Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim status: claims 1-20 are pending in this Office Action.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
	
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under pre-AIA 35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1, 3-4, 6-12, 14-15, 17, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Yadav (US20160359695), in view of Brezinski (US9225730).
Regarding claim 1:
Yadav teaches A computer-implemented method to detect anomalous connections between nodes of a multi-node computer network, the method comprising: 
obtaining information representative of a defined network topology type for a first computer network (Yadav, fig. 5, step 70 [0073] receives network traffic data collected from a plurality of sensors. [0025] Fig. 1 … connect nodes over dedicated private communication links. [0054] the network devices and topology shown in FIG. 1 … leaf-spine architecture. [0023-26] The spine nodes … leaf nodes … connect geographically … according to predefined protocols), the first computer network including a plurality of sets of multiple interconnected nodes (see fig. 1), each instance of the multiple interconnected nodes in a first set having at least one connection with at least one other instance of another node in the first set of the plurality of sets (Yadav, fig. 1 [0027] One or more of the endpoints may have instantiated thereon one or more virtual switches (not shown) for communication with one or more virtual machines 18); 
obtaining information representative of communication connections between each instance of the multiple interconnected nodes in the first set ([0031] components to obtain network traffic data from packets transmitted from and received at the network components … The term `component` … virtual machine, switch, router, gateway, etc) ; 
the graph representation having a graph-node instance for each instance of the multiple interconnected nodes in the first set (Fig. 1 [0076] The collected data may comprise … graphs, or any other representation. [0027] Virtual switches and virtual machines 18 may be created and run on each physical server on top of a hypervisor 19 (of end point 16) … one or more of the other endpoints having virtual machines 18 installed thereon may also comprise a hypervisor); 
automatically assigning a role to each graph-node, the role assigned based on expected roles for the defined network topology type and the at least one connection ([0019] network behavior … use of machine learning algorithms to detect suspicious activity … activity that does not conform to this expected behavior may be flagged as suspicious … based on dynamic modeling of network behavior. [0042] the sensors 26 may preprocess network traffic data before sending it to the collectors 32 … flagged abnormal activity … the collectors 32 … flag anomalous data. [0043] Information collected at the collectors 32 may include, for example, network information … VM ID. Note: using software algorithms to flag abnormal is automatically assigning a role; flagged anomalous data (VM ID) is assigning a role to each graph-node)
analyzing the assigned role for each graph-node to identify instances of anomalous connections with respect to the defined network topology for the first set of multiple interconnected nodes, wherein anomalous connections represent improper or missing connections (Fig. 5, 74. [0073] Anomalies within the network are identified based on dynamic modeling of network behavior (step 74). [0042] identify traffic flows and connection links, or flag anomalous data)
Yadav does not explicitly disclose creating a graph representation of a connection topology for the first set.
Brezinski teaches creating a graph representation of a connection topology for the first set (Col 2 lines 31-37 “The collected event data may be analyzed to generate a graph that interrelates or correlates a plurality of events. A graph is a representation of a plurality of objects … objects as a vertex (e.g., a node) … between objects as an edge (e.g., link).” Col 2 lines 65-67 “an event may include a risk metric indicating a level of security risk associated with the event”)
It would have been obvious to a person of ordinary skill in the art at the time the invention was made before the effective filing date of the claimed invention to take the teachings of Brezinski and apply them on the teachings of Yadav to further implement creating a graph representation of a connection topology for the first set.  One would be motivated to do so in order to provide an improved system and method that generates a graph that interrelates or correlates a plurality of events. A graph is a representation of a plurality of objects as a vertex (e.g., a node), between objects as an edge (e.g., link) (Brezinski, Col 2 lines 31-37).
Regarding claim 3:
The computer-implemented method of claim 1, wherein the defined network topology type is a leaf-spine network topology type (Yadav [0025] Fig. 1 … connect nodes over dedicated private communication links. [0054] the network devices and topology shown in FIG. 1 … leaf-spine architecture) and 
the role assigned to each graph-node is either a leaf node role or a spine node role (Yadav see fig. 1 for leaf/spine node [0042] the sensors 26 may preprocess network traffic data … flagged abnormal activity … the collectors 32 … flag anomalous data. [0043] Information collected at the collectors 32 may include, for example, network information … VM ID (see VM on leaf nodes 16)).
Regarding claim 4:
The computer-implemented method of claim 1, wherein the graph representation is a mathematical representation (Yadav, [0079] anomaly detection may be based on the cumulative probability of time series binned multivariate feature density estimates (step 88). [0080] Rareness (e.g., anomalous) may then be calculated based on cumulative probability of regions with equal or smaller density (step 90))
Regarding claim 6:
The computer-implemented method of claim 1, wherein obtaining information representative of communication connections comprises discovering, using a network discovery device, active communication connections between the multiple interconnected nodes (Yadav, [0017] to identify suspicious network activity potentially indicative of malicious behavior. [0081] All of identifying suspicious activity in network data).
Regarding claim 7:
The computer-implemented method of claim 6, further comprising initiating an event to a real-time network monitoring system, the event indicating an identified instance of an anomalous connection (Yadav, [0053] discover applications or select machines on which to discover applications, and then run application dependency algorithms … visualize and evaluate the data, and publish policies for simulation … real time compliance monitored).
Regarding claim 8:
The computer-implemented method of claim 7, wherein the real-time network monitoring system comprises an enterprise management system providing information for system administration of the first computer network (Yadav, [0053] the analytics module 30 may also discover applications or select machines on which to discover applications, and then run application dependency algorithms … visualize and evaluate the data, and publish policies for simulation … The policies may then be published to a policy controller and real time compliance monitored … real time compliance reports may be generated. These may be used to select application dependency targets and side information).
Regarding claim 9:
The computer-implemented method of claim 8, wherein the enterprise management system further provides information for system administration of at least a second computer network, the second computer network having a different network topology than the first computer network (Yadav, [0053] the analytics module 30 may also discover applications or select machines on which to discover applications, and then run application dependency algorithms … visualize and evaluate the data, and publish policies for simulation … The policies may then be published to a policy controller and real time compliance monitored … real time compliance reports may be generated. These may be used to select application dependency targets (e.g., select machines above) and side information. [0052] The analytics module 30 may establish patterns and norms for component behavior … VMs (See VMs 18 on endpoints). Note: Physical machines and VMs are different network topologies)
Regarding claim 10:
The computer-implemented method of claim 1, wherein obtaining information representative of communication connections comprises obtaining information from a stored set of attributes for off-line analysis of communication connections for the first computer network (Yadav, [0035] analyze the traffic … label (for anomalies) the process and user information and send it to the collector 32. [0041] collectors 32 for storage [0079] Anomalies may be identified … based on historical frequencies of the discretized feature combinations. [0081] New observations with a historically rare (e.g., anomalies) combination of features may be labeled as anomalies. off-line analysis. See spec [0022] an off-line network analysis … analysis for historical errors)
Regarding claim 11:
The computer-implemented method of claim 10, wherein the off-line analysis of communications for the first computer network is performed using a computer system remote from the first computer network (Yadav, [0046] the analytics module 30 may be implemented in an active-standby. See fig. 1, in which analytics module 30 is remote)
Regarding claim 12:
[Rejection rationale for claim 1 is applicable].

Regarding claim 14:
[Rejection rationale for claim 3 is applicable].

Regarding claim 15:
[Rejection rationale for claim 4 is applicable].

Regarding claim 17:
[Rejection rationale for claim 1 is applicable].

Regarding claim 19:
[Rejection rationale for claim 3 is applicable].

Regarding claim 20:
[Rejection rationale for claim 4 is applicable].

Claims 2, 5, 13, 16, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Yadav (US20160359695), in view of Brezinski (US9225730), further in view of Chase (US20130074024).
Regarding claim 2:
Yadav-Brezinski teaches The computer-implemented method of claim 1, wherein the analyzing includes analysis based on bipartite graph (Yadav, see fig. 1 bipartite graph. [0023-26] The spine nodes … leaf nodes … connect geographically. [0073] Anomalies within the network are identified based on dynamic modeling of network behavior (step 74). [0042] identify traffic flows and connection links, or flag anomalous data) and 
Yadav-Brezinski does not explicitly disclose bi-colorable graph techniques.
Chase teaches bi-colorable graph techniques (Chase, [0238] As each island is added to a tree it is colored oppositely of the color of the island to which it will be connected in the tree … the island (node). [0026] The coloring violations preferably are reported to a user in the form of visual indications of the cycles among the inter-island multi-patterning candidate spacing violations. [0275] the graph of islands interconnected by multi-patterning candidate spacing violations)
Yadav-Brezinski to further implement bi-colorable graph techniques.  One would be motivated to do so in order to provide an improved system and method in which, as each island is added to a tree, it is colored oppositely of the color of the island to which it will be connected in the tree (Chase, [0238]).
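The role assignment and bipartite (bi-colorable) analysis recited in claims 1 to 3 can be illustrated as follows. This is an added example, not code from the application, Yadav, Brezinski or Chase; the device names, the `seed_spine` input (one device already known to be a spine) and the expectation that every leaf uplinks to every spine are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample fabric (not from the cited references): 2 spines, 4 leaves.
LINKS = [
    ("spine1", "leaf1"), ("spine1", "leaf2"), ("spine1", "leaf3"),
    ("spine2", "leaf1"), ("spine2", "leaf2"), ("spine2", "leaf3"),
    ("spine2", "leaf4"),   # leaf4 has no uplink to spine1 (missing connection)
    ("leaf1", "leaf2"),    # leaf-to-leaf cable (improper connection)
]

def build_graph(links):
    """Undirected adjacency sets: one graph-node per device, one edge per link."""
    adj = defaultdict(set)
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    return adj

def assign_roles(adj, seed_spine):
    """Two-colour by BFS depth parity from a known spine (assumed input):
    even depth -> spine, odd depth -> leaf."""
    depth = {seed_spine: 0}
    queue = deque([seed_spine])
    while queue:
        node = queue.popleft()
        for peer in sorted(adj[node]):
            if peer not in depth:
                depth[peer] = depth[node] + 1
                queue.append(peer)
    return {n: "spine" if d % 2 == 0 else "leaf" for n, d in depth.items()}

def find_anomalies(links, seed_spine):
    """Return (roles, improper, missing, unreached) for a leaf-spine fabric."""
    adj = build_graph(links)
    roles = assign_roles(adj, seed_spine)
    # Improper: an edge joining two nodes of the same role breaks bipartiteness.
    improper = sorted({tuple(sorted((a, b))) for a, b in links
                       if a in roles and roles[a] == roles.get(b)})
    # Missing: assumed full mesh, so every leaf should uplink to every spine.
    spines = sorted(n for n, r in roles.items() if r == "spine")
    leaves = sorted(n for n, r in roles.items() if r == "leaf")
    missing = [(l, s) for l in leaves for s in spines if s not in adj[l]]
    # Devices never reached from the seed get no role and need manual review.
    unreached = sorted(set(adj) - set(roles))
    return roles, improper, missing, unreached
```

Because roles come from depth parity relative to one seed, an improper link that touches the seed itself (a spine-to-spine cable) shifts the parity of the devices behind it; the flagged edges then indicate that an odd cycle exists rather than pinpointing the exact cable.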
Regarding claim 5:
Yadav-Brezinski teaches The computer-implemented method of claim 1, further comprising:
Yadav-Brezinski does not explicitly disclose displaying the graph representation as a visual representation on a display device
Chase teaches displaying the graph representation as a visual representation on a display device (Chase, [0026] The coloring violations preferably are reported to a user in the form of visual indications of the cycles among the inter-island multi-patterning candidate spacing violations. [0275] the graph of islands interconnected by multi-patterning candidate spacing violations)
the visual representation having a color for each graph-node in accordance with the role assigned to graph-node (Chase, [0026] The coloring violations preferably are reported to a user in the form of visual indications of the cycles among the inter-island multi-patterning candidate spacing violations. [0238] each island is added to a tree it is colored oppositely of the color of the island to which it will be connected in the tree … the color of the island (node))
It would have been obvious to a person of ordinary skill in the art at the time the invention was made before the effective filing date of the claimed invention to take the teachings of Chase and apply them on the teachings of Yadav-Brezinski to further implement displaying the graph representation as a visual representation on a display device and the visual representation having a color for each graph-node in accordance with the role assigned to graph-node.  One would be motivated to do so in order to provide an improved system and method in which the coloring violations preferably are reported to a user in the form of visual indications of the cycles among the inter-island multi-patterning candidate spacing violations (Chase, [0026]).

Regarding claim 13:
[Rejection rationale for claim 2 is applicable].

Regarding claim 16:
[Rejection rationale for claim 5 is applicable].

Regarding claim 18:
[Rejection rationale for claim 2 is applicable].

Conclusion

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SRIVASTAVA VIVEK can be reached on 571-272-7304.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HIEN V DOAN/Examiner, Art Unit 2449                     

/NORMIN ABEDIN/Primary Examiner, Art Unit 2449