by the computing system, historical parameters of the network to determine normal activity levels, wherein the computing system determines the historical parameters by taking into account at least two edge types” is taught in ‘730 paragraph 16.

As to dependent claim 6, “The computer-implemented method of claim 5, wherein the second edge type is parameterized by a mean vector to ensure that models are not overly sensitive to low count edges” is disclosed in ‘730 paragraph 18.

As to independent claim 8, “An apparatus, comprising: at least one processor; and memory storing computer program instructions, wherein the instructions, when executed by at least one processor, are configured to cause the at least one processor to:” and “detect anomalous behavior” are taught in ‘075 Abstract, paragraphs 4 and 12; note the method and system detect and map activity occurring between devices on a computer network and utilize the mapped activity to detect and prevent network intrusions (i.e. anomalous behavior); the following is not explicitly taught in ‘075:
“… based on the applied statistical model, wherein k is at least 2, and the k-paths have k directed edges”; however, ‘075 teaches an enhanced graph matching intrusion detection system (eGMIDS) that maps activity occurring at and between devices (i.e. at least 2) on a network and generates a graphical representation of the network (devices) and the activity occurring at/amongst the various devices in an ‘edge’ representation in the Abstract, paragraphs 12, 20-21, and 108.
	It would have been obvious to one of ordinary skill in the art at the time of the invention of the network intrusion detection taught in ‘075 to include a means to utilize k-paths and directed edges (i.e. a graph) to detect anomalous behavior.  One of ordinary skill in the art would have been motivated to perform such a modification because conventional network-based intrusion detection systems analyze each event in isolation without considering the context of events or the communication structure of other activity that is also occurring in the network.  The current method utilizes a graphical representation to store attributes by each device (node) or relationship (edge).  The stored attributes (which are interpreted as equivalent to a plurality of k-paths) improve the accuracy of pattern searches (intrusion detection); see ‘075 (paragraphs 7-11 and 20-21).
the following is not explicitly taught in ‘075:
“apply a statistical model to a plurality of enumerated k-paths of sequences of directed edges in a graph representing real connections in a computer network on a sliding window basis”; however, ‘730 teaches an enhanced graph matching intrusion detection system (eGMIDS) that utilizes a statistical pattern classification (i.e. statistical model) in the Abstract, paragraphs 15, 18, 83, and 86;
	It would have been obvious to one of ordinary skill in the art at the time of the invention of a network intrusion detection taught in ‘075 to include a means to use a statistical model to detect anomalous behavior.  One of ordinary skill in the art would have been motivated to perform such a modification because there is no accurate enough model to determine what is 

	As to dependent claim 9, the following is not explicitly taught in ‘075: “wherein the statistical model comprises an Observed Markov Model (“OMM”) or a Hidden Markov Model (“HMM”)”; however, ‘730 teaches this in paragraphs 12 and 58.
	It would have been obvious to one of ordinary skill in the art at the time of the invention of the network intrusion detection taught in ‘075 to include a means to use a Markov Model.  One of ordinary skill in the art would have been motivated to perform such a modification because conventional Social Network Analysis (SNA) techniques and metrics were developed to distill the data; see ‘730 (paragraphs 9-12).  In addition, ‘075 is referenced in paragraph 3 of ‘730, and both are by the same inventor, Coffman.
As to dependent claim 10, “wherein the plurality of enumerated k-paths comprise 3-paths” is taught in ‘075 paragraph 118.
As to dependent claim 11, “wherein the computer program instructions are further configured to cause the at least one processor to determine historical parameters of the network to determine normal activity levels by taking into account at least two edge types” is taught in ‘730 paragraph 16.
As to dependent claim 12, “wherein a first edge type of the at least two edge types comprises member edges having sufficient data to estimate an individual model, and a second edge type of the at least two edge types comprises member edges where there is not sufficient data to estimate individual models for the member edges” is shown in ‘730 Figure 6A [item 609] and paragraph 72.

As to dependent claim 14, “wherein the computer program instructions are further configured to cause at least one processor to: collect data from a plurality of host agents pertaining to network communications sent and received by respective hosts in the network; and analyze the collected data to detect anomalous behavior during a predetermined time period” is shown in ‘075 paragraphs 13 and 50.
As to independent claim 15, “A system, comprising: memory storing computer program instructions; and a plurality of processing cores configured to execute the stored computer program instructions, wherein the plurality of processing cores is configured to:” and “detect anomalous behavior” are taught in ‘075 Abstract, paragraphs 4 and 12; note the method and system detect and map activity occurring between devices on a computer network and utilize the mapped activity to detect and prevent network intrusions (i.e. anomalous behavior); the following is not explicitly taught in ‘075:
“… based on the applied statistical model, wherein k is at least 2, and the k-paths have k directed edges”; however, ‘075 teaches an enhanced graph matching intrusion detection system (eGMIDS) that maps activity occurring at and between devices (i.e. at least 2) on a network and generates a graphical representation of the network (devices) and the activity occurring at/amongst the various devices in an ‘edge’ representation in the Abstract, paragraphs 12, 20-21, and 108.


the following is not explicitly taught in ‘075:
“apply a statistical model to a plurality of enumerated k-paths of sequences of directed edges in a graph representing real connections in a computer network on a sliding window basis”; however, ‘730 teaches an enhanced graph matching intrusion detection system (eGMIDS) that utilizes a statistical pattern classification (i.e. statistical model) in the Abstract, paragraphs 15, 18, 83, and 86;
	It would have been obvious to one of ordinary skill in the art at the time of the invention of a network intrusion detection taught in ‘075 to include a means to use a statistical model to detect anomalous behavior.  One of ordinary skill in the art would have been motivated to perform such a modification because there is no accurate enough model to determine what is 
	As to dependent claim 16, the following is not explicitly taught in ‘075: “wherein the statistical model comprises an Observed Markov Model (“OMM”) or a Hidden Markov Model (“HMM”)”; however, ‘730 teaches this in paragraphs 12 and 58.
	It would have been obvious to one of ordinary skill in the art at the time of the invention of the network intrusion detection taught in ‘075 to include a means to use a Markov Model.  One of ordinary skill in the art would have been motivated to perform such a modification because conventional Social Network Analysis (SNA) techniques and metrics were developed to distill the data; see ‘730 (paragraphs 9-12).  In addition, ‘075 is referenced in paragraph 3 of ‘730, and both are by the same inventor, Coffman.
As to dependent claim 17, “wherein the plurality of enumerated k-paths comprise 3-paths” is taught in ‘075 paragraph 118.
As to dependent claim 18, “wherein the plurality of processing cores is further configured to determine historical parameters of the network to determine normal activity levels by taking into account at least two edge types, wherein a first edge type of the at least two edge types comprises member edges having sufficient data to estimate an individual model, and a second edge type of the at least two edge types comprises member edges where there is not sufficient data to estimate individual models for the member edges” is shown in ‘730 Figure 6A [item 609] and paragraph 72.
As to dependent claim 19, “wherein the second edge type is parameterized by a mean vector to ensure that models are not overly sensitive to low count edges” is disclosed in ‘730 paragraph 18.


As to independent claim 21, “A computer-implemented method, comprising: analyzing, by the computing system, collected data pertaining to network communication for each host of a plurality of hosts in a network to detect anomalous behavior during a predetermined time period” and “when anomalous behavior is detected, providing, by the computing system, an indication that the anomalous behavior occurred during the predetermined time period” are taught in ‘075 Abstract, paragraphs 4 and 12; note the method and system detect and map activity occurring between devices on a computer network and utilize the mapped activity to detect and prevent network intrusions (i.e. anomalous behavior);
the following is not explicitly taught in ‘075:
“… based on the applied statistical model, wherein k is at least 2, and the k-paths have k directed edges”; however, ‘075 teaches an enhanced graph matching intrusion detection system (eGMIDS) that maps activity occurring at and between devices (i.e. at least 2) on a network and generates a graphical representation of the network (devices) and the activity occurring at/amongst the various devices in an ‘edge’ representation in the Abstract, paragraphs 12, 20-21, and 108.


the following is not explicitly taught in ‘075:
“apply a statistical model to a plurality of enumerated k-paths of sequences of directed edges in a graph representing real connections in a computer network on a sliding window basis”; however, ‘730 teaches an enhanced graph matching intrusion detection system (eGMIDS) that utilizes a statistical pattern classification (i.e. statistical model) in the Abstract, paragraphs 15, 18, 83, and 86;
	It would have been obvious to one of ordinary skill in the art at the time of the invention of a network intrusion detection taught in ‘075 to include a means to use a statistical model to detect anomalous behavior.  One of ordinary skill in the art would have been motivated to perform such a modification because there is no accurate enough model to determine what is 
	As to dependent claim 22, “wherein the collected data is sent as one-way communication from host agents via User Datagram Protocol (“UDP”)” is taught in ‘730 paragraph 35.
As to dependent claim 23, “wherein the data collected for each host comprises process stop and start information with checksums of starting process images, network connection event logs, a mapping of running processes to established network connections, and a current network connection state” is shown in ‘075 paragraphs 118-121.
As to dependent claim 24, “wherein the collected data comprises a list of triples of values indicating network communication between hosts, each triple comprising a time when the communication occurred, a source Internet Protocol (“IP”) address, and a destination IP address” is disclosed in ‘075 paragraph 118.
As to dependent claim 25, “wherein the collecting of the data further comprises periodically polling the host agents for the data” is taught in ‘075 paragraph 70.
As to dependent claim 26, “further comprising: using, by the computing system, a Transmission Control Protocol (“TCP”) time wait state to collect information on short duration connections” is shown in ‘075 paragraphs 150-155.
As to dependent claim 27, “further comprising: establishing, by the computing system, count weights using count information by calculating mean and variance statistics on counts” is disclosed in ‘730 paragraphs 15-18.
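As an illustration of the claimed pipeline as this action describes it (k-paths of directed edges built from (time, source IP, destination IP) triples, evaluated on a sliding window basis, with mean and variance statistics on counts and a separate treatment for low-count edges), the following Python is an added example written for this page; it is not code from the pending application, the Coffman publications, or the cited patents. The window sizes, the product-of-multiplicities path count, the pooled model for low-count paths, the z-score threshold, and all hosts and timestamps are assumptions.

```python
from collections import Counter, defaultdict
from math import sqrt
from statistics import mean, pvariance

# Constructed (time in seconds, source IP, destination IP) triples: a steady
# chain 10.0.0.1 -> 10.0.0.2 -> 10.0.0.3, an occasional 10.0.0.3 -> 10.0.0.4,
# and a burst of 10.0.0.9 -> 10.0.0.1 during the final two minutes.
TRIPLES = (
    [(t, "10.0.0.1", "10.0.0.2") for t in range(0, 600, 30)]
    + [(t, "10.0.0.2", "10.0.0.3") for t in range(5, 600, 30)]
    + [(100, "10.0.0.3", "10.0.0.4"), (400, "10.0.0.3", "10.0.0.4")]
    + [(t, "10.0.0.9", "10.0.0.1") for t in range(540, 600, 2)]
)
WINDOW, STEP = 120, 60   # assumed sliding-window width and step, in seconds
MIN_OBS = 6              # historical windows a path needs for its own model
Z_THRESHOLD = 3.0        # assumed alerting threshold on the z-score


def sliding_windows(triples, width=WINDOW, step=STEP):
    """Return [(start, Counter of (src, dst) edges)] for each sliding window."""
    t_max = max(t for t, _, _ in triples)
    out, start = [], 0
    while start + width <= t_max + step:
        edges = Counter((s, d) for t, s, d in triples if start <= t < start + width)
        out.append((start, edges))
        start += step
    return out


def enumerate_k_paths(edge_counts, k):
    """Count k-paths: k directed edges where each edge's destination is the next
    edge's source (k=2: a->b->c, k=3: a->b->c->d). Assumption: a path's count is
    the product of its edge multiplicities, i.e. the number of edge-event
    combinations that form it within the window."""
    by_src = defaultdict(list)
    for (s, d), n in edge_counts.items():
        by_src[s].append((d, n))
    paths = Counter()

    def extend(path, weight, depth):
        if depth == k:
            paths[path] += weight
            return
        for nxt, n in by_src[path[-1]]:
            extend(path + (nxt,), weight * n, depth + 1)

    for (s, d), n in edge_counts.items():
        extend((s, d), n, 1)
    return paths


def score_latest_window(triples, k):
    """Baseline each k-path on every window but the last, then z-score the last.
    Paths seen in >= MIN_OBS historical windows get an individual (mean, var);
    all other paths share one pooled (mean, var) so that low-count paths are not
    over-sensitive (a stand-in for the claimed mean-vector parameterization)."""
    per_window = [enumerate_k_paths(e, k) for _, e in sliding_windows(triples)]
    history, current = per_window[:-1], per_window[-1]
    all_paths = set().union(*(p.keys() for p in per_window))
    series = {p: [w.get(p, 0) for w in history] for p in all_paths}
    pooled = [c for s in series.values() if sum(1 for x in s if x) < MIN_OBS for c in s]
    pooled_model = (mean(pooled), pvariance(pooled)) if pooled else (0.0, 0.0)
    flagged = {}
    for p in sorted(all_paths):
        s = series[p]
        own = sum(1 for x in s if x) >= MIN_OBS
        mu, var = (mean(s), pvariance(s)) if own else pooled_model
        z = (current.get(p, 0) - mu) / sqrt(var + 1e-9)   # epsilon avoids /0
        if z > Z_THRESHOLD:
            flagged[p] = round(z, 1)
    return flagged


if __name__ == "__main__":
    for k in (2, 3):
        print(f"k={k} flagged paths:", score_latest_window(TRIPLES, k))
```

With the constructed data only the new chain through 10.0.0.9 is flagged for both k=2 and k=3; the steady chain has an individual model and the rare 10.0.0.3 -> 10.0.0.4 paths fall under the pooled one.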
11.	Claim 28 is rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Coffman U.S. Patent Application Publication No. 20070209075 (hereinafter ‘075) in view of Coffman et .
As to dependent claim 28, the following is not explicitly taught in ‘075 or ‘730: “wherein the data is collected proportionally to a level of anomalousness on a respective host, at a low level of anomalousness, as deemed by deviation from a baseline probabilistic approach, the computing system collects basic network connectivity and process information at a moderate level of anomalousness, the computing system collects more process accounting and services and more complete network behavioral and at a high level of anomalousness, the computing system collects full host behavioral information and performs full packet capture”; however, ‘492 teaches that, based on the risk determination, an amount of protection is used, such as avoiding scanning every file when the risk level is low and scanning more files in unsafe environments, in paragraph 33.
	It would have been obvious to one of ordinary skill in the art at the time of the invention of the network intrusion detection taught in ‘075 and ‘730 to include a means to collect data in proportion to the level of anomalousness.  One of ordinary skill in the art would have been motivated to perform such a modification to improve anti-malware technology so that users would not avoid anti-virus scanning; see ‘492 paragraphs 4-5.

Conclusion
12.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to ELLEN C TRAN whose telephone number is (571) 272-3842.  The examiner can normally be reached Monday through Friday, 9 AM to 6 PM.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeff Pwu, can be reached at 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ELLEN TRAN/ Primary Examiner, Art Unit 2433        28 October 2021