DETAILED ACTION
This office action is in response to applicant’s amendment filed on 12/09/2021.  Claims 1, 3, 8, 10, 15, and 17 have been amended.  Claims 1-21 are pending and are directed towards apparatus, method, and computer product for Iterative Constraint Solving in Abstract Graph Matching for Cyber Incident Reasoning.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
1.	Applicant’s arguments filed 12/09/2021 have been fully considered.
A) Applicant’s arguments, with respect to the 103 rejection of claim 1, that Coffman does not teach “derive a graph of constraint relations in the graph pattern” (page 9-10 of the present response) have been fully considered but they are not persuasive.
	Regarding A) Coffman teaches derive a graph of constraint relations in the graph pattern (Fig. 5B and para 75, line 3-12; initiates pattern matching algorithms for threat patterns in the form of detecting subgraph isomorphism in the graph and Fig. 5B shows the shaded subgraph with interrelations based on the 
B) Applicant’s arguments, with respect to the 103 rejection of claim 1, that Coffman does not teach “iteratively solving constraints in the graph pattern” (page 9-10 of the present response) have been fully considered but they are not persuasive.
	Regarding B) the present disclosure on page 4, line 3-6 defines constraints as “an element relation defining how one element relates to another element in the graph pattern” which corresponds to the interrelations of the threat pattern in Coffman.  In Coffman, the pattern matching algorithms for threat patterns in the form of detecting subgraph isomorphism in the graph 555 in the Coffman prior art corresponds to the iteratively solving constraints in the graph pattern in the claim.  Specifically, pattern matching algorithms for threat patterns in graph 555 in Coffman corresponds to the solving constraints in the graph pattern in the 
C) Applicant’s arguments, with respect to the newly amended limitation of claim 1, that Coffman and Maruhashi do not teach "responsive to a query, finding one or more subgraphs of the activity graph that satisfy the graph pattern by iteratively solving constraints in the graph pattern one at a time, wherein after at least one iteration that solves a constraint is completed and before a next constraint is solved, a result is propagated using a graph traversal of the graph of 
	Regarding C) Coffman teaches responsive to a query, finding one or more subgraphs of the activity graph that satisfy the graph pattern by iteratively solving constraints in the graph pattern one at a time, wherein after at least one iteration that solves a constraint is completed and before a next constraint is solved, a result is propagated using a graph traversal of the graph of constraint relations (Fig. 5B and para 75, line 1-12 and para 127, line 1-11 and para 139, line 1-21; detection manager 356 queries pattern library 358 and initiates pattern matching algorithms for threat patterns in the form of detecting subgraph isomorphism in the graph 555 and Fig. 5B shows the shaded subgraphs with interrelations matching the threat pattern 550 where the merging of each partial matches with the pattern continues after the initial partial matching is performed until the entire threat pattern is matched).  Specifically, Coffman describes the initial partial matches match one node from the input threat pattern to one node in the pattern graph and the algorithm then iteratively merges partial matches with each other until the best matches are found (see cited para 139). 
D) Applicant’s arguments, with respect to the 103 rejection of claims 3, 10, and 17 that Coffman does not teach “iteratively solving constraints” and 
	Regarding D) the present disclosure on page 4, line 14-17 defines propagation as “the propagating operation evaluates whether a previously-satisfied constraint remains valid and, if not, an associated subgraph of the activity graph represented by the previously-satisfied constraint is discarded”.  In Coffman, the algorithm iteratively merges partial matches if all the nodes they match are connected by an edge in the pattern graph 550 where the edge represents relationship where partial matches may be removed (see para 20 and para 139 in the Coffman prior art).  Therefore, the iteratively merging partial matches if all the nodes they match are connected by an edge in the pattern graph 550 in Coffman prior art corresponds to the iteratively solving constraints in the claim.  In addition, merging of partial matches continues until the entire threat pattern is matched in Coffman prior art corresponds to propagating the result to connected constraints in the claim because partial matches containing nodes and their relationship are being merged until the entire pattern is matched according to the pattern matching algorithm (see Fig. 5B, para 77 and para 139 in the Coffman prior art).  

