DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
This communication is in response to the amendment filed on 13 December 2021.
Claims 1-3, 5, 7-12, and 14-20 are amended.
Claims 1-20 have been examined. 

Response to Arguments
In response to Applicant’s remarks filed on 13 December 2021:
a.	Objections to claims 10 and 12 are withdrawn in view of Applicant’s amendments.
b.	Applicant's arguments with respect to the 35 U.S.C. 102 and 103 rejections of the pending claims are moot in view of new ground(s) of rejection presented hereon, as detailed below.
	In addition, on page 8 of Applicant’s remarks, Applicant asserts that it was discussed and agreed in a previous interview that the cited prior art fails to teach or suggest the following newly-added limitations of amended claim 1: “transforming the ingested event log to a temporal-based journal entry ... wherein the temporal-based 
	The Office respectfully disagrees with the above remarks because no such agreement was reached in the previous interview. Rather, the following is recorded in the interview summary dated 19 November 2021: “The examiner point out that Crabtree teaches these features. See, for example, Crabtree para. 0051, 0072, and 0075.” The cited prior art teaches and suggests the claim limitations at issue, as detailed below in the claim rejections under 35 U.S.C. 103.

Claims 8 and 15 recite limitations similar to those of claim 1 and are unpatentable over the prior art for the same reasons that claim 1 is unpatentable, as set forth above.

Claims 2-7, 9-14, and 16-20 are unpatentable over the prior art for the same reasons that claims 1, 8, and 15 are unpatentable, as set forth above.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1-13 and 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over Singh et al. (U.S. Patent No. 10,419,469 B1, hereinafter referred to as Singh) in view of Crabtree et al. (U.S. Patent Application Publication No. 20180219919 A1, hereinafter referred to as Crabtree).
As to claim 1, Singh teaches a system comprising:
a non-transitory memory storing instructions (see Singh col. 3 L30-47: the invention is embodied as a computer system comprising a memory that provides instructions to a processor); and
one or more hardware processors configured to execute the instructions to cause the system to perform operations comprising (see Singh col. 3 L30-47: the invention is embodied as a computer system comprising a memory that provides instructions to a processor):
receiving an event update associated with a first user account (see Singh col. 39 L35-50 and Fig. 22: at step 2202, data about a user’s network activity is received);
determining a graph mutation on a graph-based model, based in part on the event update (Note: The claimed “graph mutation” is interpreted in light of the instant specification to be a change to the graph.  See instant specification para. 0019, which states (emphasis added): “changes (mutations) from the logging database 208, can be ingested by a graph log ingestion module 210.”
see Singh col. 39 L35-50 and Fig. 22: the received data is data about a user login activity, which is used to update a graph);
ingesting an event log for the graph mutation (see Singh col. 39 L35-50 and Fig. 22: at step 2202, data about a user’s network activity is received);
transforming the ingested event log to a temporal-based journal entry recorded in a temporal-based journal (Note: In accordance with its meaning in the computing arts, “journaling” is interpreted as “Keeping track of events by recording them in a log (the journal)”1. Hence, the claimed “journal entry” is interpreted as a log entry.
see Singh col. 20 L17-27: a graph representing a summary of all activity within a time interval is stored in database 142).
Singh does not appear to explicitly disclose receiving, via a wireless network communication; wherein the temporal-based journal entry represents a change of a first node corresponding to the first user account in the graph-based model based on a relationship between the first node and a second node corresponding to a second user account in the graph-based model; analyzing a transformation of the graph-based model within a time period based on one or more temporal-based journal entries recorded in the temporal-based journal; determining that the first user account has been used to perform a malicious activity based on the analyzing; and performing an action to the first user account based on the determining that the first user account has been used to perform the malicious activity.
However, Crabtree teaches:
receiving, via a wireless network communication (see Crabtree para. 0096 and Fig. 21: client-server communication over a wireless network);
transforming an ingested event log to a temporal-based journal entry recorded in a temporal-based journal (see Crabtree para. 0068: logging service 530 transforms requests and messages into an event log; and see Crabtree para. 0079: events are logged as time-series data), wherein the temporal-based journal entry represents a change of a first node corresponding to the first user account in the graph-based model based on a relationship between the first node and a second node corresponding to a second user account in the graph-based model (see Crabtree para. 0076: cyber-physical system graph (CPG) represents relationships between users, servers,  devices, and other resources in a security infrastructure, and logged events are used to update cyber-physical system graph (CPG) to reflect changes over time; and see Crabtree Fig. 5: an illustrative example of the graph visualization is shown, depicting relationships between actors 512a-d);
analyzing a transformation of the graph-based model within a time period based on one or more temporal-based journal entries recorded in the temporal-based journal (see Crabtree para. 0072: the system performs cybersecurity behavioral analytics to analyze behavior patterns based on a directed computational graph (DCG) 155; and see Crabtree para. 0049: system processing is performed over regular timing intervals);
determining that the first user account has been used to perform a malicious activity based on the analyzing (see Crabtree para. 0072: the cybersecurity behavioral analytics detects malicious activity; and see Crabtree para. 0073: the detected malicious activity may be the result of a human actor or an automated software “bot”); and
performing an action to the first user account based on the determining that the first user account has been used to perform the malicious activity (see Crabtree para. 0072-0073: in response to detecting the malicious activity, the system automatically implements security suggestions to defend against the bad actor).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to have modified Singh to include the teachings of Crabtree because Crabtree’s automated behavioral learning “provides a much more responsive solution than manual intervention, enabling rapid response to threats to mitigate any potential impact” (see Crabtree para. 0073).

