DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:

(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “hardware processor configured to access/generate/build/identify/mitigate” in claim 20.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-18 of U.S. Patent No. 10,958,667. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application are directed towards related subject from the patented ‘667 claims in that the claims of the ‘667 patent contain all of the limitations of the instant application. The ‘667 patented claims are directed towards various statutory classes not claimed in the same order as the instant application. It would have been .

17/027,411
1. A non-transitory computer-readable medium whose contents, when executed by a hardware processor, cause the hardware processor to perform a method for mitigating attacks on a computing system, the method comprising: generating a node graph for a threat artifact received by the computing system, wherein the node graph includes a plurality of nodes representing attributes derived from the threat artifact, and edges that each represent a relationship between two of the nodes, wherein the attributes describe the threat artifact, and wherein at least one of the nodes is assigned a predicted maliciousness value based on known maliciousness values of multiple other of the plurality of nodes of the node graph; and performing an action based on an analysis of the 


1. A system, comprising:
a memory;
a hardware processor coupled to the memory and configured to:
access multiple threat artifacts associated with a network of computing resources;
generate a single node graph for each of the multiple threat artifacts;
derive an intermediate node based on two of the multiple threat artifacts;
build a composite node graph for the network of computing resources that represents a current threat status of the network of computing resources, wherein the composite node graph includes the single node graphs and the intermediate node, and wherein the intermediate node connects the single node 
identify one or more attacks to the network of computing resources based on an analysis of the composite node graph; and
perform an action to mitigate the identified one or more attacks to the network of computing resources.
2. The system of claim 1, wherein the hardware processor is further configured to access data from one or more data sources external to the network of computing resources and augment the composite node graph with one or more additional nodes that represent data from the one or more data sources that is related to information associated with one or more nodes of the composite node graph.
3. The system of claim 1, wherein the hardware processor is further configured to:
generate a user interface configured to display a graphical representation of the composite node graph; and

wherein the presented artifact information includes information identifying relationships between the artifact and one or more other artifacts of the network of computing resources.
4. The system of claim 1, wherein the hardware processor is further configured to:
generate a user interface configured to display a graphical representation of the composite node graph; and
present artifact information associated with one or more nodes displayed by the graphical representation of the composite node graph,
wherein the presented artifact information includes information identifying relationships between indicators associated with the artifact and one or more other artifacts of the network of computing resources.
5. The system of claim 1, wherein the hardware processor is further configured to access information provided by detection tools 
6. The system of claim 1, wherein each of the single node graphs include nodes that represent indicators for the artifact and edges that represent relationships between the indicators of the artifact.
7. The system of claim 1, wherein the hardware processor is further configured to analyze clusters of nodes in an attack vector of the composite node graph, identify major classes of attack vectors within the composite node graph, or determine distances between nodes associated with malicious entities within the composite node graph.
8. The system of claim 1, wherein the hardware processor is further configured to perform an action to dynamically adjust or modify operation of security devices of the network of network resources.
9. The system of claim 1, wherein the one or more attacks are identified by an attack determination module and wherein the hardware processor is further configured to perform an 
10. A method, comprising:
accessing multiple threat artifacts associated with a network of computing resources;
generating a single node graph for each of the multiple threat artifacts;
derive an intermediate node based on two of the multiple threat artifacts;
building a composite node graph for the network of computing resources that represents a current threat status of the network of computing resources, wherein the composite node graph includes the single node graphs and the intermediate node, and wherein the intermediate node connects the single node graphs corresponding to the two of the multiple threat artifacts;
identifying one or more attacks to the network of computing resources based on an analysis of the composite node graph; and

11. The method of claim 10, further comprising:
generating a user interface configured to display a graphical representation of the composite node graph; and
presenting artifact information associated with one or more nodes displayed by the graphical representation of the composite node graph,
wherein the presented artifact information includes information identifying relationships between the artifact and one or more other artifacts of the network of computing resources.
12. The method of claim 10, further comprising:
generating a user interface configured to display a graphical representation of the composite node graph; and
presenting artifact information associated with one or more nodes displayed by the graphical representation of the composite node graph,
wherein the presented artifact information includes information identifying relationships between indicators associated with the artifact 
13. The method of claim 10, further comprising accessing phishing emails received by the network of computing resources.
14. The method of claim 10, wherein each of the single node graphs include nodes that represent indicators for the artifact and edges that represent relationships between the indicators of the artifact.
15. The method of claim 10, wherein performing an action to mitigate the identified one or more attacks to the network of computing resources includes dynamically adjusting or modifying operation of security devices of the network of network resources.
16. The method of claim 10, wherein performing an action to mitigate the identified one or more attacks to the network of computing resources includes modifying operation of the network of computing resources to prevent future attacks.
17. A non-transitory computer-readable medium whose contents, when executed by a hardware processor of a computing system, cause the 
generating a single node graph for each of multiple threat artifacts received by the computing system,
wherein the single node graphs include nodes representing indicators derived from the multiple threat artifacts and edges that represent relationships between indicators;
deriving an intermediate node based on two of the multiple threat artifacts;
combining the single node graphs and the intermediate node into a composite node graph, wherein the intermediate node connects the single node graphs corresponding to the two of the multiple threat artifacts; and
performing an action based on an analysis of the composite node graph to dynamically adjust security operations of the computing system.
18. The non-transitory computer-readable medium of claim 17, wherein the single node graphs include nodes having weights associated .



Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 10,785,239. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application are anticipated by the ‘239 patented claims in that the claims of the ‘239 patent contain all of the limitations of the instant application. Claims 1-20 of the instant application are not patentably distinct from the earlier filed patented claims, and as such, are unpatentable for obvious-type double patenting.

17/027,411
1. A non-transitory computer-readable medium whose contents, when executed by a hardware processor, cause the hardware processor to perform a method for mitigating attacks on a computing system, the method comprising: generating a node graph for a threat artifact 


1.  A non-transitory computer-readable medium whose contents, when executed 
by a hardware processor, cause the hardware processor to perform a method for 
mitigating attacks on a computing system, the method comprising: generating a 

node graph includes a plurality of nodes including a first node representing 
the threat artifact and second nodes representing attributes derived from the 
threat artifact, and edges that each represent a relationship between two of 
the nodes, wherein the attributes describe the threat artifact, and wherein one 
of the second nodes representing the attributes is assigned a predicted 
maliciousness value based on known maliciousness values of multiple other of 
the plurality of nodes of the node graph;  and performing an action based on an 
analysis of the node graph to dynamically adjust security operations of the 
computing system. 
 
    2.  The non-transitory computer-readable medium of claim 1, wherein the 
method further comprises: combining the generated node graph with another node 

one or more intermediate nodes that join unique instances of attributes derived 
from different artifacts received by the computing system. 
 
    3.  The non-transitory computer-readable medium of claim 1, wherein the 
node graph includes nodes having weights associated with corresponding 
determined maliciousness values assigned to the attributes represented by the 
nodes, and wherein the predicted maliciousness value for the one of the second 
nodes is based on the weights assigned to the attributes represented by the 
multiple other of the plurality of nodes of the node graph. 
 
    4.  The non-transitory computer-readable medium of claim 1, wherein 
assigning the predicted maliciousness value based on the known maliciousness 

one of the second nodes includes using relational learning to determine a 
predicted maliciousness factor for the at least one of the second nodes. 
 
    5.  The non-transitory computer-readable medium of claim 1, wherein 
assigning the predicted maliciousness value based on the known maliciousness 
values of the multiple other of the plurality of nodes of the node graph to the 
one of the second nodes includes assigning the predicted maliciousness value 
based on topological features and known attributes of neighboring nodes to the 
at least one of the second nodes. 
 
    6.  The non-transitory computer-readable medium of claim 1, wherein 
assigning the predicted maliciousness value based on the known maliciousness 

one of the second nodes includes: learning latent relationship, node, and 
attribute embeddings for the one of the second nodes by utilizing a latent 
feature model based on tensor factorization;  and approximating unknown 
attributes associated with the one of the second nodes based on the latent 
feature model. 
 
    7.  The non-transitory computer-readable medium of claim 1, wherein the 
threat artifact includes a phishing email. 
 
    8.  The non-transitory computer-readable medium of claim 1, wherein 
generating the node graph for the threat artifact received by the computing 
system includes generating the node graph for a received phishing email that 
includes: (1) a node that represents an email, (2) a node that represents a 

email, and (4) a node that represents an attachment to the email. 
 
    9.  The non-transitory computer-readable medium of claim 1, wherein the 
method further comprises: accessing data from one or more data sources external 
to the computing system and augmenting the node graph with one or more 
additional nodes that represent data from the one or more data sources that is 
related to information associated with one or more nodes of the node graph. 
 
    10.  The non-transitory computer-readable medium of claim 1, wherein 
performing the action based on the analysis of the node graph to dynamically 
adjust security operations of the computing system includes performing an 
action to dynamically adjust or modify operation of security devices of the 

 
    11.  A method for mitigating attacks to a computing system, the method 
comprising: generating a node graph for a threat artifact received by the 
computing system, wherein the node graph includes a plurality of nodes 
including a first node representing the threat artifact and second nodes 
representing attributes derived from the threat artifact, and edges that each 
represent a relationship between two of the nodes, wherein the attributes 
describe the threat artifact, and wherein one of the second nodes representing 
the attributes is assigned a predicted maliciousness value based on known 
maliciousness values of multiple other of the plurality of nodes of the node 
graph;  and performing an action based on an analysis of the node graph to 
dynamically adjust security operations of the computing system. 

