DETAILED ACTION
This is a non-final office action in response to applicant’s communication filed on 1/9/2020.
Claims 1-20 are pending and being considered.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Specification
The disclosure is objected to because of the following informalities:
Para. [0121], line 7: “Monitor Module 329” (underlined) may be a typo.
Appropriate correction is required.
Claim Objections
Claims 1-4, 6, 10, 12, 15-16, 19-20 are objected to because of the following informalities:  
Claim 1 line 3 recites “directed edges” and line 4 recites “direct edge”. Applicant is advised to clarify those terms.
Similarly for claim 15 lines 4 and 5, and claim 20 lines 4 and 5.
Claim 2 line 2, “updating a probability of penetration directly to a node” may read “updating the probability of penetration directly to the node”.
Claim 3 line 2, “updating a payload utility of a node” may read “updating the payload utility of the
Claim 4 line 203, “updating …from a source node to a target node” may read “updating …from the source node to the target node”.
Claim 6 line 1, “wherein the edge in the graph of …” may read “wherein an edge in the graph of …”.
Claim 10 recites “computing a utility of an application of a plurality of mitigation actions, wherein the utility of a mitigation action is computed based on …”. The underlined “utility” refers to the “utility of an application of a plurality of mitigation actions”, but it is also recited as “the utility of a mitigation action” (which is not the utility of an application of a plurality of mitigation actions). Applicant is advised to clarify the claim language.
Similarly for claim 19.
Claim 12 lines 9-10, “with respect to the reduction in usability caused by the mitigation action” may read “with respect to the reduction in the usability caused by the mitigation action”.
Claim 15, lines 1-2, “…, which program instructions …” may read “…, the program instructions …” or more appropriate form.
Claim 16 line 3, “updating a probability of penetration directly to a node” may read “updating the probability of penetration directly to the node”; line 4, “updating a payload utility of a node” may read “updating the payload utility of the node”.
Claim 20 recites “An apparatus comprising a processor and a memory unit, wherein said processor is configured to perform: …”, which renders it unclear whether the memory is inactive, or whether both the memory and the processor are configured to perform the recited steps.
Appropriate correction is required.
Allowable Subject Matter
Claim 12 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The prior art identified, namely Maor, Seiver, Krebs and Griffin, either singly or in combination, does not teach the limitation of the claim, “wherein the utility is computed based on the reduction in the estimated loss from penetration, based on an estimated cost of applying the mitigation action, and based on a reduction in usability caused by the mitigation action; wherein the utility is a monotonically increasing function with respect to the reduction in the estimated loss from penetration; wherein the utility is a monotonically decreasing function with respect to the estimated cost of applying the mitigation action; and wherein the utility is a monotonically decreasing function with respect to the reduction in usability caused by the mitigation action”.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of the fourth paragraph of pre-AIA 35 U.S.C. 112:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA 35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claim 11 is rejected under 35 U.S.C. 112(d) or pre-AIA 35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.
Claim 11 depends on claim 1 and recites “wherein an estimated loss from penetration to a node is computed based on probability of penetration directly to the node and based on payload utility of nodes that are reachable from the node”, while claim 1 recites “wherein the graph indicates for a node at least one of: a payload utility of the node and a probability of penetration to the node”. Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.
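To make the limitations of claim 11 (estimated loss from penetration to a node, computed from the probability of direct penetration and the payload utility of the nodes reachable from it) and of claim 12 (a mitigation utility that is monotonically increasing in the loss reduction and decreasing in cost and in usability reduction) concrete, the following is an added illustrative example written for this page. It is not the applicant's code and not code from Maor, Seiver, Krebs, Griffin or any other cited reference. The graph, the probabilities, the payload utilities, the costs, the weighted linear form of the utility function and the use of the most likely path as the reach probability are all constructed assumptions; the claims only say the quantities are computed "based on" these inputs.

```python
"""Added illustrative example (not the applicant's code, nor code from any cited
reference): a lateral-movement graph whose nodes carry a payload utility and a
probability of direct penetration, an estimated loss in the shape of claim 11,
and a mitigation utility with the monotonicity properties of claim 12.
Every number below is a constructed assumption."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    payload_utility: float  # assumed: loss if the attacker controls this node
    p_direct: float         # assumed: probability of penetration directly to this node


@dataclass(frozen=True)
class Mitigation:
    name: str
    remove_edges: tuple = ()          # ((src, dst), ...): lateral moves the action eliminates
    patch: tuple = ()                 # ((node, new_p_direct), ...): nodes the action hardens
    cost: float = 0.0                 # estimated cost of applying the action (assumed units)
    usability_reduction: float = 0.0  # estimated usability reduction (assumed units)


class LateralMovementGraph:
    def __init__(self, nodes, edges):
        self.nodes = dict(nodes)  # name -> Node
        self.edges = dict(edges)  # (src, dst) -> probability the lateral move succeeds

    def reach_probabilities(self, start):
        """Probability of the most likely path from `start` to each reachable node
        (Dijkstra on -log p). Taking the best single path is an assumption made
        here, not something the claims require."""
        best = {start: 1.0}
        frontier = [(0.0, start)]  # (-log p, node)
        settled = set()
        while frontier:
            frontier.sort()
            _, n = frontier.pop(0)
            if n in settled:
                continue
            settled.add(n)
            for (src, dst), p in self.edges.items():
                if src != n or p <= 0.0:
                    continue
                q = best[n] * p
                if q > best.get(dst, 0.0):
                    best[dst] = q
                    frontier.append((-math.log(q), dst))
        return best

    def estimated_loss(self, node):
        """Claim 11 shape: probability of direct penetration to `node` times the
        payload utility of every node reachable from it (itself included), each
        weighted by the probability that the lateral moves to it succeed."""
        reach = self.reach_probabilities(node)
        return self.nodes[node].p_direct * sum(
            p * self.nodes[m].payload_utility for m, p in reach.items())

    def total_loss(self):
        return sum(self.estimated_loss(n) for n in self.nodes)

    def apply(self, m):
        """Return a new graph with mitigation `m` applied; self is left untouched."""
        nodes = dict(self.nodes)
        for name, p in m.patch:
            nodes[name] = Node(nodes[name].payload_utility, p)
        removed = set(m.remove_edges)
        edges = {e: p for e, p in self.edges.items() if e not in removed}
        return LateralMovementGraph(nodes, edges)


def utility(loss_reduction, cost, usability_reduction, weights=(1.0, 1.0, 1.0)):
    """Claim 12 shape: increasing in the loss reduction, decreasing in the cost and
    in the usability reduction. A weighted linear form is the simplest function
    with those properties; the weights are assumptions, not from the page."""
    w_loss, w_cost, w_usab = weights
    return w_loss * loss_reduction - w_cost * cost - w_usab * usability_reduction


def rank_mitigations(graph, mitigations, weights=(1.0, 1.0, 1.0)):
    """Score each action by its utility; return (utility, name) pairs, best first."""
    base = graph.total_loss()
    scored = []
    for m in mitigations:
        reduction = base - graph.apply(m).total_loss()
        scored.append((utility(reduction, m.cost, m.usability_reduction, weights), m.name))
    return sorted(scored, reverse=True)


# Constructed sample: a workstation that can move to a file server and to the
# domain controller, and a file server that can move on to the domain controller.
EXAMPLE_GRAPH = LateralMovementGraph(
    nodes={
        "workstation": Node(payload_utility=10.0, p_direct=0.3),
        "fileserver": Node(payload_utility=50.0, p_direct=0.05),
        "domain_controller": Node(payload_utility=1000.0, p_direct=0.01),
    },
    edges={
        ("workstation", "fileserver"): 0.8,         # assumed: SMB relay
        ("fileserver", "domain_controller"): 0.5,   # assumed: pass the ticket
        ("workstation", "domain_controller"): 0.1,  # assumed: RDP
    },
)

EXAMPLE_MITIGATIONS = (
    Mitigation("block_smb_relay", remove_edges=(("workstation", "fileserver"),),
               cost=5.0, usability_reduction=3.0),
    Mitigation("patch_workstation", patch=(("workstation", 0.1),),
               cost=20.0, usability_reduction=1.0),
    Mitigation("disable_rdp_to_dc", remove_edges=(("workstation", "domain_controller"),),
               cost=2.0, usability_reduction=0.5),
)

if __name__ == "__main__":
    for score, name in rank_mitigations(EXAMPLE_GRAPH, EXAMPLE_MITIGATIONS):
        print(f"{name:20s} utility={score:8.2f}")
```

With the constructed numbers, removing the SMB edge cuts the estimated loss far more than patching the workstation or removing the RDP edge (the latter changes nothing, because the path through the file server was already the most likely one), so it ranks first despite its larger usability cost. Ranking by utility and taking the top entries is the subset selection of claim 10.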
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-2, 4, 6, 9, 14-16, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Maor et al (US20210203684A1, hereinafter, "Maor"), in view of Seiver et al (US20170078322A1, hereinafter, “Seiver”).
Regarding claim 1, Maor teaches:
A method (Maor discloses detection of a risky edge in a lateral movement path as a cybersecurity technique to prevent the risk of an attack on an organization's computer system, see [Abstract] and [0001]) comprising:
obtaining a graph of network lateral movements (Maor, referring to Fig. 3 step 302 Obtain lateral movement graph), wherein the graph comprises nodes and directed edges, (Maor, examples of lateral movement graphs are shown in Fig. 6A-6H, and [0004] A lateral movement graph is a directed acyclic graph having nodes representing user accounts, devices, and groups (i.e. asset) and edges representing the relationship between the two nodes connected to an edge… The graph contains paths from a non-sensitive node to a sensitive node. Each edge in each lateral movement graph is analyzed to determine whether the edge can lead to a lateral movement attack to a sensitive entity based on the paths that the edge is part of and the entities and relationships of the entities in those paths. And [0049] The graph 600 has directed edges from several non-sensitive nodes (nodes 2-5) to the sensitive node (node 1). The arrows of the edges in graph 600 illustrate the direction of the relationship), wherein the graph indicates for a node (Maor, for example Fig. 6A sensitive or non-sensitive node(s)) [at least one of: a payload utility of the node and a probability of penetration to the node] (see Seiver below for limitation in bracket);
detecting an event that affects the graph of network lateral movements (Maor, [0038] Additionally, the LMP graph generation component 124 updates the LMP graphs 126 periodically to obtain the most current tenant data. The updates may be made at pre-configured time intervals or dynamically based on the frequency and/or occurrence of certain events), [wherein the event affects at least one of: the payload utility of the node and the probability of penetration to the node] (see Seiver below for limitation in bracket); 
(Maor, Fig. 3 step 314, and [0041] The LMP graph generation component 124 updates the LMP graph 126 for each tenant periodically (block 314) and the process is repeated (block 310—no) to detect other risky edges on a lateral movement path (blocks 304-308); Examiner notes that the modified graph is interpreted as the response to the event; therefore, a detected risky edge on a lateral movement path indicates that the graph has been modified);
analyzing the modified graph to determine one or more mitigation actions to be applied (Maor, [0039] For each tenant's LMP graph 126, the LMRPI component 122 calculates a risk score for each edge of the graph (block 304) (i.e. analyzing the modified graph). The risk score identifies the riskiest edges that have the most potential for a lateral movement attack and may be used to prioritize which edges require additional scrutiny (block 306)); and 
providing the one or more mitigation actions to be applied (Maor, [0040] Upon detection of a risky edge, the LMRPI component 122 may perform one or more preventive actions (i.e. mitigation actions) to deter a lateral movement attack (block 308). In one aspect, the preventive actions may be recommendations of actions that an administrator may perform).  
	While Maor teaches the main concept of the invention, such as detection of a risky edge in a lateral movement path for computer nodes in a computer system, Maor does not explicitly teach nodes with an indication of at least one of: a payload utility of the node and a probability of penetration to the node. However, in the same field of endeavor, Seiver teaches:
wherein the graph indicates for a node at least one of: a payload utility of the node and a probability of penetration to the node (Seiver discloses network risk assessment of user access rights associated with a network of devices, see [Abstract], [Title]. And [0083] The risk assessment system 100 has determined that node 214 is associated with a low compromise value and high compromise (i.e. penetration) likelihood (i.e. probability), e.g., a high probability that the node can be compromised, and node 218 is associated with a high compromise value and low compromise likelihood, e.g., a low probability that the node can be compromised. Based on the information displayed in the user interface 210B, a system administer may consider whether the edge 216 between node 214 and node 218 can be eliminated. Also see Fig. 2A-2E, in particular 2C, showing nodes with compromise value and compromise likelihood (i.e. probability of penetration to the node));
wherein the event affects at least one of: the payload utility of the node and the probability of penetration to the node (Seiver, [0168] The system can obtain the compromised information associated with the external event (e.g., user account, or other private, information), and determine whether any persons associated with user accounts of the networks (e.g., employees) utilized the compromised domain, and if so, can raise the compromise vulnerabilities of the affected user accounts (e.g., the persons may have utilized the same passwords for their user accounts of the networks and the compromised domain user accounts) (i.e. the event affects the probability of penetration));
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Seiver in the real-time detection of risky edge in lateral movement path of Maor by showing compromise value and compromise likelihood value for network nodes in graph displayed with user interface. This would have been obvious because the person having ordinary skill in the art 

Regarding claim 15, Maor-Seiver combination teaches:
A non-transitory computer readable medium retaining program instructions, which program instructions when read by a processor (Maor discloses detection of a risky edge in a lateral movement path as a cybersecurity technique to prevent the risk of an attack on an organization's computer system, see [Abstract] and [0001]. See Fig. 7 for the computer readable medium in storage devices 714, 730 and processors 710, 726, and [0057]), cause the processor to perform: method steps substantially similar to the method steps of claim 1, and is therefore rejected on the same rationale set forth in the rejection of claim 1 above.

Regarding claim 20, Maor-Seiver combination teaches:
An apparatus comprising a processor and a memory unit (Maor, referring to Fig. 7 and [0057], processors 710, 726 and memory devices 712, 728), wherein said processor is configured to perform: method steps substantially similar to the method steps of claim 1, and is therefore rejected on the same rationale set forth in the rejection of claim 1 above.

Regarding claim 2, Maor-Seiver combination further teaches:
The method of Claim 1, wherein said updating the graph of network lateral movements comprises: updating a probability of penetration directly to a node (Seiver, [0084] the total compromise value for a particular node is determined from compromise values of nodes the particular node has access to. In these implementations, the graph 200B can be updated to include the compromise risk value, allowing a system administrator to directly compare nodes).  

Regarding claim 4, Maor-Seiver combination further teaches:
The method of Claim 1, wherein said updating the graph of network lateral movements comprises: updating a probability of successful network lateral movement from a source node to a target node (Maor, [0041] The LMP graph generation component 124 updates the LMP graph 126 for each tenant periodically (block 314) and the process is repeated (block 310—no) to detect other risky edges on a lateral movement path (blocks 304-308). And [0065] determine if another risky edge exists from the updated graph. Additional instructions identify the risky edge from a risk score, the risk score based on a number of distinct detached non-sensitive nodes, a number of distinct detached sensitive nodes, and a number of distinct paths containing the risky edge).

Regarding claim 6, Maor-Seiver combination further teaches:
The method of Claim 1, wherein an edge in the graph of network lateral movements is associated with one or more methods enabling network lateral movements that comprise at least one of: a Pass the Hash (PtH) technique; a Pass the Ticket (PtT) technique; a modification of a logon script; a Remote Desktop Protocol (RDP) attack; and a Server Message Block (SMB) relay attack (Maor, [0017] Lateral movement attacks of on-premises domains involve attackers exploiting non-sensitive accounts of a network by such techniques as Pass the Ticket or credential theft and then making lateral moves to more sensitive accounts, groups, or machines that share stored log-in credentials… Lateral movement paths can be developed with on-premises networks via types of client-server protocols, such as LDAP (Lightweight Directory Access Protocol), SAMR (Security Account Manager Remote protocol), and SMB (Server Message Block), through session enumeration to each account in the domain).  

Regarding claim 9, Maor-Seiver combination further teaches:
The method of Claim 1, further comprising: detecting a second event that affects the graph of network lateral movements (Seiver, [0168] The system can also obtain information describing external events (e.g., outside of the control of an entity that maintains the networks) that identify real world events that inform, or affect, compromise vulnerabilities of network devices or user accounts), wherein the second event affects at least one of: the payload utility of the node and the probability of penetration to the node; updating the modified graph of network lateral movements based on the second event, whereby obtaining a second modified graph; analyzing the second modified graph to determine at least one mitigation action to be applied; and providing the at least one mitigation action to be applied (Maor in view of Seiver teaches the above limitations. It would have been obvious to one of ordinary skill in the art that the same teachings applied to an event can be applied similarly to a second event. See the rejection of claim 1 above).

Regarding claim 14, Maor-Seiver combination further teaches:
(Maor, [0016] A risk score is computed for each edge in the lateral movement graph...The risk score for each edge is used to identify a potential exposure for which preventive actions are recommended or performed to eliminate a potential lateral movement attack. And [0042] As shown in FIG. 4, the User1 account has the riskiest security impact with a score of 442 and the recommended action is to remove the User1 account from the Finance Users Group (line 410)).  

Regarding claim 16, Maor-Seiver combination further teaches:
The non-transitory computer readable medium of Claim 15, wherein said updating the graph of network lateral movements comprises at least one of: updating a probability of penetration directly to a node; updating a payload utility of a node; and updating a probability of successful network lateral movement from a source node to a target node (Seiver, [0084] the total compromise value for a particular node is determined from compromise values of nodes the particular node has access to. In these implementations, the graph 200B can be updated to include the compromise risk value, allowing a system administrator to directly compare nodes).  

Claims 3, 13 are rejected under 35 U.S.C. 103 as being unpatentable over Maor-Seiver combination as applied above to claim 1, in further view of Muddu et al (US20180288079A1, hereinafter, “Muddu”).
Regarding claim 3, Maor-Seiver combination teaches:
The method of Claim 1, 
The combination of Maor-Seiver does not explicitly teach the following limitation; however, in the same field of endeavor, Muddu teaches:
wherein said updating the graph of network lateral movements comprises: updating a payload utility of a node (Muddu, discloses detection of security related anomalies and threats in a computer network environment. And [0567] the processes of generating the classification metadata and/or assigning usage similarity scores (i.e. a payload utility) are performed in real-time as the event data are received. And [0571] The machine learning model 6300 further identifies usage relationships 6330 between the users and the network devices based on the event data 6310).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Muddu in the real-time detection of risky edge in lateral movement path of Maor-Seiver by assigning a usage similarity score to computer devices in network to identify usage relationships between users and the network devices presented as a graph having nodes and edges interconnecting nodes. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the usage similarity score to indicate which of the devices have been used by the users in lateral movement detection (Muddu, [Abstract], [0567]-[0573]).

Regarding claim 13, Maor-Seiver combination teaches:
The method of Claim 1, 

wherein said providing the one or more mitigation actions to be applied comprises automatically applying the one or more mitigation actions (Muddu, [0151] The anomalies and threats detected by the real-time processing path may be employed to automatically trigger an action, such as stopping the intrusion, shutting down network access, locking out users, preventing information theft or information transfer).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Muddu in the real-time detection of a risky edge in a lateral movement path of Maor-Seiver by automatically triggering mitigation actions to stop an intrusion. This would have been obvious because the person having ordinary skill in the art would have been motivated to detect lateral movement in network security analysis and automatically stop the intrusion for network protection (Muddu, [Abstract], [0151]).

Claims 5, 17 are rejected under 35 U.S.C. 103 as being unpatentable over Maor-Seiver combination as applied above to claim 1, 15 respectively, in further view of Coull et al (US11201890B1, hereinafter, “Coull”) and Thomas et al (US20190124112A1, hereinafter, “Thomas”).
Regarding claim 5, similarly claim 17, Maor-Seiver combination teaches:
The method of Claim 1, the non-transitory computer readable medium of Claim 15,

wherein said analyzing comprises analyzing a previously activated mitigation action (Coull, discloses method for performing cyber-security analysis by generating semantic graph in which object is represented as a node, see [Abstract]. And [Col. 10 lines 18-29] a sub-graph is further analyzed by the processor (e.g., cyber-threat analyzer 200 of FIG. 2) based on a pattern of communication identified as a “malicious lateral movement,” and a set of relevant mitigations may be associated with the subgraph, such that the subgraph and the associated mitigations are then presented to an analyst for action. The mitigations presented to the analyst may be based, for example, on a set of defined mitigations associated with known subgraphs, a set of past mitigations previously implemented by a user or by the analyst for the same or a similar subgraph or malicious behavior, and/or dynamically generated mitigations); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Coull in the real-time detection of a risky edge in a lateral movement path of Maor-Seiver by performing the cyber-security analysis of Coull. This would have been obvious because the person having ordinary skill in the art would have been motivated to present mitigation actions to an analyst for selective remediation of cyber-threats (Coull, [Abstract], [0001]).
The combination of Maor-Seiver-Coull does not teach the following limitation(s); however, in a similar field of endeavor, Thomas teaches:
(Thomas, discloses detection of authentication attacks on endpoint with credential, see [Title] and [Abstract]. And [0041] The threat management facility 100 may also provide for the removal of applications that potentially interfere with the operation of the threat management facility 100, such as competitor products that may also be attempting similar threat management functions… In the case where such applications are services are provided indirectly through a third-party product, the application may be suspended until action is taken to remove or disable the third-party product's protection facility.).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Thomas in the real-time detection of a risky edge in a lateral movement path of Maor-Seiver-Coull by disabling a protection application that potentially interferes with the operation of the threat management facility. This would have been obvious because the person having ordinary skill in the art would have been motivated to improve detection of authentication attacks to prevent compromise of the endpoint (Thomas, [Abstract]).

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Maor-Seiver combination as applied above to claim 1, in further view of Chevalier et al (US10896085B2, hereinafter, “Chevalier”).
Regarding claim 7, Maor-Seiver combination teaches:
The method of Claim 1 

further comprises: prior to said detecting: performing an offline analysis to determine a set of one or more mitigation actions to be applied and applying the set of one or more mitigation actions (Chevalier, discloses method of applying a mitigation action to computing system, see [Abstract]. And [Col. 5 lines 43-50] At block 250, a mitigation action is applied according to a policy. The application of a mitigation action is implemented by the recovery and mitigation module 150. In certain cases, applying a mitigation action comprises determining one or more characteristics of the intrusion event, and determining, based on the policy and characteristics of the intrusion event, an appropriate mitigation action to apply); wherein said analyzing comprises determining to activate a mitigation action not included in the set of one or more mitigation actions (Chevalier, [Col. 4 lines 31-33] In order to apply mitigation actions, the recovery and mitigation module 150 is further coupled to a policy management module. And [Claim 1] selecting, based on the determined context, a first policy from a plurality of policies, the first policy specifying a first mitigation action to apply in the computing system in response to the intrusion event, wherein the plurality of policies correspond to respective different contexts and specify application of different mitigation actions for the intrusion event; applying the first mitigation action according to the first policy, wherein the first mitigation action comprises maintaining a first function of the service while disabling a second function of the service...).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Chevalier in the .

Claims 8, 18 are rejected under 35 U.S.C. 103 as being unpatentable over Maor-Seiver combination as applied above to claim 1, 15 respectively, in further view of Krebs (US20190042737A1, hereinafter, “Krebs”).
Regarding claim 8, similarly claim 18, Maor-Seiver combination teaches:
The method of Claim 1, the non-transitory computer readable medium of Claim 15, 
The combination of Maor-Seiver does not expressly teach the following limitation(s); however, in the same field of endeavor, Krebs teaches:
further comprises: monitoring usage of the network, wherein said detecting is performed in response to said monitoring, wherein said monitoring comprises identifying usage patterns, wherein said analyzing comprises determining estimated reduction in usability of a mitigation action based on the identified usage patterns (Krebs, discloses triggering mitigation action in response to a violation due to intrusion to secure environment’s operation, see [Abstract]. And [0057] once a potential malicious action is detected, the intrusion detection application 136 can trigger one or more mitigation actions in response. And [0060] In some instances, the determination of the potentially malicious activity can be removed, while in other instances, the potential threat level of the issue may be reduced and/or the corresponding mitigation action changed or reduced (e.g., from launch automatic countermeasures to notify administrator of activity and reason for reduced or lowered threat level) (i.e. reduction in usability of mitigation action in pattern of reduced threat level)).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Krebs in the real-time detection of a risky edge in a lateral movement path of Maor-Seiver by triggering a mitigation action in response to detection of an intrusion. This would have been obvious because the person having ordinary skill in the art would have been motivated to automatically change or reduce the mitigation action according to the potential threat level of the intrusion to the secure environment's operations (Krebs, [Abstract], [0002], [0060], [0073]).

Claims 10, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Maor-Seiver combination as applied above to claim 1, 15 respectively, in further view of Krebs (US20190042737A1, hereinafter, “Krebs”) and Griffin et al (US20180276377A1, hereinafter, “Griffin”).
Regarding claim 10, similarly claim 19, Maor-Seiver combination teaches:
The method of Claim 1, the non-transitory computer readable medium of Claim 15,
The combination of Maor-Seiver does not expressly teach the following limitation; however, in the same field of endeavor, Krebs teaches:
wherein said analyzing the modified graph comprises: computing a utility of an application of a plurality of mitigation actions, wherein the utility of a mitigation action is (Krebs discloses triggering a mitigation action in response to a violation due to an intrusion into a secure environment's operation, see [Abstract]. And [0057] once a potential malicious action is detected, the intrusion detection application 136 can trigger one or more mitigation actions in response. And [0060] In some instances, the determination of the potentially malicious activity can be removed, while in other instances, the potential threat level of the issue may be reduced and/or the corresponding mitigation action changed or reduced (e.g., from launch automatic countermeasures to notify administrator of activity and reason for reduced or lowered threat level) (i.e. reduction in usability of mitigation action in pattern of reduced threat level));
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Krebs in the real-time detection of a risky edge in a lateral movement path of Maor-Seiver by triggering a mitigation action in response to detection of an intrusion. This would have been obvious because the person having ordinary skill in the art would have been motivated to automatically change or reduce the mitigation action according to the potential threat level of the intrusion to the secure environment's operations (Krebs, [Abstract], [0002], [0060], [0073]).
The combination of Maor-Seiver-Krebs does not expressly teach the following limitation(s) however in the same field of endeavor Griffin teaches:
selecting a subset of the plurality of mitigation actions based on the computed utilities; and wherein said providing comprises applying the subset of the plurality of mitigation actions (Griffin, discloses security mitigation action selection based on device usage, see [Title]. And [Abstract] a processor selects a security mitigation action for a device based on information related to usage of the device and associated usage limitations associated with the selected security mitigation action. And [0027] Continuing to 202, the security mitigation system selects a security mitigation action for the detected security event based on a response to the request and the effect on the device usage associated with the selected security mitigation action).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Griffin in the real-time detection of a risky edge in a lateral movement path of Maor-Seiver-Krebs by selecting a mitigation action based on device usage. This would have been obvious because the person having ordinary skill in the art would have been motivated to select a mitigation action based on device usage in order to initiate an action on the user's device in response to information indicating that the device has been compromised (Griffin, [Abstract]).

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Maor-Seiver-Krebs-Griffin combination as applied above to claim 10, in further view of Zhang (CN110909878A, hereinafter, “Zhang”).
Regarding claim 11, Maor-Seiver-Krebs-Griffin combination teaches:
The method of Claim 10, 
While the combination of Maor-Seiver-Krebs-Griffin does not expressly teach, in a similar field of endeavor Zhang teaches:
(Zhang, discloses method of training neural network model with estimated resource usage quota, see [Title], and [Abstract] obtaining multiple groups of training samples comprising feature information of a user, a first label and a second label, wherein the first label is used for indicating a resource use share of the user in a first time period, and the second label is used for indicating whether the user uses resources or not in the first time period; for the feature information of the users in each group of training samples, obtaining a resource use share estimated value and a resource use probability estimated value by utilizing a neural network model; determining a first loss according to the resource use share estimated value, the first label and a first loss function; determining a second loss according to the resource use probability estimated value, a second label and a second loss function; performing weighted summation on the first loss and the second loss to obtain total loss).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Zhang in the real-time detection of risky edge in lateral movement path of Maor-Seiver-Krebs-Griffin by using a loss function with resource usage values to train a neural network model. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the loss function of Zhang to calculate the total loss (Zhang, [Abstract]) for utility loss estimation of nodes in the lateral movement graph for security threat monitoring.
Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but not relied upon for this office action:
Joseph Durairaj et al (US20180316704A1). Discloses detection of lateral movement that potentially represents a security threat.
Gordeychik et al (US10873590B2). Discloses method of computer protection module to determine that a computer attack occurred by one or more tags corresponding to signatures in a database of computer attacks.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished 

/MICHAEL M LEE/Examiner, Art Unit 2436


/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436