	Regarding E) the present disclosure on page 4, line 14-17 defines propagation as “the propagating operation evaluates whether a previously-satisfied constraint remains valid and, if not, an associated subgraph of the activity graph represented by the previously-satisfied constraint is discarded”.  In Coffman, the algorithm iteratively merges partial matches if all the nodes they match are connected by an edge in the pattern graph 550 where the edge represents relationship where partial matches may be removed (see para 20 and para 139 in the Coffman prior art).  In addition, merging of partial matches continues until the entire threat pattern is matched in Coffman prior art corresponds to propagating the result to connected constraints in the claim because partial matches containing nodes and their relationship are being merged until the entire pattern is matched according to the pattern matching algorithm (see Fig. 5B, para 77 and para 139 in the Coffman prior art).
F) Applicant’s arguments, with respect to the 103 rejection of claims 5, 12, and 19 that Coffman does not teach “all propagation of results from evaluating of 
	Regarding F) as mentioned above, the present disclosure on page 4, line 14-17 defines propagation as “the propagating operation evaluates whether a previously-satisfied constraint remains valid and, if not, an associated subgraph of the activity graph represented by the previously-satisfied constraint is discarded”.  In addition, the present disclosure on page 24, line 19-20 defines single element constraints as (e.g., properties/classes/concepts of a vertex/edge in a pattern graph PG). In Coffman, the iteratively merging partial matches if all the nodes they match are connected by an edge or relationship in the pattern graph 550 until the entire pattern is matched in Coffman prior art corresponds to all propagation of results from evaluating of the single element constraints in the claim.  Specifically, the iterative merging process combine all the partial matches with an edge to create the match for the entire threat pattern (see Fig. 5B, para 77 and para 139 in the Coffman prior art).  Then if any of the complete matches are sufficiently similar to the threat pattern and removes partial matches of low quality and pass the match quality threshold, the algorithm records these matches and provides them to the analyst to examine (see para 139 in Coffman 
Claim Objections
2.	Claim 17 is objected to because of the following informalities:  
A.	Claim 17, line 2, has a typo where the old dependency on claim 16 is removed but no new dependency is recited.  The examiner interprets this claim as being dependent on claim 15 based on similar claim amendments for claims 3 and 10.
Appropriate correction is required.
Claim Rejections - 35 USC § 103
3.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the 
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
4.	Claims 1-21 are rejected under 35 U.S.C. 103 as being unpatentable over Coffman (US Pub. 2007/0209074) filed on Mar. 4, 2006 in view of Maruhashi (US Pub. 2017/0154445) filed on Nov. 21, 2016.
Regarding claim 1, Coffman teaches a method for storage-efficient graph pattern matching (para 12, line 1-10; enhanced graph matching system on a control server), comprising: 
providing a graph pattern that comprises a set of elements with constraints and connections among them (Fig. 5B and para 127, line 1-5; threat pattern 550 is modeled as graph comprising a set of entities and interrelations between those entities);  
5deriving a graph of constraint relations in the graph pattern (Fig. 5B and para 75, line 3-12; initiates pattern matching algorithms for threat patterns in the form of detecting subgraph isomorphism in the graph and Fig. 5B shows the shaded subgraph with interrelations based on the threat pattern);
Coffman does not teach as a supplemental data structure distinct from the graph pattern
Maruhashi teaches as a supplemental data structure distinct from the graph pattern (Fig. 5 and para 75, line 1-17; finds a reference pattern graph 51 from graph indicating fraudulent events, which is used to evaluate a graph as to whether it contains subgraphs that matches the reference pattern 51)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Coffman 
Coffman teaches providing an activity graph representing activity data captured in association with one of: a process, a host machine, and a network of machines (Fig. 5B and para 77, line 3-8; an activity graph 555 is generated utilizing data related to the network nodes (remote hosts and local hosts devices) and activity occurring at/between each host device detected across the network); and 
responsive to a query, finding one or more subgraphs of the activity graph that satisfy the graph pattern by iteratively solving constraints in the graph pattern one at a time, wherein after at least one iteration that solves a constraint is completed and before a next constraint is solved, a result is propagated using a graph traversal of the graph of constraint relations (Fig. 5B and para 75, line 1-12 and para 127, line 1-11 and para 139, line 1-21; detection manager 356 queries pattern library 358 and initiates pattern matching algorithms for threat patterns in the form of detecting subgraph isomorphism in the graph 555 and Fig. 5B shows the shaded subgraphs with interrelations matching the threat pattern 550 
Regarding claim 2, Coffman and Maruhashi teach method of claim 1.
