Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This action is responsive to the amendment filed on 12/8/2021. Claims 1, 8 and 15 are independent. Claims 1-3, 5, 8, 10, 12, 15, 17 and 19 are amended. Claims 1-20 are currently pending.

Response To Argument
The objections to claims 1, 3, 5, 8, 10, 12, 15, 17 and 19 are withdrawn in view of the amendment.
With respect to the previous 103 rejection, the proposed amendment to the independent claims seems to overcome the combination of Choudhury and Bindu. However, upon further consideration of the amendment and an updated search, a new 103 rejection is given below in view of Choudhury, AlEroud and Bindu.

Claim Rejections-35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims, the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Choudhury et al. (US 20180329958 A1), hereinafter Choudhury, in view of AlEroud et al. (Queryable Semantics to Detect Cyber-Attacks: A Flow-Based Detection Approach, IEEE, February 2018), hereinafter AlEroud, further in view of Bindu, Graph Feature Based Multi-Layer Social Network Analysis for Anomaly Detection, Thesis, Department of Computer Science and Engineering, National Institute of Technology Karnataka, March 2018.

Regarding claims 1, 8 and 15, Choudhury teaches a method for detecting a source of malicious activity in a computer system (FIG. 2 and para. 0014), comprising:
gathering, by a hardware processor, information related to the objects of the computer system (FIG. 1 #110, central processing unit (CPU) [hardware processor]; FIG. 3 and para. 0014, vertices of the data graph represent network entities selected from the group consisting of machines (having IP addresses or other network addresses), services, and applications, and the edges of the data graph represent communications between the network entities);
determining, by the hardware processor, one or more relations between the objects based on an analysis of the gathered information (FIG. 1 #110, central processing unit (CPU) [hardware processor]; para. 0048, set of edges in a data graph represents communications, interactions, or relationships between entities [objects] represented by the vertices of the data graph; para. 0225, [f]or example, to indicate the frequency of partial matches for different query subgraphs in the progress graphic, the visualization tool can change the size and/or line weights [data shows communication frequency] for vertices and edges of the query graph);
forming, by the hardware processor, a graph based on the information gathered on the objects (FIG. 1 #110, central processing unit (CPU) [hardware processor]; FIG. 3 and para. 0088, a graph G is an ordered pair G=(V,E)) and based on an assigned degree of reliability of a relation between two objects (para. 0047, network analysis tool can determine which query subgraphs to prioritize for so-called "lazy searching" based on collected statistics about the frequency of different vertices and edges of a query graph. Confidence scores can be computed for partial matches of query subgraphs 
selecting, by the hardware processor, at least two induced subgraphs from the resulting graph (FIG. 3, para. 0014 and 0089, subgraph isomorphism 330; FIG. 4 and para. 0089, plurality of query graphs 410 and plurality of subgraph isomorphisms);
determining, by the hardware processor, coefficient of harmfulness for each selected subgraph, the coefficient of harmfulness representing a numerical characteristic describing strength of the relations between the vertices of that subgraph (FIG. 3, para. 0078 and 0089, Statistics (266) for the query graph (230) and/or its query subgraphs can be compared or juxtaposed against normative patterns. This may help a user determine which of the query subgraphs has the most discriminatory strength and/or assess how many false positives are likely with the query graph (230) [under the BRI, statistics and scores as described in paragraphs [0047], [0049], [0054], [0168], [0221], [0226], meet the coefficient of harmfulness representing a numerical 
Choudhury does not explicitly disclose (and wherein) the degree of reliability of a relation between a first object and a second object is a numerical value characterizing probability that the first object has a logical or functional relation to the second object. However, in an analogous art, AlEroud teaches the degree of reliability of a relation between a first object and a second object is a numerical value characterizing probability that the first object has a logical or functional relation to the second object (p.213 right column, para. 3, [a]fter the similarity values are calculated, an SRM N is generated. The matrix N expresses links among, for example five nodes n1, . . . , n5. ∪nj)/Pr(ni)), where Pr(ni ∪nj) is the probability that two nodes co-occur and it is calculated in terms of feature co-occurrence. The value of AC is equivalent to rs and it is used to expand the initial prediction. Therefore, we reran our experiments using the AC score to expand the initial prediction. The initial prediction is also expanded using the typical similarity values (SIM) calculated using the AD and PC measures. The results of this experiment are shown in Fig. 8. The symbols AC, and SIM refer to the AC and the typical similarity values).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Choudhury and AlEroud because it would allow the intrusion detection approach to take advantage of contextual information to identify relationships between suspicious activities discovered in flows (p.207, right column, last para.).
The combination of Choudhury and AlEroud does not explicitly disclose determining, by the hardware processor, from the selected subgraphs, a subgraph whose coefficient of harmfulness is a minimum among the determined coefficients of 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Choudhury, AlEroud and Bindu because it solved the difficulty of developing a general-purpose anomaly detection system (Bindu page 4, list of challenges that are encountered while detecting anomalies).

