DETAILED ACTION

1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
 
 2.	The Office action is in response to the patent application filed on May 29, 2019.  The application contains 20 claims.  Claims 1-20 are directed to a method, a system, and a computer-readable storage media for layered analysis for network security risk detection.  Claims 1-20 are pending.

Claim Rejections - 35 USC § 102

3.	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
4.	Claims 1-2, 4-7, 9-14, and 16-19 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Shu et al. (U.S. 2020/0120118 A1), hereinafter “Shu”.
Referring to claim 1:
	 	Shu teaches:
A system, comprising: 
hardware processing circuitry (see Shu, fig. 2, 204 ‘processor unit’); and 
one or more hardware memories storing instructions that when executed configure the hardware processing circuitry to perform operations comprising (see Shu, fig. 2, 206 ‘memory’):
identifying a computing system event that meets a criterion (see fig. 3, ‘logs/events’; [0081] ‘event’); 
determining a first layer of computing resources, the first layer of computing resources including computing resources referenced during the computing system event (see Shu, fig. 7, left side, process ‘chgreg’ accessing ‘registry’, process ‘dropbear’ accessing ‘…\etc\hosts’;  [0081] ‘An event is any information/control flow that connects two or more entities. Events typically are information flows between pair of entities at specific times. Events can be captured in the form of system calls, etc.’);
determining a second layer of computing resources, the second layer including: 
           a parent process of a first layer process included in the first layer of computing resources, a file loaded by the first layer process, a process writing to a file included in the first layer of computing resources, or a previous version of a file included in the first layer of computing resources (see Shu, fig. 7, left side, process ‘chgreg’, process ‘dropbear’, ‘dropbear.exe’, process ‘firefox (browser)’;  [0061] ‘Direct and indirect inter-process activities typically include control flow, such as process spawn [i.e., a parent process and a child process ],’; fig. 7, disclosing file ‘Dropbear.exe’ is loaded [i.e., a file loaded ] by the first layer process ‘PROCESS:DROPBEAR’; [0052] ‘the application 406 execute sensitive operations, e.g., writing a file to the file system’; [0081] ‘file read [i.e., a file loaded ], process fork [i.e., a parent process and a child process ]’; [0083] ‘READ and WRITE events of a process’); 
determining pairs of computing resources in the first and second layers of computing resources (see Shu, fig. 6, item 608 indicates a first pair of computing resources comprising the first layer of computing resource [i.e., lsass.exe ], and the second layer of computing resources [i.e., rundll.exe, ‘syscall 10’ ]; item 610 indicates a second pair of computing resources comprising the first layer of computing resource [i.e., explore.exe ], and the second layer of computing resources [i.e., firefox.exe (a browser), ‘syscall 11’ ]); 
determining similarities between computing resources included in each of the pairs (see Shu, [0062] ‘In operation, a pattern matching [i.e., determining similarities ] algorithm may then return concrete activities [i.e., where concrete activities refers to the first pair and second pair of computing resources, as disclosed in fig. 6, items 608, 610 ].’); 
determining, based on the determined similarities, high similarity pairs (see Shu, fig. 6, the first pair (608) and the second pair (610) are high similarity pairs (topology matching)); 
identifying a group of related high similarity pairs (see Shu, fig. 6, the group comprises the first pair, related to item 608, and the second pair, related to item 610); and 
performing, based on the group, a mitigating action (see Shu, fig. 14, 6 ‘mitigation and resilience’).
Referring to claims 2, 10, 16:
	Shu further discloses:
	wherein the mitigating action comprises: indicating the group in an alert message; and generating an alert based on the alert message (see Shu, fig. 14, 6.2 react -> raise alert).
Referring to claims 4, 11, 17:
	Shu further discloses:
	a first memory, the operations further comprising storing, in the first memory, information including cross-host network communications associated with the computing system event, and processes initiating the cross-host network communications, and ancestor processes of the processes, wherein the first layer of computing resources is based on the information stored in the first memory, and wherein the determining of the second layer of computing resources is based on second information stored in a second memory (see Shu, [0036] ‘memory 206…hard drive, a flash memory, a rewritable optical disk…’).
Referring to claim 5:
	Shu further discloses:
           wherein the first memory is a random-access memory cache, and the second memory is a disk-based memory (see Shu, [0063] ‘stored on disk and cached in memory’).
Referring to claims 6, 12, 18:
	Shu further discloses:
           wherein the determining of the similarities comprises comparing one or more features of a pair of processes, the one or more features including one or more of a process key, a low integrity process key, a process name, a process command, a process creation time difference, a user security identifier (SID), a domain, an ancestor 
Referring to claims 7, 13, 19:
	Shu further discloses:
           wherein the determining of the similarities compares one or more features of a pair of files, the one or more features including one or more of a file key, a low integrity file key, a file hash, a file path, a file name, a file extension, a file directory, a file size, a file creation time, a most recent file access time, or a most recent file modification time (see Shu, fig. 7, left side, ‘…\etc\hosts [i.e., a file path, a file directory, a file name ]’, ‘Dropbear.exe [i.e., a file extension .exe ]’; right side, ‘3. concrete signature matching -> …\etc\hosts [i.e., where signature is a file hash ]’). 
Referring to claims 9, 14:
	 	Shu teaches:
A method, comprising: 
identifying a computing system event that meets a criterion (see fig. 3, ‘logs/events’; [0081] ‘event’); 
determining a first layer of computing resources, the first layer of computing resources including computing resources referenced during the computing system event (see Shu, fig. 7, left side, process ‘chgreg’ accessing ‘registry’, process ‘dropbear’ accessing ‘…\etc\hosts’;  [0081] ‘An event is any information/control flow that connects two or more entities. Events typically are information flows between pair of entities at specific times. Events can be captured in the form of system calls, etc.’); 
determining a second layer of computing resources, the second layer including: 
a parent process of any first layer processes included in the first layer of computing resources, a file loaded by the first layer processes, a process writing to a file included in the first layer of computing resources, or a previous version of a file included in the first layer of computing resources (see Shu, fig. 7, left side, process ‘chgreg’, process ‘dropbear’, ‘dropbear.exe’, process ‘firefox (browser)’;  [0061] ‘Direct and indirect inter-process activities typically include control flow, such as process spawn [i.e., a parent process and a child process ],’; fig. 7, disclosing file ‘Dropbear.exe’ is loaded [i.e., a file loaded ] by the first layer process ‘PROCESS:DROPBEAR’; [0052] ‘the application 406 execute sensitive operations, e.g., writing a file to the file system’; [0081] ‘file read [i.e., a file loaded ], process fork [i.e., a parent process and a child process ]’; [0083] ‘READ and WRITE events of a process’); 
determining pairs of computing resources in the first and second layers of computing resources (see Shu, fig. 6, item 608 relates to a first pair of computing resources comprising the first layer of computing resource [i.e., lsass.exe ], the second layer of computing resources [i.e., rundll.exe, ‘syscall 10’ ]; item 610 relates to a second pair of computing resources comprising the first layer of computing resource [i.e., explore.exe ], the second layer of computing resources [i.e., firefox.exe (a browser), ‘syscall 11’ ]); 
determining similarities between members of each of the pairs (see Shu, [0062] ‘In operation, a pattern matching [i.e., determining similarities ] algorithm may then return concrete activities [i.e., the first pair of computing resources, and the second pair of computing resources, as disclosed in fig. 6, 608, 610 ] on a host endpoint that match the pattern.’); 
identifying a group of related high similarity pairs (see Shu, fig. 6, the group comprises the first pair, related to item 608, and the second pair, related to item 610); and 
performing, based on the group, a mitigating action (see Shu, fig. 14, 6 ‘mitigation and resilience’). 