	Coffman teaches a constraint is one of: a single element defining an attribute of a node or edge in the graph pattern, and an element relation defining how one element relates to another element in the graph pattern (Fig. 5B and para 127, line 1-5; threat pattern 550 is modeled as graph comprising a set of entities and interrelations between those entities).
	 Regarding claim 3, Coffman and Maruhashi teach method of claim 1.
	Coffman teaches iteratively solving constraints comprises satisfying a latest-solved constraint in the graph pattern to generate the result, and propagating the result to connected constraints in the graph of constraint relations (para 139, line 1-22; the initial partial matches match one node from the input threat pattern to one node in the pattern graph, the algorithm then iteratively merges partial matches with each other, and builds up a list of partial matches and combining them with other partial matches until a match for the entire threat pattern is found).
Regarding claim 4, Coffman and Maruhashi teach method of claim 3.

Regarding claim 5, Coffman and Maruhashi teach method of claim 4.
	Coffman teaches outputting the one or more subgraphs after all single element constraints have been evaluated, and all propagation of results from evaluation of the single element constraints have been performed (para 74, line 18-21 and para 139, line 1-22; the process of merging continues until the entire threat pattern is matched and, at this point, if any of the complete matches are sufficiently similar to the threat pattern and pass the match quality threshold, the algorithm records these matches and provides them to the analyst to examine).
	Regarding claim 6, Coffman and Maruhashi teach method of claim 1.

	Regarding claim 7, Coffman and Maruhashi teach method of claim 6.
	Coffman teaches performing a post-detection operation to address the cyber incident (para 75, line 9-16; detection manager generates lists of threats (alerts) in the activity graph and this information is transmitted to activity archive for storage).
Regarding claim 8, Coffman teaches an apparatus for storage-efficient graph pattern matching (para 12, line 1-10; enhanced graph matching system on a control server), comprising: 
a processor (para 68, line 3-6; CPU 210); 
computer memory holding computer program instructions executed by the processor, the computer program instructions configured to (para 68, line 3-6; software code stored within memory 220 and executed by CPU 210):  
5provide a graph pattern that comprises a set of elements with constraints and connections among them (Fig. 5B and para 127, line 1-5; threat pattern 550 is modeled as graph comprising a set of entities and interrelations between those entities); 
5derive a graph of constraint relations in the graph pattern (Fig. 5B and para 75, line 3-12; initiates pattern matching algorithms for threat patterns in the form of detecting subgraph isomorphism in the graph and Fig. 5B shows the shaded subgraph with interrelations based on the threat pattern);
Coffman does not teach as a supplemental data structure distinct from the graph pattern
Maruhashi teaches as a supplemental data structure distinct from the graph pattern (Fig. 5 and para 75, line 1-17; finds a reference pattern graph 51 from graph indicating fraudulent events, which is used to evaluate a graph as to whether it contains subgraphs that matches the reference pattern 51)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Coffman to incorporate the teachings of Maruhashi to provide finding a reference pattern graph from graph indicating fraudulent events.  Doing so would allow for searching for subgraphs for the purpose of fraud detection, as recognized by Maruhashi. 
