DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to Application 16991288 filed on 08/12/2020.
Claims 1-20 have been examined and are pending in this application.  This Office Action is made Non-Final.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 08/12/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 3-5, 8 and 10-12 are rejected under 35 U.S.C. 103 as being unpatentable over PURI et al. (“PURI,” US 20170324759, published on 11/09/2017) in view of Kvasyuk et al. (“Kvasyuk,” US 20210006471, filed on 07/02/2019).


Regarding Claim 1; 

PURI discloses a computer implemented provenance-based threat detection method, comprising (abstract: a report indicative of the cyber security threat generated based on the anomaly in the representative network graph): 
building a provenance graph including a plurality of paths using a processor device from provenance data obtained from one or more computer systems and/or networks (par 0022; generate a master network graph that specifies known events and transitions between the known events. The master network graph generated by monitoring incoming trace events, and connecting probabilities of transitions between trace events based on unique identifiers that link trace events together in a master set of walks; par 0023; paths selected with respect to probabilities of occurrence of the paths in the master network graph); 
sampling the provenance graph to form a plurality of linear sample paths (par 0023; fig. 5; sampling the master network graph to generate the representative network graph that includes the reduced number of paths of the master network graph);
calculating a regularity score for each of the plurality of linear sample paths using a processor device (par 0025; a determination that the probability related to the further path and the retained predetermined number of paths meets a predetermined probability threshold (e.g., 70%, etc.)); 
selecting a subset of linear sample paths from the plurality of linear sample paths based on the regularity score (par 0025; a determination that the probability related to the further path and the retained predetermined number of paths meets a predetermined probability threshold; par 0026; randomly selecting the one of the retained predetermined number of paths from the bucket); 
detecting anomalies in the embedded paths to identify malicious process activities (par 0027; determining, based on the comparison of the incoming log file data related to the source to the representative network graph, an anomaly in the representative network graph; par 0028; based on the monitoring, a report indicative of the cyber security threat based on the anomaly in the representative network graph); and 
terminating a process related to the embedded path having the identified malicious process activities (par 0028: a report indicative of the cyber security threat; par 0029; based on the anomaly in the representative network graph by disconnecting the source from a network associated with the source).  
PURI discloses all the limitations as recited above, but does not explicitly disclose embedding each of the subset of linear sample paths by converting each of the subset of linear sample paths into a numerical vector using a processor device. 
However, in an analogous art, Kvasyuk discloses a network traffic system/method that includes:
embedding each of the subset of linear sample paths by converting each of the subset of linear sample paths into a numerical vector using a processor device (Kvasyuk: par 0163; the device transforms the trails into sequences of terms by using a dictionary lexicon to represent each flow in a trail as a code. In turn, the device converts the codes in each trail into a vector representation and applies clustering to the vector representations of the trails).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Kvasyuk with the method/system of PURI to include embedding each of the subset of linear sample paths by converting each of the subset of linear sample paths into a numerical vector using a processor device. One would have been motivated to (Kvasyuk: par 0142).
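The pipeline mapped onto claim 1 above (provenance graph, linear path sampling, regularity score, subset selection, embedding, anomaly detection, response) is easier to follow as working code. The following example is added for illustration only; it is not code from PURI, Kvasyuk, or the present application. It assumes constructed process-to-process and process-to-file events in place of kernel-collected provenance data, a log-probability random walk score as the regularity score, a plain bag-of-nodes vector as a stand-in for a learned embedding such as doc2vec, nearest-neighbor distance to benign embeddings as a stand-in for a trained anomaly model, and a returned list of process names in place of an actual termination action.

```python
import math
import random
from collections import Counter, defaultdict

# Constructed benign provenance events (parent process -> child process or file),
# standing in for data a kernel hook would collect. Not taken from any real host.
BENIGN_EVENTS = [
    ("init", "sshd"), ("sshd", "bash"), ("bash", "ls"), ("bash", "cat"),
    ("sshd", "bash"), ("bash", "ls"), ("bash", "vim"), ("vim", "file:notes.txt"),
    ("init", "cron"), ("cron", "backup.sh"), ("backup.sh", "tar"),
    ("tar", "file:backup.tgz"),
]
# Constructed monitored events: the benign set plus an unfamiliar download-and-chmod chain.
MONITORED_EVENTS = BENIGN_EVENTS + [
    ("bash", "curl"), ("curl", "file:/tmp/unknown.bin"),
    ("bash", "chmod"), ("chmod", "file:/tmp/unknown.bin"),
]
ROOTS = ["init"]
UNSEEN_LOG_PROB = math.log(1e-6)  # floor for transitions never seen during training


def build_graph(events):
    """Provenance graph as adjacency lists; repeated edges are kept so they weight the walks."""
    adj = defaultdict(list)
    for src, dst in events:
        adj[src].append(dst)
    return adj


def transition_probs(adj):
    """P(dst | src) estimated from edge counts of the benign graph."""
    return {src: {d: n / len(dsts) for d, n in Counter(dsts).items()}
            for src, dsts in adj.items()}


def sample_paths(adj, roots, n_samples, max_len, seed=0):
    """Random walks from the roots give linear sample paths instead of enumerating every path."""
    rng = random.Random(seed)
    paths = []
    for _ in range(n_samples):
        node = rng.choice(roots)
        path = [node]
        while node in adj and len(path) < max_len:
            node = rng.choice(adj[node])
            path.append(node)
        paths.append(tuple(path))
    return paths


def regularity(path, probs):
    """Log-probability of the path under the benign transition model (higher = more regular)."""
    score = 0.0
    for a, b in zip(path, path[1:]):
        p = probs.get(a, {}).get(b)
        score += math.log(p) if p else UNSEEN_LOG_PROB
    return score


def select_rare(paths, probs, threshold):
    """Keep only low-regularity paths; this is what keeps the later stages tractable."""
    return sorted({p for p in paths if regularity(p, probs) < threshold})


def embed(path, vocab):
    """Bag-of-nodes vector over the training vocabulary; unknown nodes share the last slot.
    A deliberately simple stand-in for a learned embedding (assumption, not the claimed method)."""
    vec = [0] * (len(vocab) + 1)
    for node in path:
        vec[vocab.get(node, len(vocab))] += 1
    return vec


def nearest_distance(vec, reference):
    return min(math.dist(vec, r) for r in reference)


def train(benign_events, n_samples=300, max_len=5):
    """Benign-only training: transition model, vocabulary, and reference embeddings."""
    adj = build_graph(benign_events)
    probs = transition_probs(adj)
    nodes = sorted(set(adj) | {d for dsts in adj.values() for d in dsts})
    vocab = {n: i for i, n in enumerate(nodes)}
    reference = {tuple(embed(p, vocab)) for p in sample_paths(adj, ROOTS, n_samples, max_len)}
    return probs, vocab, [list(v) for v in reference]


def detect(monitored_events, model, n_samples=300, max_len=5, rare_threshold=-10.0, max_dist=0.5):
    """Returns (flagged paths, process names a responder would terminate)."""
    probs, vocab, reference = model
    adj = build_graph(monitored_events)
    paths = sample_paths(adj, ROOTS, n_samples, max_len, seed=1)
    flagged = [p for p in select_rare(paths, probs, rare_threshold)
               if nearest_distance(embed(p, vocab), reference) > max_dist]
    # Response step: name the unfamiliar processes on flagged paths (file nodes are objects).
    to_terminate = {n for p in flagged for n in p if n not in vocab and not n.startswith("file:")}
    return flagged, to_terminate


if __name__ == "__main__":
    model = train(BENIGN_EVENTS)
    flagged, to_terminate = detect(MONITORED_EVENTS, model)
    for p in flagged:
        print(" -> ".join(p))
    print("terminate:", sorted(to_terminate))
```

Because the regularity threshold is set well below the worst benign walk (four transitions of probability 0.25 each score about -5.5, while one unseen transition scores about -13.8), only walks that cross an edge absent from the benign graph reach the embedding and detection stages, which is the dependency-explosion relief the claim attributes to subset selection.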
	
Regarding Claim 3; 
PURI in combination with Kvasyuk discloses the method as recited in claim 1.
PURI further discloses wherein selecting a subset of linear sample paths addresses a dependency explosion problem (PURI: par 0056; decomposing the master network graph to generate a representative network graph that includes a reduced number of paths of the master network graph, where the reduced number of paths may be selected with respect to probabilities of occurrence of the paths in the master network graph).

Regarding Claim 4; 
PURI in combination with Kvasyuk discloses the method as recited in claim 1.
PURI further discloses wherein anomalies in the embedded paths are detected using an anomaly detection model that is configured to identify malicious activity (PURI: par 0028; an anomaly indicator generates, based on the monitoring, a report indicative of the cyber security threat based on the anomaly in the representative network graph).  


Regarding Claim 5; 

PURI further discloses wherein the anomaly detection model is trained using a benign training data set (PURI: par 0028; an anomaly indicator generates, based on the monitoring; par 0052; security monitoring inflight for compound/complex behavior sequences, advertising monitoring for adaptive systems and for determining when a model needs to be relearned for a dynamic or evolving data set, etc.).   

Regarding Claim 8;
This Claim recites a non-transitory computer readable storage medium that performs the same steps as the method of Claim 1 and has limitations similar to those of Claim 1; it is thus rejected with the same rationale applied against claim 1.  

Regarding Claim 10;
This Claim recites a non-transitory computer readable storage medium that performs the same steps as the method of Claim 3 and has limitations similar to those of Claim 3; it is thus rejected with the same rationale applied against claim 3.  




Regarding Claim 11;
This Claim recites a non-transitory computer readable storage medium that performs the same steps as the method of Claim 4 and has limitations similar to those of Claim 4; it is thus rejected with the same rationale applied against claim 4.  

Regarding Claim 12;
This Claim recites a non-transitory computer readable storage medium that performs the same steps as the method of Claim 5 and has limitations similar to those of Claim 5; it is thus rejected with the same rationale applied against claim 5.  

Claims 2, 9 and 15-19 are rejected under 35 U.S.C. 103 as being unpatentable over PURI et al. (US 20170324759) in view of Kvasyuk et al. (US 20210006471) and further in view of Edwards et al. (“Edwards,” US 20210004458, filed on 07/05/2019).

Regarding Claim 2;
PURI in combination with Kvasyuk discloses the method as recited in claim 1.
PURI in combination with Kvasyuk discloses all the limitations as recited above, but does not explicitly disclose wherein the provenance graph is built by collecting the provenance data using hook functions.  
However, in an analogous art, Edwards discloses a process-tree-based malware system/method that includes:
 (Edwards: par 0120; the security agent inserts hooks. The hooks may be used to help a mapping module to build a process tree or process graph of the relationships between the original process and other processes on the operating system).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Edwards with the method/system of PURI and Kvasyuk to include embedding each of the subset of linear sample paths by converting each of the subset of linear sample paths into a numerical vector using a processor device. One would have been motivated to construct a genealogical process tree of the malicious process [] and terminate the malicious process and at least some related processes in the genealogical process tree (Edwards: abstract).

Regarding Claim 9;
This Claim recites a non-transitory computer readable storage medium that performs the same steps as the method of Claim 2 and has limitations similar to those of Claim 2; it is thus rejected with the same rationale applied against claim 2.  

Regarding Claim 15; 
PURI discloses a system for provenance-based threat detection, comprising (abstract: a report indicative of the cyber security threat generated based on the anomaly in the representative network graph):  
(par 0079; fig. 10; the computer system execute, by a processor, the methods, functions and other processes described herein. These methods, functions and other processes may be embodied as machine readable instructions stored on a computer readable medium, which may be non-transitory, such as hardware storage devices (e.g., RAM (random access memory), ROM (read only memory)); 
wherein the provenance-based threat detection tool is configured to: 
build a provenance graph including a plurality of paths using the one or more processor devices from provenance data obtained from the computer systems and/or a network (par 0022; generate a master network graph that specifies known events and transitions between the known events. The master network graph generated by monitoring incoming trace events, and connecting probabilities of transitions between trace events based on unique identifiers that link trace events together in a master set of walks; par 0023; paths may be selected with respect to probabilities of occurrence of the paths in the master network graph); 
sample the provenance graph to form a plurality of linear sample paths (par 0023; fig. 5; sampling the master network graph to generate the representative network graph that includes the reduced number of paths of the master network graph);
calculate a regularity score for each of the plurality of linear sample paths using the one or more processor devices (par 0025; a determination that the probability related to the further path and the retained predetermined number of paths meets a predetermined probability threshold (e.g., 70%, etc.)); 
select a subset of linear sample paths from the plurality of linear sample paths based on the regularity score (par 0025; a determination that the probability related to the further path and the retained predetermined number of paths meets a predetermined probability threshold; par 0026; randomly selecting the one of the retained predetermined number of paths from the bucket); 
detect anomalies in the embedded paths to identify malicious process activities (par 0027; determining, based on the comparison of the incoming log file data related to the source to the representative network graph, an anomaly in the representative network graph; par 0028; based on the monitoring, a report indicative of the cyber security threat based on the anomaly in the representative network graph); and 
terminate a process related to the embedded path having the identified malicious process activities (par 0028: a report indicative of the cyber security threat; par 0029; based on the anomaly in the representative network graph by disconnecting the source from a network associated with the source).  
PURI discloses all the limitations as recited above, but does not explicitly disclose one or more processor devices and an operating system having a kernel, wherein one or more hook functions operating in the kernel are configured to collect provenance data; a database configured to store the provenance data collected by the one or more hook functions.

one or more processor devices and an operating system having a kernel (Edwards: par 0021; if a process is identified as being malicious [] then ultimately this would lead to terminating the operating system kernel itself), wherein one or more hook functions operating in the kernel are configured to collect provenance data (Edwards: par 0120; the hooks used to help a mapping module to build a process tree or process graph of the relationships between the original process and other processes on the operating system); a database configured to store the provenance data collected by the one or more hook functions (Edwards: par 0048; monitoring these processes (e.g., via hooks) is expensive in terms of memory and/or compute resources; par 0120; the hooks used to help a mapping module to build a process tree or process graph of the relationships between the original process and other processes on the operating system). 
 Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Edwards with the method/system of PURI to include one or more processor devices and an operating system having a kernel, wherein one or more hook functions operating in the kernel are configured to collect provenance data; a database configured to store the provenance data collected by the one or more hook functions. One would have been motivated to construct a genealogical process tree of the malicious process [] and terminate the malicious process and at least some related processes in the genealogical process tree (Edwards: abstract).

However, in an analogous art, Kvasyuk discloses a network traffic system/method that includes:
embed each of the subset of linear sample paths by converting each of the subset of linear sample paths into a numerical vector using the one or more processor devices (Kvasyuk: par 0163; the device transforms the trails into sequences of terms by using a dictionary lexicon to represent each flow in a trail as a code. In turn, the device converts the codes in each trail into a vector representation and applies clustering to the vector representations of the trails).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Kvasyuk with the method/system of PURI and Edwards to include embedding each of the subset of linear sample paths by converting each of the subset of linear sample paths into a numerical vector using the one or more processor devices. One would have been motivated to generate a graph for a given endpoint device that defines the boundaries of traffic. This can be particularly useful to identify the potential spread of malware (Kvasyuk: par 0142).


 
Regarding Claim 16;


Regarding Claim 17;
This Claim recites a system that performs the same steps as the method of Claim 3 and has limitations similar to those of Claim 3; it is thus rejected with the same rationale applied against claim 3.  
Regarding Claim 18;
This Claim recites a system that performs the same steps as the method of Claim 4 and has limitations similar to those of Claim 4; it is thus rejected with the same rationale applied against claim 4.  

Regarding Claim 19;
This Claim recites a system that performs the same steps as the method of Claim 5 and has limitations similar to those of Claim 5; it is thus rejected with the same rationale applied against claim 5.  




Claims 6 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over PURI et al. (US 20170324759) in view of Kvasyuk et al. (US 20210006471) and further in view of KRAUS et al. (“KRAUS,” US 20200285737, filed on 03/05/2019).

Regarding Claim 6; 

PURI in combination with Kvasyuk discloses all the limitations as recited above, but does not explicitly disclose wherein embedding each of the plurality of paths is done using graph2vec or doc2vec.  
However, in an analogous art, KRAUS discloses a sequence anomaly detection system/method that includes:
wherein embedding each of the plurality of paths is done using graph2vec or doc2vec (KRAUS: par 0290; the anomaly detection approach embeds the output sequences into a vector space [] use the doc2vec algorithm for the embedding).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of KRAUS with the method/system of PURI and Kvasyuk to include wherein embedding each of the plurality of paths is done using graph2vec or doc2vec. One would have been motivated to detect by approximating user sessions with heuristically extracted event sequences, allowing behavior analysis even without user identification or session identifiers (KRAUS: abstract).
Regarding Claim 13;
This Claim recites a non-transitory computer readable storage medium that performs the same steps as the method of Claim 6 and has limitations similar to those of Claim 6; it is thus rejected with the same rationale applied against claim 6.  

Claims 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over PURI et al. (US 20170324759) in view of Kvasyuk et al. (US 20210006471) and further in view of Lee et al. (“Lee,” US 11091020, filed on 02/01/2019).

Regarding Claim 7; 
PURI in combination with Kvasyuk discloses the method as recited in claim 5.
PURI in combination with Kvasyuk discloses all the limitations as recited above, but does not explicitly disclose wherein the anomaly detection model is selected from the group consisting of one-class support vector machine (OC-SVM) and Local Outlier Factor (LOF).  
However, in an analogous art, Lee discloses a machine learning system/method that includes:
wherein the anomaly detection model is selected from the group consisting of one-class support vector machine (OC-SVM) and Local Outlier Factor (LOF) (Lee; Col 24, lines 32-39; machine learning earnings model may be constructed using a supervised or unsupervised machine learning algorithm such as a vector machine, neural network algorithm, decision trees, and the like. A machine learning earnings model may be constructed using one or more of a One-Class Support Vector Machine (SVM) and a Local Outlier Factor (LOF)).  
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of (Lee: Col 2, lines 20-23).

Regarding Claim 14;
This Claim recites a non-transitory computer readable storage medium that performs the same steps as the method of Claim 7 and has limitations similar to those of Claim 7; it is thus rejected with the same rationale applied against claim 7.  

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over PURI et al. (US 20170324759) in view of Kvasyuk et al. (US 20210006471) and Edwards et al. (US 20210004458) and further in view of Lee et al. (US 11091020).

Regarding Claim 20; 
PURI in combination with Kvasyuk and Edwards discloses the system as recited in claim 15. 
PURI in combination with Kvasyuk and Edwards disclose all the limitations as recited above, but do not explicitly disclose wherein the anomaly detection 
However, in an analogous art, Lee discloses a machine learning system/method that includes:
wherein the anomaly detection model is selected from the group consisting of one-class support vector machine (OC-SVM) and Local Outlier Factor (LOF) (Lee; Col 24, lines 32-39; machine learning earnings model may be constructed using a supervised or unsupervised machine learning algorithm such as a vector machine, neural network algorithm, decision trees, and the like. A machine learning earnings model may be constructed using one or more of a One-Class Support Vector Machine (SVM) and a Local Outlier Factor (LOF)).  
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Lee with the method/system of PURI, Kvasyuk and Edwards to include wherein the anomaly detection model is selected from the group consisting of one-class support vector machine (OC-SVM) and Local Outlier Factor (LOF). One would have been motivated to combine a first output from a support vector machine learning model and a second output from a local outlier factor calculation to produce a combined output for identifying anomalous time data (Lee: Col 2, lines 20-23).
  
Conclusion


Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571)270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  


For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/C.W./Examiner, Art Unit 2439     


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439