Regarding claims 2, 9 and 16, the combination of Choudhury, AlEroud and Bindu teaches all of the limitations of claims 1, 8 and 15, as described above. Choudhury further teaches determining, by the hardware processor, the coefficient of harmfulness of the subgraph based on a degree of similarity of that subgraph with at least one subgraph from a database of graphs containing previously formed graphs of malicious activity of the computer system, each of which is associated with a coefficient of harmfulness (para. 0078, Statistics (266) for the query graph (230) and/or its query subgraphs can be compared or juxtaposed against normative patterns. This may help a user determine which of the query subgraphs has the most discriminatory strength and/or assess how many false positives are likely with the query graph).

Regarding claims 3, 10 and 17, the combination of Choudhury, AlEroud and Bindu teaches all of the limitations of claims 1, 8 and 15, as described above. Bindu further teaches wherein the coefficient of harmfulness of a subgraph is a coefficient of harmfulness characterizing probability that at least one object of those associated with the vertices of the mentioned subgraph is malicious (FIG. 2.2, anomaly detection on dynamic networks and nodes [nodes are equivalent to vertices of subgraph] and probability-based; page 29, para. 01, An anomalous subgraph has many low-probability or unexpected edges and lacking many high-probability or expected edges within itself, and between itself and its neighborhood).
Therefore, it would have been obvious to one of ordinary skill in the art before the Bindu because it solved the difficulty to develop a general-purpose anomaly detection 

Regarding claims 4, 11 and 18, the combination of Choudhury, AlEroud and Bindu teaches all of the limitations of claims 1, 8 and 15, as described above. Choudhury further teaches wherein only subgraphs related to other subgraphs by graph edges associated with a cause and effect relationship are analyzed (para. 0014, graph represents a target pattern of links in a set of documents (e.g., Web pages, blog posts), the vertices of the data graph represent the respective documents, and the edges of the data graph represent links between the documents).

Regarding claims 5, 12 and 19, the combination of Choudhury, AlEroud and Bindu teaches all of the limitations of claims 1, 8 and 15, as described above. Bindu further teaches wherein subgraphs whose diameters are less than a predetermined threshold value are analyzed (page 104 table 5.4, spammer community statistics, diameter (largest shortest path) is 9).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Choudhury and Bindu because it solved the difficulty of developing a general-purpose anomaly detection system (Bindu page 4, list of challenges that are encountered while detecting anomalies).

Regarding claims 6, 13 and 20, the combination of Choudhury and Bindu teaches all of the limitations of claims 1, 8 and 15, as described above. Choudhury further teaches wherein previously unknown objects are selected from the objects found as being the source of the malicious activity (para. 0014, the query graph represents a target pattern of intrusion or attack in a computer network).

Regarding claims 7 and 14, the combination of Choudhury, AlEroud and Bindu teaches all of the limitations of claims 1 and 8, as described above. Choudhury further teaches wherein the objects comprise at least one of files, folders, applications, registry entries, or web sites (para. 0014, the vertices of the data graph represent network entities selected from the group consisting of machines (having IP addresses or other network addresses), services, and applications, and the edges of the data graph represent communications between the network entities ... graph represents a target pattern of links in a set of documents (e.g., Web pages, blog posts), the vertices of the data graph represent the respective documents, and the edges of the data graph represent links between the documents).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHU CHUN GAO whose telephone number is (571)270-5999. The examiner can normally be reached on Monday-Thursday 6:00-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, KRISTINE KINCAID, can be reached on 571-272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For 

/SHU CHUN GAO/Examiner, Art Unit 2437 


/MATTHEW SMITHERS/Primary Examiner, Art Unit 2437