DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 7, 11, 14, 15, and 16 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by DURAIRAJ (US-10462169-B2).
Regarding claim 7, DURAIRAJ teaches “A method of detecting illicit lateral movement within a computer network, comprising automatically: correlating at least login data and network traffic data, thereby producing network node sets, each node set identifying: ([DURAIRAJ, Abstract] “A lateral movement application identifies lateral movement (LM) candidates that potentially represent a security threat. Security platforms generate event data when performing security-related functions, such as authenticating a user account. The disclosed technology enables greatly increased accuracy identification of lateral movement (LM) candidates by, for example, refining a population of LM candidates based on an analysis of a time constrained graph in which nodes represent entities, and edges between nodes represent a time sequence of login or other association activities between the entities.”) at least two login times for logins to respective computers of the node set, at least one administrator account on at least one computer of the node set, and at least one data transfer between computers of the node set; ([DURAIRAJ, Col. 4 lines 36-39] “a macro represents a user account logging into a first machine, then changing the privileges of the user account to an administrator account, and then logging into another machine by use of the administrator privileges.”) ([DURAIRAJ, Col. 4 lines 60-64] “a network intruder steals a user's credentials and uses the credentials to access a computer that the user typically does not access. Upon gaining access to the computer, the intruder performs various network-related activities, which spawn various network-related events.”) building a chain from at least two of the node sets, the chain representing a sequence of events, the sequence of events including a login to a first computer as a first user, followed by a data transfer to the first computer, followed by a login to a second computer from the first computer using an administrator credential; ([DURAIRAJ, Col. 4 lines 40-46] “Macros may be matched with features or feature vectors across entities, and may be ordered in time. Macros may further be combined in sets of macros, with individual macros representing attack phases, and the set of macros representing, further attack phases, or even an entire attack. Macro collections can be matched against a priori known patterns of conducting LM attacks.”) ([DURAIRAJ, Col. 4 lines 36-39] “a macro represents a user account logging into a first machine, then changing the privileges of the user account to an administrator account, and then logging into another machine by use of the administrator privileges.”) and reporting the chain as an illicit lateral movement candidate. ([DURAIRAJ, Col. 21 lines 16-39] “At block 1135, the LM security application accesses a data store that includes data associated with a sequence of events that indicate LM or a LM candidate(s). The data associated with a sequence of events, also referred to as a macro, can be data derived from any of event data associated with a sequence of events, event segments derived from the event data, feature vectors derived from the event segments, event data/segments associated with a path, etc. …. The data store includes stored event-related data that indicate LM or LM candidates,”).

Regarding claim 11, DURAIRAJ teaches all limitations of claim 7. DURAIRAJ further teaches “wherein reporting comprises reporting a movement time between logins to adjacent computers in the chain.” ([DURAIRAJ, Col. 3 lines 23-34] “The disclosed technology leverages event data to detect LM candidates, which are entities that indicate or are associated with LM. “Event data” is a discrete set of raw machine data that represents or corresponds to specific network activity, such as data generated by security platform(s) of a network when performing a security-related function, among others. The specific network activity is also referred to as an “event” or “events.” Event data can be generated, e.g., when a security platform facilitates or tracks a network-related event, such as a login, a privilege elevation, an object access, etc.”) ([DURAIRAJ, Col. 6 lines 40-43] “The event data include time-related data, such as timestamp data, which enables some or all of the event data to be sequenced. The LM security application analyzes the timestamp data to sequence the event data”).


Regarding claim 14, DURAIRAJ teaches all limitations of claim 7. DURAIRAJ further teaches “wherein reporting comprises reporting at least one of the following: an indication that more than two node sets are in the chain; a chain length indicating how many computers more than three are in the chain; or a chain count indicating how many chains have been built, each chain being based on a sequence of logins using or providing administrator account access.” ([DURAIRAJ, Col. 16 lines 1-4] “LM security application determines that, at a time later than an event associated with a feature vector of U701, user1 logs in to a first device, and the LM security application creates node D702 to represent the second device.”) ([DURAIRAJ, Col. 16 lines 23-27] “LM security application detects that user1 next logs into a second device, and the LM security application creates node D703 to represent the second device, and creates F1 of node D703 to indicate the user1 login.”) ([DURAIRAJ, Col. 4 lines 20-24] “A graph is created. In some embodiments, the graph is time constrained and is comprised of nodes which represent entities, and edges (also referred to as “connections”) between nodes which represent login or other association activity between entities.”) ([DURAIRAJ, Col. 4 lines 35-39] “In another example, a macro represents a user account logging into a first machine, then changing the privileges of the user account to an administrator account, and then logging into another machine by use of the administrator privileges.”).

Regarding claim 15, DURAIRAJ teaches all limitations of claim 7. DURAIRAJ further teaches “obtaining from a trained machine learning model an anomalousness score which is based at least in part on previous communications between at least two computers in the chain.” ([DURAIRAJ, Col. 9 lines 52-56] “In some embodiments, the method described here can be implemented by a machine learning model. For example, processing logic of a machine learning model can generate the classification metadata, or assign usage similarity scores, or both, as further described below.”) ([DURAIRAJ, Col. 11 lines 65-67 – Col. 12 lines 1-9] “In an alternative embodiment, machine learning model 200 can further calculate an anomaly score for the particular user and decide whether anomaly is detected based on the anomaly score. The anomaly score is indicative of a likelihood that the anomaly relates to a security threat. The anomaly score can be calculated based on, for example, the difference between a similarity score of the particular network device and a statistical measure (e.g., an average) of similarity scores of other devices with which the user has interacted. Machine learning model 200 then detects the anomaly if the model determines that the anomaly score exceeds a threshold value for anomaly scores.”).

Regarding claim 16, this claim defines an article of manufacture comprising a computer readable medium and corresponds to method claim 7. Therefore, claim 16 is rejected with the same rationale as in the rejection of claim 7. Furthermore, DURAIRAJ discloses ([DURAIRAJ, Col. 23 lines 47-54] “In the illustrated embodiment, the processing device 1200 includes one or more processors 1210, memory 1211, a communication device 1212, and one or more input/output (I/O) devices 1213, all coupled to each other through an interconnect 1214. The interconnect 1214 may be or include one or more conductive traces, buses, point-to-point connections, controllers, adapters and/or other conventional connection devices.”).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 5, 8 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over DURAIRAJ (US-10462169-B2), in view of HERNACKI (US-7475420-B1), hereinafter DURAIRAJ-HERNACKI.
Regarding claim 1, DURAIRAJ teaches “A system configured for automatic detection of illicit lateral movement, the system comprising: a memory; a processor in operable communication with the memory, the processor configured to perform steps for detecting illicit lateral movement within a network of computers, the steps including ([DURAIRAJ, Abstract] “A lateral movement application identifies lateral movement (LM) candidates that potentially represent a security threat. Security platforms generate event data when performing security-related functions, such as authenticating a user account. The disclosed technology enables greatly increased accuracy identification of lateral movement (LM) candidates by, for example, refining a population of LM candidates based on an analysis of a time constrained graph in which nodes represent entities, and edges between nodes represent a time sequence of login or other association activities between the entities.”) (a) correlating at least login data and network traffic data, thereby producing network node sets, each network node set identifying a login event from a source computer to a target computer and also identifying a data transfer to the target computer, ([DURAIRAJ, Col. 4 lines 20-31] “A graph is created. In some embodiments, the graph is time constrained and is comprised of nodes which represent entities, and edges (also referred to as “connections”) between nodes which represent login or other association activity between entities. Nodes or edges of the graph can be associated with various data, such as event(s), event segments, node(s), feature(s), feature vector(s), etc., and the nodes/edges/various data can have associated weights. A macro may be used to refine a population of LM candidates. A macro is data that can be used to identify various event-related data, e.g., specific tasks associated with a particular phase of an attack, among others.”) (b) building a chain from at least two of the node sets, the chain representing a sequence of events, the sequence of events including: a second-computer-login into a second computer from a first computer, then a second-computer-data-transfer which transferred data from the first computer to the second computer, ([DURAIRAJ, Col. 4 lines 41-46] “Macros may further be combined in sets of macros, with individual macros representing attack phases, and the set of macros representing, further attack phases, or even an entire attack. Macro collections can be matched against a priori known patterns of conducting LM attacks.”) ([DURAIRAJ, Col. 4 lines 35-39] “In another example, a macro represents a user account logging into a first machine, then changing the privileges of the user account to an administrator account, and then logging into another machine by use of the administrator privileges.”) …… and (c) reporting the chain as an illicit lateral movement candidate. ([DURAIRAJ, Col. 21 lines 16-39] “At block 1135, the LM security application accesses a data store that includes data associated with a sequence of events that indicate LM or a LM candidate(s). The data associated with a sequence of events, also referred to as a macro, can be data derived from any of event data associated with a sequence of events, event segments derived from the event data, feature vectors derived from the event segments, event data/segments associated with a path, etc. …. The data store includes stored event-related data that indicate LM or LM candidates,”).
However, DURAIRAJ does not teach “then a third-computer-login into a third computer from the second computer, and then a third-computer-data-transfer which transferred data from the second computer to the third computer, wherein a second-computer-data-transfer size of data transferred from the first computer to the second computer and a third-computer-data-transfer size of data transferred from the second computer to the third computer differ by no more than ten percent of the maximum of the two transfer sizes,”.
In analogous teaching HERNACKI teaches “then a third-computer-login into a third computer from the second computer, and then a third-computer-data-transfer which transferred data from the second computer to the third computer, wherein a second-computer-data-transfer size of data transferred from the first computer to the second computer and a third-computer-data-transfer size of data transferred from the second computer to the third computer differ by no more than ten percent of the maximum of the two transfer sizes,” ([HERNACKI, Col. 6 lines 18-46] “That is, if in a given pair of transmissions, the size of the transmitted data is roughly the same or roughly proportional with some tolerable positive and/or negative error, then the pair of transmissions is considered symmetric with respect to size. For instance, as depicted in FIG. 4, the size of data transmitted from Host A to Host B (e.g. 200 bytes) in transmission 402 is similar with some acceptable error to the size of data transmitted from Host B to Host C (e.g. 180 bytes) in transmission 404. Therefore, the pair of network data transmissions from Host A to Host B and Host B to Host C exhibit size symmetry as defined in some embodiments …… In some embodiments, any network data transmission whose size, for instance, falls within an interval whose boundaries are defined by a predetermined error can be considered a candidate for a transmission that satisfies size symmetry. In one embodiment, the maximum allowable error may be determined by a fixed number (e.g. number of bytes) if, for example, the encoding scheme is known. In another embodiment, the maximum allowable error may be prescribed to be a fixed percentage of the size of the network data transmission under consideration.”) [Examiner’s Note: the difference between 200 bytes and 180 bytes is no more than 10% of 200, which is the maximum of the two transfer sizes].
Thus, given the teaching of HERNACKI, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of monitoring data transfers between multiple computers as taught by HERNACKI into the teaching of a method to detect illicit network activity as taught by DURAIRAJ. One of ordinary skill in the art would have been motivated to do so because HERNACKI recognizes the need to enhance cyber security to prevent unwanted network traffic ([HERNACKI, Col. 1 lines 13-14, 52-54] “Organizations and enterprises maintain network security policies to protect against external and internal threats …. there is a need for a reliable way to detect proxies that is both easy to deploy and is capable of detecting proxies even if various evasion or obfuscation techniques are used.”).

Regarding claim 2, DURAIRAJ-HERNACKI teaches all limitations of claim 1. HERNACKI further teaches “The system of claim 1, further characterized by a pattern of short computer-to-computer movement times in at least one of the following ways: a movement time between the second-computer-login and the third-computer-login is less than a time between another login to the second computer and a subsequent login to the third computer; a movement time between the second-computer-login and the third-computer-login is less than an average time between at least some logins into computers of the network; a movement time between the second-computer-login and the third-computer-login is less than a predetermined threshold; or a movement time between the second-computer-login and the third-computer-login is less than five minutes.” ([HERNACKI, Col. 7 lines 58-67 – Col. 8 lines 1-8] “In some embodiments, pairs of transmissions that are close in time are compared when detecting symmetric relationships (e.g. reflexivity, size symmetry, port re-use, etc.) among a set of network data transmissions. Specifically, in order for a pair of network data transmissions to be a part of the same unidirectional flow, the individual transmissions that constitute the pair should occur within a prescribed interval of one another. As illustrated in FIG. 4, if the time interval A between transmission 402 from Host A to Host B and transmission 404 from Host B to Host C is less than or equal to a prescribed threshold interval Art, the pair of transmissions is considered possibly part of the same unidirectional flow, i.e., transmissions 402 and 404 are considered a “reflexive” pair which in some embodiments results in the pair being analyzed further, e.g., to determine if the transmissions are “symmetric”, for example if the later transmission is the same size as (or within a prescribed error of the size of) the earlier transmission.”).
The same motivation to modify DURAIRAJ with HERNACKI as in the rejection of claim 1 applies. 
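The chain limitations discussed for claims 1 and 2 above (a login and transfer from a first computer to a second, followed within a short movement time by a login and transfer from the second to a third, with the two transfer sizes within ten percent of the larger) can be exercised as a small detector. The Python below is an added example, not code from the application or any cited reference; the host names, event records, five-minute movement threshold and 30-minute login-to-transfer correlation window are constructed assumptions.

```python
"""Lateral-movement candidate chains from correlated login and transfer events.
Added example, not from the application or the cited references: checks the quoted
limitations (consecutive logins at most five minutes apart, transfer sizes within
ten percent of the larger one) over constructed events."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Login:
    time: datetime
    src: str     # computer the login came from
    dst: str     # computer logged into
    user: str
    admin: bool  # True when an administrator credential was used

@dataclass(frozen=True)
class Transfer:
    time: datetime
    src: str
    dst: str
    size: int    # bytes moved src -> dst

@dataclass(frozen=True)
class NodeSet:
    """A login src -> dst correlated with the first following transfer src -> dst."""
    login: Login
    transfer: Transfer

def correlate(logins, transfers, window=timedelta(minutes=30)):
    """Pair each login with the first transfer on the same src/dst edge within
    `window` after it (the 30-minute window is an assumption of this example)."""
    node_sets, by_time = [], sorted(transfers, key=lambda t: t.time)
    for lg in sorted(logins, key=lambda l: l.time):
        for tr in by_time:
            if (tr.src, tr.dst) == (lg.src, lg.dst) and lg.time <= tr.time <= lg.time + window:
                node_sets.append(NodeSet(lg, tr))
                break
    return node_sets

def size_symmetric(size_a, size_b, tolerance=0.10):
    """True when the sizes differ by no more than `tolerance` of the larger one."""
    return abs(size_a - size_b) <= tolerance * max(size_a, size_b)

def links(first, second, max_move=timedelta(minutes=5), tolerance=0.10):
    """True when `second` continues `first`: it leaves the computer `first` reached,
    after `first`'s transfer, within `max_move` of `first`'s login, with symmetric sizes."""
    move = second.login.time - first.login.time
    return (second.login.src == first.login.dst
            and first.transfer.time < second.login.time
            and timedelta(0) < move <= max_move
            and size_symmetric(first.transfer.size, second.transfer.size, tolerance))

def build_chains(node_sets, max_move=timedelta(minutes=5), tolerance=0.10):
    """Return every maximal chain of two or more linked node sets."""
    succ = {ns: [n for n in node_sets if links(ns, n, max_move, tolerance)] for ns in node_sets}
    has_pred = {n for followers in succ.values() for n in followers}
    chains = []

    def extend(path):
        if not succ[path[-1]]:
            if len(path) >= 2:
                chains.append(path)
            return
        for n in succ[path[-1]]:
            extend(path + [n])

    for ns in node_sets:  # start only from node sets that nothing links into
        if ns not in has_pred:
            extend([ns])
    return chains

def report(chain):
    """Summarise a chain: hop path, movement times between logins, sizes, admin logins."""
    return {"path": [chain[0].login.src] + [ns.login.dst for ns in chain],
            "movement_seconds": [(b.login.time - a.login.time).total_seconds()
                                 for a, b in zip(chain, chain[1:])],
            "transfer_sizes": [ns.transfer.size for ns in chain],
            "admin_logins": sum(1 for ns in chain if ns.login.admin)}

def detect(logins, transfers):
    """Correlate events, build chains, report each as a lateral-movement candidate."""
    return [report(c) for c in build_chains(correlate(logins, transfers))]

# Constructed sample events (not real telemetry); T builds a timestamp on one day.
def T(h, m, s=0):
    return datetime(2024, 1, 1, h, m, s)
LOGINS = [
    Login(T(8, 0), "WS5", "SRV2", "bob", False),     # benign: slow, asymmetric sizes
    Login(T(8, 40), "SRV2", "SRV9", "bob", False),
    Login(T(9, 0), "WS1", "SRV2", "alice", True),    # three admin hops, 3 min apart
    Login(T(9, 3), "SRV2", "SRV3", "alice", True),
    Login(T(9, 6), "SRV3", "DB1", "alice", True),
    Login(T(10, 0), "WS7", "SRV4", "carol", False),  # two fast, size-symmetric hops
    Login(T(10, 2), "SRV4", "SRV8", "carol", False),
]
TRANSFERS = [
    Transfer(T(8, 1), "WS5", "SRV2", 50_000), Transfer(T(8, 41), "SRV2", "SRV9", 900),
    Transfer(T(9, 0, 30), "WS1", "SRV2", 200), Transfer(T(9, 3, 20), "SRV2", "SRV3", 180),
    Transfer(T(9, 6, 15), "SRV3", "DB1", 190),
    Transfer(T(10, 0, 10), "WS7", "SRV4", 1000), Transfer(T(10, 2, 5), "SRV4", "SRV8", 1050),
]
```

Running `detect(LOGINS, TRANSFERS)` reports two candidates: the alice chain WS1 → SRV2 → SRV3 → DB1 (three administrator logins, 180-second movement times, sizes 200/180/190) and the carol chain WS7 → SRV4 → SRV8, while bob's 40-minute, 50 000-versus-900-byte hops build no chain.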

Regarding claim 5, DURAIRAJ-HERNACKI teach all limitations of claim 1. DURAIRAJ further teaches “wherein correlating at least login data and network traffic data comprises correlating a firewall traffic log with a security log of at least one of the computers of the network.” ([DURAIRAJ, Col. 8 lines 51-61] “The endpoint application can log the events at the endpoint device on which the endpoint application is installed, at file server 117, or at any other device to which the endpoint application has access. Security system 118 is a computer system that includes a security platform that identifies LM candidates. Firewall 160 logs events which it monitors or facilitates. In some embodiments, the event data logged by AD, by the endpoint application, or by the firewall can, instead or in addition to being logged, be streamed to recipients, such as to security system 118 or to other systems or applications.”).

Regarding claim 8, DURAIRAJ-HERNACKI teaches all limitations of claim 7. DURAIRAJ further teaches “wherein reporting the chain as an illicit lateral movement candidate includes reporting an illicitness score, and wherein the method further comprises computing the illicitness score based at least in part on at least two of the following listed grounds: ([DURAIRAJ, Col. 6 lines 66-67 – Col. 7 lines 1-2] “The LM security application calculates a score for each entity based on the defined event data associated with the entity and the associated weight factor(s). All entities with a score above a certain threshold are identified as LM candidates.”). a movement time between logins to adjacent computers in the chain; ([DURAIRAJ, Col. 6 lines 40-43] “The event data include time-related data, such as timestamp data, which enables some or all of the event data to be sequenced. The LM security application analyzes the timestamp data to sequence the event data”) …... a chain length indication indicating that more than three computers are in the chain; ([DURAIRAJ, ] “As shown in FIG. 2, the usage relationships 230 between the users and the network devices can be captured in a bipartite graph including a first set of nodes representing users (nodes 241, 242, 243 and 244) and a second set of nodes representing network devices (nodes 251, 252, 253 and 254). In some embodiments, the graph is a tripartite graph that additionally includes a third set of nodes representing applications.”) a presence of multiple chains which share at least one computer; ([DURAIRAJ, ] “Based on the usage relationships 230, machine learning model 200 assigns usage similarity scores 260 (also referred to as “similarity scores”) to the network devices represented by the device nodes. The usage similarity scores 260 indicate which of the devices have been used by the same or similar group of users. The details of the process of assigning usage similarity scores 260 are illustrated in FIG. 4.”).
However, DURAIRAJ does not teach “a difference between a transfer size of data transferred to a computer in the chain and a transfer size of data transferred from that computer; at least two protocol choices of how to transfer data to at least two of the computers in the chain; …… or  an anomalousness score based at least in part on previous communications between at least two computers in the chain”.
In analogous teaching HERNACKI teaches “a difference between a transfer size of data transferred to a computer in the chain and a transfer size of data transferred from that computer; at least two protocol choices of how to transfer data to at least two of the computers in the chain; …… or an anomalousness score based at least in part on previous communications between at least two computers in the chain” ([HERNACKI, Col. 6 lines 18-46] “That is, if in a given pair of transmissions, the size of the transmitted data is roughly the same or roughly proportional with some tolerable positive and/or negative error, then the pair of transmissions is considered symmetric with respect to size. For instance, as depicted in FIG. 4, the size of data transmitted from Host A to Host B (e.g. 200 bytes) in transmission 402 is similar with some acceptable error to the size of data transmitted from Host B to Host C (e.g. 180 bytes) in transmission 404. Therefore, the pair of network data transmissions from Host A to Host B and Host B to Host C exhibit size symmetry as defined in some embodiments …… In some embodiments, any network data transmission whose size, for instance, falls within an interval whose boundaries are defined by a predetermined error can be considered a candidate for a transmission that satisfies size symmetry. In one embodiment, the maximum allowable error may be determined by a fixed number (e.g. number of bytes) if, for example, the encoding scheme is known. In another embodiment, the maximum allowable error may be prescribed to be a fixed percentage of the size of the network data transmission under consideration.”).
The same motivation to modify DURAIRAJ with HERNACKI as in the rejection of claim 1 applies.

Regarding claim 12, DURAIRAJ teaches all limitations of claim 7. Furthermore, this claim recites features similar to those in claim 8. Therefore, claim 12 is rejected with a similar rationale as in the rejection of claim 8.

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over DURAIRAJ-HERNACKI, in view of LIU ("Latte: Large-scale lateral movement detection.").

Regarding claim 3, DURAIRAJ-HERNACKI teach all limitations of claim 1. However, DURAIRAJ-HERNACKI does not teach “further characterized by a pattern of administrator logins, in that during the second-computer-login a first user logged into the second computer as an administrator from the first computer, and during the third-computer-login a second user logged into the third computer as an administrator from the second computer.”
In analogous teaching, LIU teaches “further characterized by a pattern of administrator logins, in that during the second-computer-login a first user logged into the second computer as an administrator from the first computer, and during the third-computer-login a second user logged into the third computer as an administrator from the second computer.” ([LIU, Page 4 Section III] “Once an attacker has obtained the credentials to a privileged account, such as a domain administrator, remote file execution can be used to infect other computers on the network at will.”) ([LIU, Page 6 Case Study 1] “As depicted in Figure 4, the cybercriminal first logged on to Computer1, i.e., a computer in a meeting room, then to another computer, i.e., Computer2, in a different meeting room. The attacker next moves to Computer3, and finally to Computer4. Afterwards, the attacker explores the network by jumping back and forth among the four compromised computers. The entire lateral movement process lasts for 1 hour and 8 minutes.”).
Thus, given the teaching of LIU, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of a compromised administrator credential being used to log into multiple computers across a network as taught by LIU into the teaching of a method to detect illicit network activity as taught by DURAIRAJ-HERNACKI. One of ordinary skill in the art would have been motivated to do so because LIU recognizes the importance of detecting and stopping lateral movement across a network ([LIU, Page 1 Section I] “Attackers are successfully penetrating governmental and corporate computer networks with the intent of exfiltrating sensitive data at an alarming rate. ….. we propose Latte, a new graph-based, lateral movement detection system to discover malicious lateral movement paths. Latte analyzes large-scale event logs collected from operational networks. In our system, we model computers and accounts as nodes, and computer-to-computer connections or user logon events as directed edges.”).

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over DURAIRAJ-HERNACKI, in view of MUDDU (US-20170063897-A1).


Regarding claim 4, DURAIRAJ-HERNACKI teach all limitations of claim 1. However, DURAIRAJ-HERNACKI does not teach “further characterized by a pattern of consistent protocol choices in that a to-second-computer protocol used to transfer data from the first computer to the second computer and a to-third-computer protocol used to transfer data from the second computer to the third computer are the same protocol.”
In analogous teaching, MUDDU teaches “further characterized by a pattern of consistent protocol choices in that a to-second-computer protocol used to transfer data from the first computer to the second computer and a to-third-computer protocol used to transfer data from the second computer to the third computer are the same protocol.” ([MUDDU, Paragraph 0264] “if the user actually uses remote desktop protocol (RDP) to login from the first machine to the second machine, then an RDP event is received. This RDP event can be used by the sessionization technique introduced here to discover that these two seemingly unrelated sessions are actually initiated by the same user and should be correlated. This is because, using the aforementioned mechanisms and assuming the RDP event's time is within the valid range, the RDP event would have a match with the first session in its “from-session-link-context”, and have a match with the second session in its “to-session-link-context.””).
Thus, given the teaching of MUDDU, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of using consistent protocol choices throughout the network as taught by MUDDU into the teaching of a method to detect illicit network activity as taught by DURAIRAJ-HERNACKI. One of ordinary skill in the art would have been motivated to do so because MUDDU recognizes the need to detect and block anomalous activity ([MUDDU, Paragraph 0137] “Introduced here, therefore, is a data processing and analytics system (and, as a particular example, a security platform) that employs a variety of techniques and mechanisms for anomalous activity detection in a networked environment in ways that are more insightful and scalable than the conventional techniques.”).

Claim 6 is rejected under 35 U.S.C. 103 as being obvious over DURAIRAJ-HERNACKI, in view of DAS (WO-2016044359-A1).

Regarding claim 6, DURAIRAJ-HERNACKI teaches all limitations of claim 1. However, DURAIRAJ-HERNACKI does not teach “wherein the network of computers comprises at least one of the following: a cloud network, a local area network, a software-defined network, a client-server network, or a network having at least one trust domain.”
In analogous teaching DAS teaches “wherein the network of computers comprises at least one of the following: a cloud network, a local area network, a software-defined network, a client-server network, or a network having at least one trust domain.” ([DAS, Paragraph 0023] “User machines 110, server machines 120, and domain machines 130 may be configured to communicate via any type of network or combination of networks including, without limitation: a wide area network (WAN) such as the Internet, a local area network (LAN), a private network, a public network, a packet network, a circuit-switched network, a wired network, and/or a wireless network.”).
Thus, given the teaching of DAS, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of various different types of networks as taught by DAS into the teaching of a method to detect illicit network activity as taught by DURAIRAJ-HERNACKI. One of ordinary skill in the art would have been motivated to do so because DAS recognizes that lateral movement attacks can occur in various types of networks and that it is important to detect them and stop the intrusion ([DAS, Paragraph 0004] “If lateral movement is not detected, a local compromise may spread and become a global intrusion. As such, it is important to be able to detect the lateral movement of an attacker as soon as possible so that the scope of a breach can be determined and appropriate containment and remediation can be performed.”).

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over DURAIRAJ-HERNACKI, in view of DAS (WO-2016044359-A1).


Regarding claim 9, DURAIRAJ-HERNACKI teaches all limitations of claim 8. However, DURAIRAJ-HERNACKI does not teach “wherein computing the illicitness score is based at least in part on at least three of the listed grounds.”
In analogous teaching, DAS teaches “wherein computing the illicitness score is based at least in part on at least three of the listed grounds.” ([DAS, Paragraph 00118] “Different detection models 161-163 may include a logon model, an event sequence model, and an inter-event time model. Detection models 161-163 may be defined and/or implemented in terms of counts 154 generated from security event data with respect to variables such as account/account type, machine role, logon type, event type, event sequence, event time, and so forth.”).
The same motivation to modify DURAIRAJ-HERNACKI with DAS, as in the rejection of claim 6, applies. 

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over DURAIRAJ (US-10462169-B2), in view of MARWAH (US-20200380117-A1), and further in view of MIZRACHI (US-20180359272-A1).

Regarding claim 10, DURAIRAJ teaches all limitations of claim 7. However, DURAIRAJ does not teach “further comprising at least one of the following responses to the reporting: isolating one of the computers from communication with the network; preventing exfiltration of data from at least one of the computers; inspecting at least one of the computers for malware; inspecting at least one of the computers for a data integrity violation; obtaining a forensic image of volatile memory of at least one of the computers; obtaining a forensic image of non-volatile memory of at least one of the computers; or hardening at least one of the computers against a cyberattack.”
In analogous teaching, MARWAH teaches “further comprising at least one of the following responses to the reporting:   isolating one of the computers from communication with the network; preventing exfiltration of data from at least one of the computers; inspecting at least one of the computers for malware; inspecting at least one of the computers for a data integrity violation;” ([MARWAH, Paragraph 0045] “A “countermeasure” can refer to a remedial action, or a collection of remedial actions, that can be performed to address an anomaly. Examples of countermeasures that can be performed include any of the following: causing a firewall to allow certain communications while blocking other communications, causing an intrusion detection system to detect unauthorized intrusion of a system and to disable access in response to the intrusion detection, causing a disabling system to shut down a device, cause a system to prevent communication by a device within a network, cause a device to shut down or stop or pause a program in the device, cause an anti-malware tool to scan a device or a network for identifying malware and to either remove or quarantine the malware, and so forth.”).
Thus, given the teaching of MARWAH, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of a response to an infected computer as taught by MARWAH into the teaching of a method to detect illicit network activity as taught by DURAIRAJ. One of ordinary skill in the art would have been motivated to do so because MARWAH recognizes the need to monitor networks in order to detect malicious activity. ([MARWAH, Paragraph 0001] “Issues can arise in the computing environment due to behaviors of various entities. Monitoring can be performed to detect such issues, and to take remedial actions to address the issues.”).
However, DURAIRAJ-MARWAH does not teach “obtaining a forensic image of volatile memory of at least one of the computers; obtaining a forensic image of non-volatile memory of at least one of the computers; or hardening at least one of the computers against a cyberattack.”
In analogous teaching, MIZRACHI teaches “obtaining a forensic image of volatile memory of at least one of the computers; obtaining a forensic image of non-volatile memory of at least one of the computers; or hardening at least one of the computers against a cyberattack.” ([MIZRACHI, Paragraph 0006] “The invention focuses on specific outcomes—threat detection, with 24/7 monitoring and alerting, remote incident investigation, and automated malware responses included as parts of an end-to-end service. According to an aspect, the focus is on advanced or targeted attacks that have bypassed existing perimeter controls (e.g., next-generation firewalls [NGFWs], secure web gateways [SWGs], network intrusion detection systems [NIDSs], and the like). According to an aspect, advanced security forensics and analysis that utilizes advanced data analytics is provided, but not exclusively, at the core of the MDR service. Also provided are incident validation and remote remediation services; these may include, but are not limited to, reverse malware engineering, advanced memory forensics, and remediation actions.”).
Thus, given the teaching of MIZRACHI, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of a detailed inspection of an infected computer as taught by MIZRACHI into the teaching of a method to detect illicit network activity as taught by DURAIRAJ. One of ordinary skill in the art would have been motivated to do so because MIZRACHI recognizes the need to enhance cyber security in a network. ([MIZRACHI, Paragraph 0003-0004] “Cybersecurity is a huge challenge for large enterprises and other organizations (government agencies, non-profits, and so forth). The current approach entails using many point solutions in an attempt to keep up with rapid changes in the threat environment ……  What is needed a next-generation enhanced comprehensive cybersecurity platform that provides cloud-connected, agent-based next-generation endpoint protection.”).

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over DURAIRAJ (US-10462169-B2), in view of MUDDU (US-20170063897-A1).

Regarding claim 13, DURAIRAJ teaches all limitations of claim 7. However, DURAIRAJ does not teach “wherein reporting comprises identifying a particular data protocol as being used to transfer data to at least two of the computers in the chain”.
In analogous teaching, MUDDU teaches “wherein reporting comprises identifying a particular data protocol as being used to transfer data to at least two of the computers in the chain” ([MUDDU, Paragraph 0264] “Now, if the user actually uses remote desktop protocol (RDP) to login from the first machine to the second machine, then an RDP event is received. This RDP event can be used by the sessionization technique introduced here to discover that these two seemingly unrelated sessions are actually initiated by the same user and should be correlated.”).
Thus, given the teaching of MUDDU, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of using consistent protocol choices throughout the network as taught by MUDDU into the teaching of a method to detect illicit network activity as taught by DURAIRAJ. One of ordinary skill in the art would have been motivated to do so because MUDDU recognizes the need to detect and block anomalous activity ([MUDDU, Paragraph 0137] “Introduced here, therefore, is a data processing and analytics system (and, as a particular example, a security platform) that employs a variety of techniques and mechanisms for anomalous activity detection in a networked environment in ways that are more insightful and scalable than the conventional techniques.”).

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over DURAIRAJ (US-10462169-B2), in view of LIU ("Latte: Large-scale lateral movement detection.").

Regarding claim 17, DURAIRAJ teaches all limitations of claim 16. However, DURAIRAJ does not teach “wherein building the chain comprises determining that a movement time between two login times is less than two minutes.”
In analogous teaching, LIU teaches “wherein building the chain comprises determining that a movement time between two login times is less than two minutes.” ([LIU, Page 4] “To further prune the graph, Latte includes an optional time constraint for each pair of edges. This constraint is motivated by discussions with analysts who believe that attackers do not typically remain active on the network for an extended period of time to avoid detection. Formally, this constraint requires that each pair of edges in a path must be created within a certain period of time, |time(e_i) − time(e_{i−1})| < T, where |·| represents the absolute value, and T is a user-defined input threshold representing the maximum amount of time the attacker uses to make a pair of consecutive lateral movement hops on the network.”).
Thus, given the teaching of LIU, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of a compromised Administrator credential being used to log in to multiple computers across a network as taught by LIU into the teaching of a method to detect illicit network activity as taught by DURAIRAJ. One of ordinary skill in the art would have been motivated to do so because LIU recognizes the importance of detecting and stopping lateral movements across a network ([LIU, Page 1 Section I] “Attackers are successfully penetrating governmental and corporate computer networks with the intent of exfiltrating sensitive data at an alarming rate. ….. we propose Latte, a new graph-based, lateral movement detection system to discover malicious lateral movement paths. Latte analyzes large-scale event logs collected from operational networks. In our system, we model computers and accounts as nodes, and computer-to-computer connections or user logon events as directed edges.”).

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over DURAIRAJ (US-10462169-B2), in view of FREITAS ("D2m: Dynamic defense and modeling of adversarial movement in networks.").

Regarding claim 18, DURAIRAJ teaches all limitations of claim 16. However, DURAIRAJ does not teach “wherein building the chain comprises determining that a pattern of consistent computer-to-computer data transfer sizes ends at a computer which contained at least one of the following: a domain administrator credential, or a root user credential.”
In analogous teaching, FREITAS teaches “wherein building the chain comprises determining that a pattern of consistent computer-to-computer data transfer sizes ends at a computer which contained at least one of the following: a domain administrator credential, or a root user credential.” ([FREITAS, Section 3.1] “To verify that a remote connection between two machines can be established, authentication information is passed using cached credentials. In an enterprise network, these credentials typically follow a hierarchical scheme: user (c1) at the bottom, local admin (c2) and network admin in the middle (c3), and domain admin (c4) at the top (c1 < c2 < c3 < c4).”) ([FREITAS, Section 3.2] “Finally, we incorporate the concept of privilege escalation by allowing the attacker to connect to a machine that is one credential level higher. That is, if the attacker has collected credentials c1 and c2, they can connect to a c1, c2, or c3 machine.”).
Thus, given the teaching of FREITAS, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of using credentials to spread across the network as taught by FREITAS into the teaching of a method to detect illicit network activity as taught by DURAIRAJ. One of ordinary skill in the art would have been motivated to do so because FREITAS recognizes the importance of preventing lateral attack movements. ([FREITAS, Section 1] “Unfortunately, once an attacker has compromised a single credential for an enterprise machine, the whole network becomes vulnerable to lateral attack movements, allowing the adversary to eventually gain control of the network (i.e., escalating privileges via credential stealing”) …. We propose D2M, the first framework that systematically quantifies network vulnerability to lateral attack and identifies at-risk devices”).

Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over DURAIRAJ (US-10462169-B2).

Regarding claim 19, DURAIRAJ teaches all limitations of claim 16. DURAIRAJ does not explicitly teach “wherein building the chain comprises determining that a computer X at an end of the chain did not contain any credential which has a higher privilege than a credential used by a previous computer in the chain to login to the computer X”; however, DURAIRAJ teaches that a computer at the beginning of the chain obtains higher administrative privileges that are then used to log in to at least one other computer ([DURAIRAJ Col. 4 lines 29-39] “A macro is data that can be used to identify various event-related data, e.g., specific tasks associated with a particular phase of an attack, among others. In an example, a macro comprises one or more features of one or more feature vectors associated with an entity. Some macros may have features that occur in a time-ordered sequence, while other macros may not have such sequencing. In another example, a macro represents a user account logging into a first machine, then changing the privileges of the user account to an administrator account, and then logging into another machine by use of the administrator privileges.”) ([DURAIRAJ Col. 5 lines 1-8] “The intruder next elevates privileges (which may also mask his identity, such as when he elevates his privileges to an administrative account) in order to access critical systems that store sensitive data, such as AD data, shares, databases, etc., and the associated event data is logged by AD. The intruder next runs a number of applications to further compromise the network, spawning a number of processes whose associated event data are logged by AD.”).
Thus, given the teaching of DURAIRAJ, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention that DURAIRAJ renders the claimed feature obvious because, as cited above, DURAIRAJ teaches that the user logs into a first computer, then escalates privileges to an administrator, and from then on compromises other computers on the network. The privilege escalation happens at the beginning of the chain, and no further escalation of privileges is taught by DURAIRAJ after the initial escalation; therefore the claimed feature “wherein building the chain comprises determining that a computer X at an end of the chain did not contain any credential which has a higher privilege than a credential used by a previous computer in the chain to login to the computer X” is an expected result.
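As an added illustration (not code from this Office action or from any of the cited references), the following Python builds login chains under a LIU-style hop-time constraint between consecutive logins (the two-minute window of claim 17) and then applies the claim 19 check that the computer at the end of a chain held no credential ranked above the one used to reach it. The computer names, account names, privilege level names and the resident-credential inventory are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Credential ranks follow the hierarchy quoted from FREITAS (user < local admin
# < network admin < domain admin); the level names themselves are constructed.
PRIVILEGE_RANK = {"user": 1, "local_admin": 2, "network_admin": 3, "domain_admin": 4}

@dataclass(frozen=True)
class Login:
    src: str        # computer the login originated from
    dst: str        # computer that was logged in to
    account: str    # account used (constructed name)
    privilege: str  # privilege level of the credential used, a PRIVILEGE_RANK key
    t: float        # login time in seconds since an arbitrary epoch

def within_hop_window(prev: Login, nxt: Login, max_hop_seconds: float) -> bool:
    """LIU-style constraint on consecutive hops: the next login leaves from the
    computer the previous one reached, strictly later, and within the window."""
    return nxt.src == prev.dst and 0 < nxt.t - prev.t < max_hop_seconds

def build_chains(logins: List[Login], max_hop_seconds: float = 120.0) -> List[List[Login]]:
    """Return every maximal chain of two or more hops satisfying the hop-time
    constraint (default two minutes, as in claim 17). Time strictly increases
    along a chain, so no login repeats and the recursion always terminates."""
    ordered = sorted(logins, key=lambda x: x.t)
    chains: List[List[Login]] = []

    def extend(chain: List[Login]) -> None:
        nexts = [n for n in ordered if within_hop_window(chain[-1], n, max_hop_seconds)]
        if not nexts:
            if len(chain) > 1:
                chains.append(chain)
            return
        for nxt in nexts:
            extend(chain + [nxt])

    # Only logins with no valid predecessor start a chain, so a suffix of a
    # longer chain is never reported as a chain of its own.
    for first in ordered:
        if not any(within_hop_window(p, first, max_hop_seconds) for p in ordered):
            extend([first])
    return chains

def chain_ends_without_escalation(chain: List[Login], resident: Dict[str, List[str]]) -> bool:
    """Claim-19-style check: True when the computer at the end of the chain held
    no credential ranked above the one used to log in to it. `resident` maps a
    computer to the credential levels cached on it (constructed inventory)."""
    last = chain[-1]
    used = PRIVILEGE_RANK[last.privilege]
    return all(PRIVILEGE_RANK[c] <= used for c in resident.get(last.dst, []))

# Constructed sample: one account hops through four machines (the last hop
# arrives 300 s after the previous one) plus one unrelated login.
SAMPLE_LOGINS = [
    Login("ws-01", "ws-02", "acct-a", "user", 0.0),
    Login("ws-02", "srv-01", "acct-a", "local_admin", 60.0),
    Login("srv-01", "srv-02", "acct-a", "local_admin", 100.0),
    Login("srv-02", "dc-01", "acct-a", "local_admin", 400.0),
    Login("ws-05", "ws-06", "acct-b", "user", 50.0),
]
RESIDENT_CREDENTIALS = {"srv-02": ["user", "local_admin"], "dc-01": ["domain_admin"]}

if __name__ == "__main__":
    for c in build_chains(SAMPLE_LOGINS):
        print(" -> ".join([c[0].src] + [h.dst for h in c]), chain_ends_without_escalation(c, RESIDENT_CREDENTIALS))
```

With the two-minute window the 300 s gap before dc-01 breaks the chain at srv-02; widening the window to 600 s extends the chain to dc-01, where the resident domain administrator credential outranks the one used to log in.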

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over DURAIRAJ (US-10462169-B2), in view of LI (US-20210029193-A1).

Regarding claim 20, DURAIRAJ teaches all limitations of claim 16. However, DURAIRAJ does not teach “wherein building the chain comprises determining that a login between two computers utilized a server message block protocol.”
In analogous teaching, LI teaches “wherein building the chain comprises determining that a login between two computers utilized a server message block protocol.” ([LI, 0028] “the user name and the password that are entered by the user for login authentication, and sending the access request information to the first electronic device by using the Wi-Fi hotspot; receiving, by the first electronic device, the access request information from a first port, where the first port is a serving port for the server message block SMB protocol;”).
Thus, given the teaching of LI, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of using credentials to spread across the network as taught by LI into the teaching of a method to detect illicit network activity as taught by DURAIRAJ. One of ordinary skill in the art would have been motivated to do so because LI recognizes the benefits of utilizing the server message block protocol over other means to access different computers on a local network. ([LI, Paragraph 0018] “In this way, there is no need to install any software on the first electronic device and the second electronic device, there is no need to connect the first electronic device and the second electronic device by using a USB cable, and the data stored in the first electronic device can be accessed quickly and conveniently from the second electronic device, provided that the first electronic device and the second electronic device are connected to the same local area network.”).

The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
CHIU (US-20170099306-A1) discloses a system to detect and prevent a cyber attack on a private computer network by analyzing incoming network traffic to prevent malicious access events from compromising critical assets.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AFAQ ALI whose telephone number is (571)272-1571. The examiner can normally be reached Mon - Fri 7:30am - 5:30pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/AFAQ ALI/Examiner, Art Unit 2434
/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434