As to claim 2, Singh as modified by Crabtree teaches wherein the operations further comprise:
documenting the graph mutation in the event log (Note: The claimed “graph mutation” is interpreted in light of the instant specification to be a change to the graph.  See instant specification para. 0019, which states (emphasis added): “changes (mutations) from the logging database 208, can be ingested by a graph log ingestion module 210.”
see Singh col. 39 L35-50 and Fig. 22: the received data is data about a user login activity, which is used to update a graph; and see Singh col. 37 L3-14 and Fig. 1: user login data is stored in database 142 of platform 102); and
storing the event log (see Singh col. 37 L3-14 and Fig. 1: user login data is stored in database 142 of platform 102).

As to claim 3, Singh as modified by Crabtree teaches wherein the operations further comprise:
ingesting a simulated graph mutation that simulates the determined graph mutation (see Crabtree para. 0050 and Fig. 1: simulation module 125 directs graph module 155 to transform a graph for producing a simulation).

As to claim 4, Singh as modified by Crabtree teaches wherein the simulated graph mutation is created by an external graph builder (see Crabtree para. 0050 and Fig. 1: graph stack service module 145 represents data in graphical form).

As to claim 5, Singh as modified by Crabtree teaches wherein the operations further comprise:
deploying queries simulation using the temporal-based journal entry (see Crabtree para. 0064: simulation capabilities of the system enable a variety of queries).

As to claim 6, Singh as modified by Crabtree teaches wherein the temporal-based journal entry is vertex centric (Note: As is well known to those of ordinary skill in the art, in graph theory the term “vertex” is synonymous with “node.”2
see Singh col. 20 L17-27: a graph representing a summary of all activity within a time interval is stored in database 142; and see Singh col. 49 L58 to col. 50 L2 and Fig. 32: graph 3200 is centered around nodes that represent users; in the illustrative example in Fig. 32, there are nodes for the user “Bill” and the user “root” 3208).

As to claim 7, Singh as modified by Crabtree teaches wherein the graph mutation includes a timestamp associated with the change of the first node (see Singh col. 20 L17-27: a graph representing a summary of all activity within a time interval is stored in database 142; and see Singh col. 5 L43-48: each event has an associated timestamp).