Claim Rejections - 35 USC § 103

5.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

6.	Claims 3, 8, 15, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Shu et al. (U.S. 2020/0120118 A1), in view of Pernicha (U.S. 2016/0191466 A1). 
Referring to claims 3, 15:
	However, Shu does not disclose modifying a firewall policy to mitigate a risk.
           Pernicha discloses modifying a firewall policy (see Pernicha, [0020] ‘modification of firewall/access control policy rules’).
	 	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Pernicha to the system of Shu so that the mitigating action modifies a firewall policy.  Shu teaches a system of which it states: “It facilitates discovery of complicated and/or long-acting cyberattacks based on direct and indirect inter-process activities, and facilitates one or more post-detection operations to address an attack.” (see Shu, [0008]).  Therefore, Pernicha’s teaching could enhance the system of Shu, because Pernicha’s modification of firewall policy rules would “allow enhanced computing performance, rule management, policy optimization, and session/network traffic packet flow management.” (see Pernicha, [0020]). 
Referring to claims 8, 20:
	Shu and Pernicha further disclose:
	determining a weight of each of the one or more features, wherein the determining of the similarities is based on the determined weights (see Pernicha, [0020] ‘weights assigned to traffic attributes (e.g., source address, destination address, service, port information’).
            It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Pernicha to the system of Shu so as to assign a weight to each feature.  Shu teaches a system of which it states: “It facilitates discovery of complicated and/or long-acting cyberattacks based on direct and indirect inter-process activities, and facilitates one or more post-detection operations to address an attack.” (see Shu, [0008]).  Therefore, Pernicha’s teaching could enhance the system of Shu, because Pernicha’s teaching of assigning a weight to each feature provides ‘a dynamic priority’ for the feature (see Pernicha, [0061]).
 
Conclusion

7.	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
(a)	Niemela; Jarno (US 20200007560 A1) discloses Method for Threat Control in a Computer Network Security System;
(b)	Aoyama; Soya (US 20180341770 A1) discloses anomaly detection method and anomaly detection apparatus;
(c)	Kraemer; Jeffrey Albin et al. (US 20170272462 A1) disclose System and Method for Process Hollowing Detection;
(d)	Mrkos; Jan et al. (US 20160352760 A1) disclose Tracking Users over Network Hosts Based on User Behavior;
(e)	Jenks; Joshua C. et al. (US 8584241 B1) disclose Computer forensic system;
(f)	Nakae, Masayuki et al. (US 20040172557 A1) disclose Attack defending system and attack defending method.

 	8.       Any inquiry concerning this communication or earlier communications from the examiner should be directed to Peiliang Pan whose telephone number is (571) 272-5987.  The examiner can normally be reached on Monday-Friday 8:00 am - 5:00 pm EST.
          If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
           Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business 



/PEILIANG PAN/
Examiner, Art Unit 2492



/ERIC W SHEPPERD/Primary Examiner, Art Unit 2492