    12.  The method of claim 11, further comprising: combining the generated 
node graph with another node graph into a composite node graph, wherein the 
composite node graph includes one or more intermediate nodes that join unique 
instances of attributes derived from different artifacts received by the 
computing system. 
 
    13.  The method of claim 11, wherein the node graph includes nodes having 
weights associated with corresponding determined maliciousness values assigned 
to the attributes represented by the nodes, and wherein the predicted 
maliciousness value for the one of the second nodes is based on the weights 
assigned to the attributes represented by the multiple other of the plurality 
of nodes of the node graph. 
 

value based on the known maliciousness values of the multiple other of the 
plurality of nodes of the node graph to the one of the second nodes includes 
using relational learning to determine a predicted maliciousness factor for the 
at least one of the second nodes. 
 
    15.  The method of claim 11, wherein assigning the predicted maliciousness 
value based on the known maliciousness values of the multiple other of the 
plurality of nodes of the node graph to the one of the second nodes includes 
assigning the predicted maliciousness value based on topological features and 
known attributes of neighboring nodes to the at least one of the second nodes. 
 
    16.  The method of claim 11, wherein assigning the predicted maliciousness 

plurality of nodes of the node graph to the one of the second nodes includes: 
learning latent relationship, node, and attribute embeddings for the one of the 
second nodes by utilizing a latent feature model based on tensor factorization;  
and approximating unknown attributes associated with the one of the second 
nodes based on the latent feature model. 
 
    17.  The method of claim 11, wherein the threat artifact includes a 
phishing email. 
 
    18.  The method of claim 11, wherein generating the node graph for the 
threat artifact received by the computing system includes generating the node 
graph for a received phishing email that includes: (1) a node that represents 
an email, (2) a node that represents a human sender of the email, (3) a node 

an attachment to the email. 
 
    19.  The method of claim 11, further comprising: accessing data from one or 
more data sources external to the computing system and augmenting the node 
graph with one or more additional nodes that represent data from the one or 
more data sources that is related to information associated with one or more 
nodes of the node graph. 
 
    20.  A system, comprising: a memory;  and a hardware processor coupled to 
the memory and configured to: access multiple threat artifacts associated with 
a network of computing resources;  generate a single node graph for each of the 
multiple threat artifacts, wherein the single node graph for each of the 
multiple threat artifacts includes a plurality of nodes including a first node 

attributes derived from the corresponding threat artifact, wherein the 
attributes describe the corresponding threat artifact, and wherein one of the 
second nodes is assigned a predicted maliciousness value based on known 
maliciousness values of multiple neighboring nodes of the single node graph;  
and build a composite node graph for the network of computing resources that 
represents a current threat status of the network of computing resources;  
identify one or more attacks to the network of computing resources based on an 
analysis of the composite node graph;  and mitigate the identified one or more 
attacks to the network of computing resources. 




Allowable Subject Matter
Claims 1-20 are allowed; however, the claims are currently rejected under obvious-type double patenting, requiring the filing of terminal disclaimers.
The following is a statement of reasons for the indication of allowable subject matter:

As per claim 1, it was not found to be taught in the prior art of mitigating attacks on a computing system, comprising: generating a node graph for a threat artifact received by a computing system, wherein the node graph includes a plurality of nodes representing attributes derived from the threat artifact, and edges that each represent a relationship between two of the nodes, wherein the attributes describe the threat artifact, and wherein at least one of the nodes is assigned a predicted maliciousness value based on known maliciousness values of multiple other of the plurality of nodes of the node graph; and performing an action based on an analysis of the node graph to dynamically adjust security operations of the computing system.
Independent claims 11 and 20 are similar in scope to independent claim 1, and are allowable for similar reasons.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Badaway et al, US 2020/0169565 is relied upon for disclosing a graph representing identities or artifacts. Edges of the graphs join nodes and can be associated with similarity of weight representing a degree of similarity between identities, see paragraph 0010.
Stockdale et al, US 2020/0244673 is relied upon for disclosing a graph detection module for collecting device states. An edge of the graph represents a connection between devices, whereby the graph describes the edges, see paragraph 0047.
Kursun et al, US 2020/0169483 is relied upon for disclosing anomaly data that includes characteristics of graphs of nodes and edges, see paragraph 0070.
Muddu et al, US 2017/0063910 is relied upon for disclosing graphs that include edges representing a plurality of computer network activities of particular categories, see paragraph 0426.
Kursun et al, U.S. Patent 11,102,092 is relied upon for disclosing anomaly data that includes characteristic data of graphs of nodes and edges, see column 12, line 65 through column 13, line 3.
Murphey et al, U.S. Patent 10,771,486 is relied upon for disclosing a graph representing event states, whereby the graph includes nodes and edges, see column 39, lines 33-40.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER A REVAK whose telephone number is (571)272-3794. The examiner can normally be reached 5:30am - 3:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LYNN FEILD can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/CHRISTOPHER A REVAK/Primary Examiner, Art Unit 2431