Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This communication is in response to the response filed on 01/13/22.

Examiner’s Amendment
An Examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicants, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this Examiner’s amendment was given in a discussion with Douglas Swartz on 01/26/22.

The application has been amended as follows:

	1. (Currently Amended) A non-transitory machine-readable storage medium storing instructions that upon execution cause a system to: 
electronically collect event data, wherein the collected event data is in a form of at least one of electronic network event data, electronic host event data, and electronic application event data from at least one of a plurality of entities in a computing environment; 
construct, based on the collected event data representing a plurality of events in the computing environment, a representation of the plurality of events, the representation including links relating the plurality of events, 

compute issue indications corresponding to potential issues in the computing environment; 
add information based on the issue indications to the representation to form an enriched representation; 
search the enriched representation to find a chain of events representing an issue in the computing environment, wherein each event of the plurality of events represents an activity of the at least one of the plurality of entities; and 
electronically perform a countermeasure to resolve the issue represented by the chain of events in the computer environment, and 
wherein the issue indications comprise threat scores derived based on anomaly scores based on features of the collected event data, each threat score of the threat scores representing a likelihood of a threat in the computing environment.

2. (Canceled)

3. (Previously Presented) The non-transitory machine-readable storage medium of claim 1, wherein the graphical representation comprises a graph of nodes that represent respective events of the plurality of events, and wherein the information based on the issue indications are added to the graph of nodes.

represent a likelihood of an anomaly in the computing environment.

5. (Canceled)  

6. (Previously Presented) The non-transitory machine-readable storage medium of claim 1, wherein add the information based on the issue indications to the representation to form the enriched representation comprises: 
associate the information based on the issue indications with nodes in the representation, the nodes representing respective events of the plurality of events.

7. (Currently Amended) The non-transitory machine-readable storage medium of claim 1, wherein search the enriched representation to find the chain of events representing the issue comprises: 
identify a node, in the enriched representation, that represents an event associated with an issue indication that indicates likely presence of a potential issue; and 
identify a path from the identified node to other nodes in the enriched representation, the other nodes in the enriched representation representing events having a specified relationship with the event represented by the identified node, 
wherein the chain of events includes the events represented by the nodes connected by the identified path.

8. (Previously Presented) The non-transitory machine-readable storage medium of claim 7, wherein the specified relationship comprises a temporal relationship.  

9. (Previously Presented) The non-transitory machine-readable storage medium of claim 7, wherein the instructions upon execution cause the system to: 
compute an aggregate issue indication for the identified path based on aggregating issue indications associated with the events represented by the nodes connected by the identified path; and 
identify the events connected by the identified path as being part of the chain of events in response to the aggregate issue indication.  

10. (Original) The non-transitory machine-readable storage medium of claim 9, wherein the aggregate issue indication is further based on penalizing a value of the aggregate issue indication for a length of the identified path.  

11. (Original) The non-transitory machine-readable storage medium of claim 7, wherein the instructions that upon execution cause the system to: 
compare a collection of the events connected by the identified path to a library including template chains of events representing respective issues; and 
identify the collection of the events connected by the identified path as the chain of events representing the issue in response to a match between the collection of the events and a chain of events in the library.  

12. (Original) The non-transitory machine-readable storage medium of claim 11, wherein the instructions that upon execution cause the system to: 
compute an aggregate issue indication for the chain of events representing the issue based on issue indications associated with the events represented by the nodes connected by the identified path, and a similarity indication indicating a similarity between the collection of the events connected by the identified path and a matching template chain of events in the library.  

13. (Currently Amended) A system, comprising: a processor; and a non-transitory storage medium comprising instructions executable on the processor to: 
electronically collect event data, wherein the collected event data is in a form of at least one of electronic network event data, electronic host event data, and electronic application event data from at least one of a plurality of entities in a computing environment; 
construct, based on the collected event data representing a plurality of events in the computing environment, a representation of the plurality of events, the representation including links relating the plurality of events, 
wherein the representation includes a graphical representation of the plurality of events and the links include temporal links including sequential directional edges relating the plurality of events; 
compute scores corresponding to potential issues in the computing environment; 
add information based on the scores to the representation to form an enriched representation; 
search the enriched representation to find a chain of events representing an issue in the computing environment, 
wherein each event of the plurality of events represents an activity of the at least one of the plurality of entities; and 
electronically perform a countermeasure to resolve the issue represented by the chain of events in the computer environment, 
wherein the search of the enriched representation to find the chain of events representing the issue comprises: 
identify a node, in the enriched representation, that represents an event associated with a score that exceeds a threshold; and 
identify a path from the identified node to other nodes in the enriched representation, the other nodes in the enriched representation representing events having a specified relationship with the event represented by the identified node, 
wherein the chain of events includes the events represented by the nodes connected by the identified path.  

14. (Currently Amended) The system of claim 13, wherein the scores comprise anomaly scores, and wherein the instructions are executable on the processor to: 
extract features from the collected event data; and 
compute the anomaly scores for the features.  

15. (Original) The system of claim 13, wherein the scores comprise threat scores representing threats in the computing environment.  

16. (Currently Amended) The system of claim 13, wherein add the information based on the scores to the representation to form the enriched representation comprises: 
associate the information based on the scores with nodes in the representation, the nodes in the representation representing 

17. (Canceled)

18. (Previously Presented) The system of claim 13, wherein the instructions are executable on the processor to: 
compute an aggregate score for the identified path based on aggregating scores associated with the events represented by the nodes connected by the identified path; and 
identify the events connected by the identified path as being part of the chain of events in response to the aggregate score.  

19. (Currently Amended) A method performed by a system comprising a hardware processor, comprising: 
electronically collecting event data, wherein the collected event data is in a form of at least one of electronic network event data, electronic host event data, and electronic application event data from at least one of a plurality of entities in a computing environment; 
constructing, based on the collected event data representing a plurality of events in the computing environment, a graph including nodes representing events of the plurality of events and temporal links including sequential directional edges relating the plurality of events; 
computing issue indications corresponding to potential issues in the computing environment; 
adding information based on the issue indications to the graph to form an enriched graph; 
searching the enriched graph to find a chain of events representing an issue in the computing environment; and 
electronically performing a countermeasure to resolve the issue represented by the chain of events in the computing environment, 
wherein each event of the plurality of events represents an activity of the at least one of the plurality of entities, 
wherein the searching of the enriched graph to find the chain of events representing the issue comprises: 
identify a node, in the enriched graph, that represents an event associated with a score that exceeds a threshold; and 
identify a path from the identified node to other nodes in the enriched graph, the other nodes representing events having a specified relationship with the event represented by the identified node, 
wherein the chain of events includes the events represented by the nodes connected by the identified path.  

20. (Original) The method of claim 19, wherein computing the issue indications comprises computing anomaly scores of anomalies, and/or computing threat scores of threats based on the anomalies.  

21. (Previously Presented) The method of claim 19, wherein adding information based on the issue indications to the graph to form an enriched graph including associating the information based on the issue indications with nodes in the graph.
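The pipeline recited across claims 1, 7, 9-12, 13 and 19 (collect network, host and application events; build a graph whose links are sequential directional temporal edges; compute anomaly scores from event features and derive threat scores; attach the scores to the nodes; seed the search at a node whose score exceeds a threshold; follow a path to temporally related nodes; aggregate the scores along the path with a penalty for path length; compare the collection of events to a library of template chains using a similarity indication; then perform a countermeasure) as an added worked example in Python. This is not code from the application, the applicant or the examiner. The sample events, the median-baseline anomaly scoring, the threat-score squashing, the time-gap rule for following edges, the LCS-based similarity, the contents of the template library and the quarantine countermeasure are all assumptions chosen for illustration.

```python
import statistics
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


# Constructed sample event data (illustrative, not taken from the patent record):
# network, host and application events collected from two entities.
@dataclass
class Event:
    event_id: str
    entity: str
    kind: str                 # "network", "host" or "application"
    timestamp: int            # seconds; only ordering and gaps matter here
    features: Dict[str, float] = field(default_factory=dict)


SAMPLE_EVENTS = [
    Event("e1", "host-a", "network", 100, {"bytes_out": 1.0, "auth_fails": 0.0}),
    Event("e2", "host-a", "host", 105, {"bytes_out": 0.0, "auth_fails": 6.0}),
    Event("e3", "host-a", "application", 110, {"bytes_out": 0.0, "auth_fails": 7.0}),
    Event("e4", "host-a", "network", 130, {"bytes_out": 9.0, "auth_fails": 0.0}),
    Event("e5", "host-b", "network", 120, {"bytes_out": 1.0, "auth_fails": 0.0}),
]

# Assumed template library: each template is a sequence of event kinds that
# characterises a known issue (the library in the claims is not specified).
TEMPLATE_LIBRARY = {
    "repeated-auth-failures-then-large-transfer": ("host", "application", "network"),
}


def build_graph(events: List[Event]) -> Tuple[Dict[str, Event], Dict[str, List[str]]]:
    """Nodes are events; a sequential directional (temporal) edge links each
    event of an entity to that entity's next event in time."""
    nodes = {e.event_id: e for e in events}
    successors: Dict[str, List[str]] = {e.event_id: [] for e in events}
    by_entity: Dict[str, List[Event]] = {}
    for e in events:
        by_entity.setdefault(e.entity, []).append(e)
    for seq in by_entity.values():
        seq.sort(key=lambda ev: ev.timestamp)
        for prev, nxt in zip(seq, seq[1:]):
            successors[prev.event_id].append(nxt.event_id)
    return nodes, successors


def compute_threat_scores(events: List[Event]) -> Dict[str, float]:
    """Anomaly score = total positive deviation of an event's features from a
    per-feature median baseline (assumed); the threat score squashes it into [0, 1)."""
    names = sorted({f for e in events for f in e.features})
    baseline = {f: statistics.median(e.features.get(f, 0.0) for e in events) for f in names}
    scores: Dict[str, float] = {}
    for e in events:
        anomaly = sum(max(0.0, e.features.get(f, 0.0) - baseline[f]) for f in names)
        scores[e.event_id] = anomaly / (1.0 + anomaly)
    return scores


def temporal_path(start: str, nodes: Dict[str, Event],
                  successors: Dict[str, List[str]], max_gap: int) -> List[str]:
    """Follow temporal edges from the seed node while consecutive events are
    within max_gap seconds of each other (the specified relationship)."""
    path = [start]
    while successors[path[-1]]:
        nxt = successors[path[-1]][0]
        if nodes[nxt].timestamp - nodes[path[-1]].timestamp > max_gap:
            break
        path.append(nxt)
    return path


def aggregate_score(path: List[str], scores: Dict[str, float], length_penalty: float) -> float:
    """Sum of the enriched node scores along the path, penalised per hop (claim 10)."""
    return sum(scores[n] for n in path) - length_penalty * (len(path) - 1)


def lcs_length(a: Tuple[str, ...], b: Tuple[str, ...]) -> int:
    """Longest common subsequence length, used as the similarity indication."""
    table = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i, x in enumerate(a, 1):
        for j, y in enumerate(b, 1):
            table[i][j] = table[i - 1][j - 1] + 1 if x == y else max(table[i - 1][j], table[i][j - 1])
    return table[len(a)][len(b)]


def template_similarity(path_kinds: Tuple[str, ...]) -> Tuple[str, float]:
    """Best-matching template and its similarity (LCS length over the longer sequence)."""
    best = ("", 0.0)
    for name, template in TEMPLATE_LIBRARY.items():
        sim = lcs_length(path_kinds, template) / max(len(path_kinds), len(template))
        if sim > best[1]:
            best = (name, sim)
    return best


def find_issue_chain(events: List[Event], threshold: float = 0.5, max_gap: int = 50,
                     length_penalty: float = 0.1, min_similarity: float = 0.5):
    """Seed at nodes whose threat score exceeds the threshold, walk temporal paths,
    and keep the chain with the best aggregate score weighted by template similarity."""
    nodes, successors = build_graph(events)
    scores = compute_threat_scores(events)          # enrichment: score per node
    best = None
    for seed, score in scores.items():
        if score <= threshold:
            continue
        path = temporal_path(seed, nodes, successors, max_gap)
        template, sim = template_similarity(tuple(nodes[n].kind for n in path))
        if sim < min_similarity:
            continue
        combined = aggregate_score(path, scores, length_penalty) * sim
        if best is None or combined > best["score"]:
            best = {"chain": path, "entity": nodes[seed].entity, "template": template, "score": combined}
    return best


def countermeasure(chain: dict) -> dict:
    """Placeholder response action (assumed): quarantine the entity whose events form the chain."""
    return {"action": "quarantine_entity", "entity": chain["entity"], "reason": chain["template"]}


if __name__ == "__main__":
    found = find_issue_chain(SAMPLE_EVENTS)
    print(found)
    print(countermeasure(found))
```

With the constructed data, events e2, e3 and e4 of host-a each score above the threshold; the walk from e2 yields the three-event chain host → application → network, which matches the single template exactly, and its length-penalised aggregate outranks the shorter chains seeded at e3 and e4. The seed at e4 alone is dropped because a one-event path is too dissimilar to the template, which is the role the library plays in claims 11 and 12.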

Allowance
Claims 1, 3-4, 6-16, and 18-21 are allowed.

Examiner’s Statement of Reasons for Allowance
The following is an examiner’s statement of reasons for allowance:
None of the prior art of record discloses, individually or in a reasonable combination, the following combination of limitations as recited in independent claim 1: “wherein the representation includes a graphical representation of the plurality of events and the links include temporal links including sequential directional edges relating the plurality of events”, “add information based on the issue indications to the representation to form an enriched representation”, “search the enriched representation to find a chain of events representing an issue in the computing environment,” and “wherein the issue indications comprise threat scores derived based on anomaly scores based on features of the collected event data, each threat score of the threat scores representing a likelihood of a threat in the computing environment” in combination with other limitations as a whole and in the context recited in the claim.
None of the prior art of record discloses, individually or in a reasonable combination, the following combination of limitations as recited in independent claim 13: “wherein the representation includes a graphical representation of the plurality of events and the links include temporal links including sequential directional edges relating the plurality of events”, “add information based on the scores to the representation to form an enriched representation”, “search the enriched representation to find a chain of events representing an issue in the computing environment”, and “wherein the search of the enriched representation to find the chain of events representing the issue comprises: identify a node, in the enriched representation, that represents an event associated with a score that exceeds a threshold; and identify a path from the identified node to other nodes in the enriched representation, the other nodes in the enriched representation representing events having a specified relationship with the event represented by the identified node, wherein the chain of events includes the events represented by the nodes connected by the identified path” in combination with other limitations as a whole and in the context recited in the claim.
None of the prior art of record discloses, individually or in a reasonable combination, the following combination of limitations as recited in independent claim 19: “constructing, based on the collected event data representing a plurality of events in the computing environment, a graph including nodes representing events of the plurality of events and temporal links including sequential directional edges relating the plurality of events”, “adding information based on the issue indications to the graph to form an enriched graph”, “searching the enriched graph to find a chain of events representing an issue in the computing environment”, and “wherein the searching of the enriched graph to find the chain of events representing the issue comprises: identify a node, in the enriched graph, that represents an event associated with a score that exceeds a threshold; and identify a path from the identified node to other nodes in the enriched graph, the other nodes representing events having a specified relationship with the event represented by the identified node, wherein the chain of events includes the events represented by the nodes connected by the identified path” in combination with other limitations as a whole and in the context recited in the claim.
	Dependent claims are allowed as they depend from allowable independent claims.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRONG NGUYEN whose telephone number is (571)270-7312.  The examiner can normally be reached on Monday through Thursday 9:00 AM - 5:00 PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GELAGAY SHEWAYE can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/TRONG H NGUYEN/Primary Examiner, Art Unit 2436