As to claim 8, Singh teaches a method comprising:
receiving, by one or more hardware processors (see Singh col. 3 L30-47: the method of the invention is performed by a computer comprising a processor), an event update associated with a first user account (see Singh col. 39 L35-50 and Fig. 22: at step 2202, data about a user’s network activity is received);
determining a change of a first node corresponding to the first user account in a graph (see Singh col. 39 L35-50 and Fig. 22: the received data is data about a user login activity, which is used to update a graph) based on the event log (see Singh col. 39 L35-50 and Fig. 22: at step 2202, data about a user’s network activity is received; and see Singh col. 45 L31-45 and Fig. 26: the received data is log data);
determining a timestamp and a characteristic associated with the change based on a relationship between the first node and a second node corresponding to a second user account in the graph (see Singh col. 49 L58 to col. 50 L2 and Fig. 32: in graph 3200, edge 3206 represents a relationship between the node for user “Bill” and the node for user “root”; based on this relationship, the system determines that an anomalous privilege escalation occurred at the time 3202; Note: Singh’s privilege escalation corresponds to the claimed “change,” and Singh’s determination of anomalous privilege escalation corresponds to the claimed “property for the change”);
generating a temporal graph-based journal entry representing the change of the first node in association with the second node, the timestamp, and the characteristic (Note: In accordance with its meaning in the computing arts, the claimed “journaling” is interpreted as “Keeping track of events by recording them in a log (the journal)”3.
see Singh col. 20 L17-27: a graph representing a summary of all activity within a time interval is stored in database 142);
storing the temporal graph-based journal entry in a temporal-based journal within a physical datastore (see Singh col. 20 L17-27: a graph representing a summary of all activity within a time interval is stored in database 142).
Singh does not appear to explicitly disclose analyzing, by one or more hardware processors, a transformation of a graph within a time period based on one or more temporal-based journal entries from a temporal-based journal; determining, by the one or more hardware processors, that a first user account has been used to perform a malicious activity based on the analyzing; and performing, by the one or more hardware processors, an action to the first user account based on the determining that the first user account has been used to perform the malicious activity.
However, Crabtree teaches:
generating a temporal graph-based journal entry (Note: In accordance with its meaning in the computing arts, the claimed “journaling” is interpreted as “Keeping track of events by recording them in a log (the journal)”4.
see Crabtree para. 0068: logging service 530 transforms requests and messages into an event log; and see Crabtree para. 0079: events are logged as time-series data) representing a change of a first node in association with a second node, a timestamp, and a characteristic (see Crabtree para. 0076: cyber-physical system graph (CPG) represents relationships between users, servers,  devices, and other resources in a security infrastructure, and logged events are used to update cyber-physical system graph (CPG) to reflect changes over time; and see Crabtree Fig. 5: an illustrative example of the graph visualization is shown, depicting relationships between actors 512a-d);
storing the temporal graph-based journal entry in a temporal-based journal within a physical datastore (see Crabtree para. 0068: logging service 530 transforms requests and messages into an event log; and see Crabtree para. 0079: events are logged as time-series data);
analyzing, by one or more hardware processors (see Crabtree para. 0092: the method of the invention is performed by a computer comprising a processor), a transformation of a graph within a time period based on one or more temporal-based journal entries from a temporal-based journal (see Crabtree para. 0072: the system performs cybersecurity behavioral analytics to analyze behavior patterns based on a directed computational graph (DCG) 155; and see Crabtree para. 0049: system processing is performed over regular timing intervals);
determining, by the one or more hardware processors, that a first user account has been used to perform a malicious activity based on the analyzing (see Crabtree para. 0072: the cybersecurity behavioral analytics detects malicious activity; and see Crabtree para. 0073: the detected malicious activity may be the result of a human actor or an automated software “bot”); and
performing, by the one or more hardware processors, an action to the first user account based on the determining that the first user account has been used to perform the malicious activity (see Crabtree para. 0072-0073: in response to detecting the malicious activity, the system automatically implements security suggestions to defend against the bad actor).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to have modified Singh to include the teachings of Crabtree because Crabtree’s automated behavioral learning “provides a much more responsive solution than manual intervention, enabling rapid response to threats to mitigate any potential impact” (see Crabtree para. 0073).

As to claim 9, Singh as modified by Crabtree teaches further comprising: 
simulating a graph mutation based on the event log (see Crabtree para. 0050 and Fig. 1: simulation module 125 directs graph module 155 to transform a graph for producing a simulation).

As to claim 10, Singh as modified by Crabtree teaches further comprising:
in response to a query comprising a particular time that corresponds to the timestamp, accessing the stored temporal graph-based journal entry from the physical datastore (see Singh col. 50 L50-67 and Fig. 33: a user queries the dataset for events during a given time period and the system dynamically generates structured query language (SQL) queries to retrieve the requested data).

As to claim 11, Singh as modified by Crabtree teaches further comprising:
generating a journal entry snapshot for the event log (see Singh col. 18 L57 to col. 19 L8: ongoing hourly snapshots are created for activities in a datacenter).

As to claim 12, Singh as modified by Crabtree teaches further comprising:
generating a simulated graph mutation based on the simulating (see Crabtree para. 0050 and Fig. 1: simulation module 125 directs graph module 155 to transform a graph for producing a simulation).

As to claim 13, Singh as modified by Crabtree teaches wherein the temporal graph-based journal entry is node centric and based on the second node (see Singh col. 49 L58 to col. 50 L2 and Fig. 32: graph 3200 is centered around nodes that represent users; in the illustrative example in Fig. 32, there are nodes for the user “Bill” and the user “root” 3208).

