Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This action is responsive to the application 16/677,370 filed on November 7, 2019. Claims 1-20 are pending.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Sharifi Mehr (US 10,521,584) in view of Eder (US 2012/0158633).
Claim 1
Sharifi Mehr teaches a computer-implemented method for managing a knowledge graph, comprising: 
providing, to an agent [i.e. threat analysis service] and based on a request from the agent, an output of a number of signals having an indicated correlation in a graph [i.e. the threat analysis service acquiring (obviously providing to the threat analysis service) trigger event records which are arranged in a graph based on correlations between event records; and the correlations may be based on credentials, attributes, tags, instance identifiers or other characteristics] (Sharifi Mehr, abstract, col. 13, line 40-col. 14, line 3; col. 15, lines 9-44); 
receiving, from the agent, additional correlation information for at least a portion of the number of signals and/or additional signals [i.e. obtaining and determining additional attributes of the trigger event records] (Sharifi Mehr, col. 16, lines 5-22); and 
storing, in the graph, the additional correlation information [i.e. the additional attributes of the trigger events are contained in the graph] (Sharifi Mehr, col. 16, lines 5-22; col. 10, lines 30-43).  
Sharifi Mehr fails to teach a knowledge graph.
However, in an analogous art, Eder teaches a knowledge graph (Eder, abstract).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Sharifi Mehr to include the teachings of Eder of a knowledge graph. One of ordinary skill in the art would be motivated to provide a useful system that develops and maintains one or more contexts in a systematic fashion or a knowledge graph that supports the operation and coordination of software (Eder, 0003).


Claim 2
Sharifi Mehr in combination with Eder teach the computer-implemented method of claim 1, further comprising determining to correlate the portion of the number of signals and/or the additional signals based at least in part on the additional correlation information [i.e. determining additional attributes of the trigger event records which are arranged in the graph based on correlations/attributes] (Sharifi Mehr, abstract, col. 16, lines 5-22).   

Claim 3
Sharifi Mehr in combination with Eder teach the computer-implemented method of claim 1, further comprising providing, to a second agent [i.e. threat graph data store] and based on a second request from the second agent, a second output of at least the portion of the number of signals and/or the additional signals based on the additional correlation information [i.e. the additional attributes of the trigger events are contained in the graph is sent to the threat graph data store] (Sharifi Mehr, figure 4, col. 10, lines 30-43; col. 16, lines 5-22).  

Claim 4
Sharifi Mehr in combination with Eder teach the computer-implemented method of claim 1, further comprising: 
receiving, from the second agent, further additional correlation information for another portion of at least the portion of the number of signals, the additional signals, and/or further 
storing, in the graph, the further additional correlation information [i.e. the additional attributes of the trigger events are contained in the graph] (Sharifi Mehr, col. 16, lines 5-22; col. 10, lines 30-43); and 
the knowledge graph (Eder, abstract). Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Sharifi Mehr to include the teachings of Eder of a knowledge graph. One of ordinary skill in the art would be motivated to provide a useful system that develops and maintains one or more contexts in a systematic fashion or a knowledge graph that supports the operation and coordination of software (Eder, 0003).

Claim 5
Sharifi Mehr in combination with Eder teach the computer-implemented method of claim 1, wherein the agent includes a frequency agent that obtains the number of signals based on the indicated correlation being a number of times the number of signals are viewed within a period of time [i.e. the threat analysis service monitors and obtains the customer environment, which includes the event records, for a period of time] (Sharifi Mehr, col. 3, lines 33-50).  

Claim 6
Sharifi Mehr in combination with Eder teach the computer-implemented method of claim 1, wherein the agent includes an anomaly agent that obtains the number of signals based on the indicated correlation being an detected anomaly among the number of signals [i.e. the 

Claim 7
Sharifi Mehr in combination with Eder teach the computer-implemented method of claim 6, wherein the agent includes a causation agent that obtains the number of signals based on the indicated correlation being a pattern detected between the detected anomaly and the number of times the number of signals are viewed within the period of time [i.e. obtaining trigger events based on the indicated correlation between the records which have been monitored/collected in a period of time] (Sharifi Mehr, col. 2, lines 17-55; col. 3, lines 33-50).  

Claim 8
Sharifi Mehr in combination with Eder teach the computer-implemented method of claim 1, further comprising updating the graph based at least in part on user feedback received regarding the additional correlation information [i.e. the threat analysis service uses the resulting to detect connections between events that indicate data compromise or trigger records and provide the ongoing threat level assessment updates associated with the graph] (Sharifi Mehr, col. 3, lines 4-50); and the knowledge graph (Eder, abstract). Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Sharifi Mehr to include the teachings of Eder of a knowledge graph. One of ordinary skill in the art would be motivated to provide a useful system that develops

Claim 9
Sharifi Mehr in combination with Eder teach the computer-implemented method of claim 1, wherein the graph is a layer in a multiple-layer relational graph used to determine correlated service events, wherein the multiple-layer relational graph includes a configuration layer defining configured relationships between services or service events, an observation layer defining observed relationships between services or service events, and learned layer defining algorithmically-determined relationships between services or service events [i.e. the threat analysis server configures relationships between services or services events/records included/contained in the graph] (Sharifi Mehr, col. 3, lines 4-50; col. 10, lines 4-43); and the knowledge graph (Eder, abstract). Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Sharifi Mehr to include the teachings of Eder of a knowledge graph. One of ordinary skill in the art would be motivated to provide a useful system that develops and maintains one or more contexts in a systematic fashion or a knowledge graph that supports the operation and coordination of software (Eder, 0003).

Claims 10-18 do not teach or define any new limitation other than above claims 1-9. Therefore, claims 10-18 are rejected for similar reasons. 
Claims 19-20 do not teach or define any new limitation other than above claims 1-2. Therefore, claims 19-20 are rejected for similar reasons. 
Correspondence Information



Any inquiry concerning this communication or earlier communications from the examiner should be directed to MINH CHAU N NGUYEN whose telephone number is (571)272-4242.  The examiner can normally be reached on M-F 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, TONIA DOLLINGER can be reached on (571)272-4170.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/MINH CHAU NGUYEN/
Primary Examiner, Art Unit 2459