Coffman teaches provide an activity graph representing activity data captured in association with one of: a process, a host machine, and a network of machines (Fig. 5B and para 77, line 3-8; an activity graph 555 is generated utilizing 
10 responsive to a query, finding one or more subgraphs of the activity graph that satisfy the graph pattern by iteratively solving constraints in the graph pattern one at a time, wherein after at least one iteration that solves a constraint is completed and before a next constraint is solved, a result is propagated using a graph traversal of the graph of constraint relations (Fig. 5B and para 75, line 1-12 and para 127, line 1-11 and para 139, line 1-21; detection manager 356 queries pattern library 358 and initiates pattern matching algorithms for threat patterns in the form of detecting subgraph isomorphism in the graph 555 and Fig. 5B shows the shaded subgraphs with interrelations matching the threat pattern 550 where the merging of each partial matches with the pattern continues after the initial partial matching is performed until the entire threat pattern is matched).
Regarding claim 9, Coffman and Maruhashi teach apparatus of claim 8.
	Coffman teaches a constraint is one of: a single element defining an attribute of a node or edge in the graph pattern, and an element relation 15defining how one element relates to another element in the graph pattern (Fig. 5B and 
Regarding claim 10, Coffman and Maruhashi teach apparatus of claim 8.
	Coffman teaches iteratively solve constraints comprise computer program instructions configured to satisfy a latest-solved constraint in the graph pattern to generate the 20result, and further configured to propagate the result to connected constraints in the graph of constraint relations (para 139, line 1-22; the initial partial matches match one node from the input threat pattern to one node in the pattern graph, the algorithm then iteratively merges partial matches with each other, and builds up a list of partial matches and combining them with other partial matches until a match for the entire threat pattern is found).
Regarding claim 11, Coffman and Maruhashi teach apparatus of claim 10.
	Coffman teaches propagate the result to connected constraints evaluate whether a previously-satisfied constraint remains valid and, when the previously-satisfied constraint is no longer valid, are further configured to remove a subgraph of the activity graph represented 5by the previously-satisfied constraint (para 139, line 1-22; any two partial matches that differ by exactly one node may be combined if all the nodes are connected by an edge in the pattern graph and the new partial matches may be removed if they cannot pass the quality 
Regarding claim 12, Coffman and Maruhashi teach apparatus of claim 11.
	Coffman teaches output the one or more subgraphs after all single element constraints have been evaluated, and all propagation of results from evaluation of the 10single element constraints have been performed (para 74, line 18-21 and para 139, line 1-22; the process of merging continues until the entire threat pattern is matched and, at this point, if any of the complete matches are sufficiently similar to the threat pattern and pass the match quality threshold, the algorithm records these matches and provides them to the analyst to examine).
Regarding claim 13, Coffman and Maruhashi teach apparatus of claim 8.
	Coffman teaches the one or more subgraphs of the activity graph represent a cyber incident (Fig. 5B and para 127, line 1-11; detect 2 matches of possible threat to the system comprising interrelations between entities).
Regarding claim 14, Coffman and Maruhashi teach apparatus of claim 13.
Coffman teaches performing a post-detection operation to address the cyber incident (para 75, line 9-16; detection manager generates lists of threats (alerts) in the activity graph and this information is transmitted to activity archive for storage).