As to claim 15, Singh teaches a non-transitory machine-readable medium having stored thereon machine-readable instructions executable to cause a machine to perform operations comprising (see Singh col. 3 L30-47: a memory provides instructions to a processor):
receiving an event update associated with a first user account (see Singh col. 39 L35-50 and Fig. 22: at step 2202, data about a user’s network activity is received);
determining a graph mutation on a graph-based model, based in part on the event update (Note: The claimed “graph mutation” is interpreted in light of the instant specification to be a change to the graph.  See instant specification para. 0019, which states (emphasis added): “changes (mutations) from the logging database 208, can be ingested by a graph log ingestion module 210.”
see Singh col. 39 L35-50 and Fig. 22: the received data is data about a user login activity, which is used to update a graph);
ingesting an event log for the graph mutation (see Singh col. 39 L35-50 and Fig. 22: at step 2202, data about a user’s network activity is received);
transforming the ingested event log to a temporal-based journal entry recorded in a temporal-based journal (Note: In accordance with its meaning in the computing arts, “journaling” is interpreted as “Keeping track of events by recording them in a log (the journal)”5. Hence, the claimed “journal entry” is interpreted as a log entry.
see Singh col. 20 L17-27: a graph representing a summary of all activity within a time interval is stored in database 142).
Singh does not appear to explicitly disclose wherein the temporal-based journal entry represents a change of a first node corresponding to the first user account in the graph-based model based on a relationship between the first node and a second node corresponding to a second user account in the graph-based model; analyzing a transformation of the graph-based model within a time period based on one or more temporal-based journal entries recorded in the temporal-based journal; determining that the first user account has been used to perform a malicious activity based on the analyzing; and performing an action to the first user account based on the determining that the first user account has been used to perform the malicious activity.
However, Crabtree teaches:
transforming an ingested event log to a temporal-based journal entry recorded in a temporal-based journal (see Crabtree para. 0068: logging service 530 transforms requests and messages into an event log; and see Crabtree para. 0079: events are logged as time-series data), wherein the temporal-based journal entry represents a change of a first node corresponding to the first user account in the graph-based model based on a relationship between the first node and a second node corresponding to a second user account in the graph-based model (see Crabtree para. 0076: cyber-physical system graph (CPG) represents relationships between users, servers,  devices, and other resources in a security infrastructure, and logged events are used to update cyber-physical system graph (CPG) to reflect changes over time; and see Crabtree Fig. 5: an illustrative example of the graph visualization is shown, depicting relationships between actors 512a-d);
analyzing a transformation of the graph-based model within a time period based on one or more temporal-based journal entries recorded in the temporal-based journal (see Crabtree para. 0072: the system performs cybersecurity behavioral analytics to analyze behavior patterns based on a directed computational graph (DCG) 155; and see Crabtree para. 0049: system processing is performed over regular timing intervals);
determining that the first user account has been used to perform a malicious activity based on the analyzing (see Crabtree para. 0072: the cybersecurity behavioral analytics detects malicious activity; and see Crabtree para. 0073: the detected malicious activity may be the result of a human actor or an automated software “bot”); and
performing an action to the first user account based on the determining that the first user account has been used to perform the malicious activity (see Crabtree para. 0072-0073: in response to detecting the malicious activity, the system automatically implements security suggestions to defend against the bad actor).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to have modified Singh to include the teachings of Crabtree because Crabtree’s automated behavioral learning “provides a much more responsive solution than manual intervention, enabling rapid response to threats to mitigate any potential impact” (see Crabtree para. 0073).

As to claim 16, see the rejection of claim 3 above.

As to claim 17, see the rejection of claim 4 above.

As to claim 18, see the rejection of claim 5 above.

As to claim 19, see the rejection of claim 6 above.

As to claim 20, Singh as modified by Crabtree teaches wherein the graph mutation includes and includes a timestamp associated with the event update (see Singh col. 20 L17-27: a graph representing a summary of all activity within a time interval is stored in database 142; and see Singh col. 5 L43-48: each event has an associated timestamp).

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Singh and Crabtree as applied to claim 8 above, and further in view of Choudhury et al. (U.S. Patent Application Publication No. 20180329958 A1, hereinafter referred to as Choudhury).
As to claim 14, Singh as modified by Crabtree does not appear to explicitly disclose wherein the change of the first node includes a removal of the first node.
However, Choudhury teaches wherein the change of the first node includes a removal of the first node (see Choudhury para. 0076: changes to the graph include removal of a vertex).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to have modified Singh as modified by Crabtree to include the teachings of Choudhury because it provides an interactive way for users to detect events of interest (see Choudhury para. 0053).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to UMAR MIAN whose telephone number is (571) 270-3970.  The examiner can normally be reached on Monday to Friday, 10 am to 6:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Tony Mahmoudi can be reached on (571) 272-4078.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/UM/Examiner, Art Unit 2163

/TONY MAHMOUDI/Supervisory Patent Examiner, Art Unit 2163

1 See https://www.computerlanguage.com/results.php?definition=journaling
2 See https://mathworld.wolfram.com/GraphVertex.html
3 See https://www.computerlanguage.com/results.php?definition=journaling
4 See https://www.computerlanguage.com/results.php?definition=journaling
5 See https://www.computerlanguage.com/results.php?definition=journaling