Regarding claim 15, Coffman teaches a computer program product in a non-transitory computer readable medium for use in a data processing system for storage-efficient graph pattern matching, the computer program product holding computer program instructions that, when executed by the data processing system (para 12, line 1-10 and para 68, line 3-6; software code stored within memory 220 and executed by CPU 210 to provide enhanced graph matching system on a control server), are configured to:  
5provide a graph pattern that comprises a set of elements with constraints and connections among them (Fig. 5B and para 127, line 1-5; threat pattern 550 is modeled as graph comprising a set of entities and interrelations between those entities); 
5deriving a graph of constraint relations in the graph pattern (Fig. 5B and para 75, line 3-12; initiates pattern matching algorithms for threat patterns in the form of detecting subgraph isomorphism in the graph and Fig. 5B shows the shaded subgraph with interrelations based on the threat pattern);
Coffman does not teach as a supplemental data structure distinct from the graph pattern
Maruhashi teaches as a supplemental data structure distinct from the graph pattern (Fig. 5 and para 75, line 1-17; finds a reference pattern graph 51 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Coffman to incorporate the teachings of Maruhashi to provide finding a reference pattern graph from graph indicating fraudulent events.  Doing so would allow for searching for subgraphs for the purpose of fraud detection, as recognized by Maruhashi. 
Coffman teaches provide an activity graph representing activity data captured in association with one of: a process, a host machine, and a network of machines (Fig. 5B and para 77, line 3-8; an activity graph 555 is generated utilizing data related to the network nodes (remote hosts and local hosts devices) and activity occurring at/between each host device detected across the network); and  
10 	responsive to a query, finding one or more subgraphs of the activity graph that satisfy the graph pattern by iteratively solving constraints in the graph pattern one at a time, wherein after at least one iteration that solves a constraint is completed and before a next constraint is solved, a result is propagated using a graph traversal of the graph of constraint relations (Fig. 5B and para 75, line 1-12 
Regarding claim 16, Coffman and Maruhashi teach computer product of claim 15.
Coffman teaches a constraint is one of: a single element defining an attribute of a node or edge in the graph pattern, and an element relation defining how one element relates to another element in the graph pattern (Fig. 5B and para 127, line 1-5; threat pattern 550 is modeled as graph comprising a set of entities and interrelations between those entities).
Regarding claim 17, Coffman and Maruhashi teach computer product of claim 16; however, the examiner interprets this as a typo and should be interpreted as being dependent on claim 15.
	Coffman teaches iteratively solve constraints comprise computer program instructions configured to satisfy a latest-solved constraint in the graph pattern to generate the 20result, and further configured to propagate the result to connected 
Regarding claim 18, Coffman and Maruhashi teach computer product of claim 17.
	Coffman teaches propagating the result to 20connected constraints evaluates whether a previously-satisfied constraint remains valid and, when the previously-satisfied constraint is no longer valid, removes a subgraph of the activity graph represented by the previously-satisfied constraint (para 139, line 1-22; any two partial matches that differ by exactly one node may be combined if all the nodes are connected by an edge in the pattern graph and the new partial matches may be removed if they cannot pass the quality threshold match and the process of merging continues until the entire threat pattern is matched).
Regarding claim 19, Coffman and Maruhashi teach computer product of claim 18.
	Coffman teaches output the one or more subgraphs after all single element constraints have been evaluated, and all propagation of results from evaluation of 
Regarding claim 20, Coffman and Maruhashi teach computer product of claim 15.
	Coffman teaches the one or more subgraphs of the activity graph represent a cyber incident (Fig. 5B and para 127, line 1-11; detect 2 matches of possible threat to the system comprising interrelations between entities).
Regarding claim 21, Coffman and Maruhashi teach computer product of claim 20.
	Coffman teaches perform a post-detection operation to address the cyber incident (para 75, line 9-16; detection manager generates lists of threats (alerts) in the activity graph and this information is transmitted to activity archive for storage).
Conclusion
5.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following are relevant prior arts:  Apostolopoulos (US .
6.	THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be 
7.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to NHAN H NGUYEN whose telephone number is (571)272-6443.  The examiner can normally be reached on Monday-Friday 8:30am - 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on 571-272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private 






/NHAN HUU NGUYEN/Examiner, Art Unit 2492


/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492