DETAILED ACTION
This action is in response to the claims filed 5/9/2019.  Claims 1-20 are pending.  Independent claims 1, 11 and 17, and corresponding dependent claims are directed towards a method, device and system for lateral movement path detection.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Drawings
The drawings are objected to because: Fig. 1 item 106 is not disclosed in the specification; Fig. 2 and Fig. 3 are not properly separated on the same page (recommend moving the “Fig. 3” label to below the drawing of Fig. 2). Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the 
Specification
The disclosure is objected to because of the following informalities: [013] the acronyms CD-ROM and EEPROM are not expanded; [016] l. 5 “ach” should be “each”; [032] item 510 is not shown in the drawings; and [032] “400” should be “500”. Appropriate correction is required.
Claim Objections
Claims 1, 13-14, 16 and 20 are objected to because of the following informalities, shown with suggested amendments: Claim 1 the acronym “REST API” is not expanded; Claim 13 l. 2 “authentication protocol[[s]]” for grammar; Claim 14 ll. 2-3 “users, groups and applications of a cloud tenant” for grammar; Claim 16 l. 1 “wherein the data grabber” for grammar; and Claim 20 l. 2 “users, groups and applications of a cloud tenant” for grammar.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claim 20 is rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
Claim 20 l. 1 recites the limitation “wherein the management service applies” which lacks proper antecedent basis as there is no prior recitation of a “management service.” For purposes of applying prior art the limitation has been construed as “wherein the management service directory applies”.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Swiler et al. (US 7,013,395 B1), issued Mar. 14, 2006, in view of Thake et al. “Overview of Microsoft Graph”, published Jan. 29, 2019.
As to claim 1, Swiler substantially discloses a method of detecting a lateral movement path (Swiler [Abstract]), the method comprising:
gathering data (Swiler col. 7 ll. 20-26 scan by searching network elements for information including processes, utilities running and vulnerabilities);
grouping the data into a graph (Swiler Fig. 2) having nodes of users (Swiler Fig. 2 showing nodes with user information “Attacker on Internet”, bottom right “Plaintext Password of user on Machines B, C”), groups (Swiler Fig. 2 showing acquired privilege levels (i.e. access groups) in nodes (e.g. “Root”, “Normal”); col. 6 l. 67 – col. 7 l. 3 user classes “none, guest, normal, system administrator, root”), and devices (Swiler Fig. 2 showing Machine A, B, and C in the nodes), the nodes coupled together via edges (Swiler Fig. 2 showing edges connecting nodes; col. 4 ll. 38-42 edges represent change of state (relationship between nodes)); and
providing a visualization of the graph to illustrate lateral paths of the management service directory (Swiler Fig. 2; col. 7 l. 65 – col. 8 l. 4 display generated graph).
Swiler fails to explicitly disclose gathering data via programmatic access to a management service directory through a REST API endpoint.
Thake describes an overview of Microsoft Graph API.
With this in mind, Thake discloses gathering data via programmatic access to a management service directory through a REST API endpoint (Thake pg. 1 ¶1 Microsoft Graph is unified programmability model; pg. 1 ¶2 via single endpoint; pg. 1 ¶3 Microsoft Graph exposes REST API for access to data). It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the data accessing of Thake with the network scanning of 
As to claim 2, Swiler and Thake disclose the invention as claimed as described in claim 1, including wherein the management service directory is included in a cloud-based identity and access management service (Thake pg. 1 ¶3 Azure Active Directory - Azure Active Directory is a cloud-based identity and access management service).
As to claim 3, Swiler and Thake disclose the invention as claimed as described in claim 2, including wherein the cloud-based identity and access management service manages web-based services (Thake pg. 1 ¶3 Azure Active Directory - Azure Active Directory is a cloud-based identity and access management service that manages access to web based applications including SAAS applications).
As to claim 4, Swiler and Thake disclose the invention as claimed as described in claim 3, including wherein the web-based services include software as a service applications (Thake pg. 1 ¶3 Azure Active Directory - Azure Active Directory is a cloud-based identity and access management service that manages access to web based applications including SAAS applications).
As to claim 5, Swiler and Thake disclose the invention as claimed as described in claim 1, including wherein the edges represent relationships between the nodes (Swiler showing edges connecting nodes; col. 4 ll. 38-42 edges represent change of state (relationship between nodes)).
As to claim 6, Swiler and Thake disclose the invention as claimed as described in claim 1, including wherein the nodes include users (Swiler Fig. 2 showing nodes with user information “Attacker on Internet”, bottom right “Plaintext Password of user on Machines B, C), groups (Swiler Fig. 2 showing acquired privilege levels (i.e. access groups) in nodes (e.g. “Root”, “Normal”); col. 6 l. 67 – col. 7 l. 3 user classes “none, guest, normal, system administrator, root”), and devices (Swiler Fig. 2 showing Machine A, B, and C in the nodes) in the management service directory (Thake pg. 1 ¶1 Microsoft Graph is unified programmability model; pg. 1 ¶2 via single endpoint; pg. 1 ¶3 Microsoft Graph exposes REST API for access to data).
As to claim 7, Swiler and Thake disclose the invention as claimed as described in claim 6, including wherein edges between the nodes of users and groups include a user's connection to a group (Swiler Fig. 2 traversal between “Machine A: Root User” to “Machines B, C: Normal User” has edges with descriptions of connections “Install Sniffer”, “Acquire Plaintext PW” and “Gain Normal User” – this is user gaining new privilege (i.e. group)).
As to claim 8, Swiler and Thake disclose the invention as claimed as described in claim 6, including wherein edges between the nodes of users or groups and devices include a user's or group's connection to a device (Swiler Fig. 2 traversal between “Machine A: Root User” to “Machines B, C: Normal User” has edges with descriptions of connections “Install Sniffer”, “Acquire Plaintext PW” and “Gain Normal User” – this is user gaining access to new devices B and C).
As to claim 9, Swiler and Thake disclose the invention as claimed as described in claim 1, including wherein the visualization depicts lateral paths between sensitive accounts and non-sensitive accounts (Swiler Fig. 2 showing attacker on internet traversing to root user on Machines A, B and C via different lateral paths).
As to claim 10, Swiler and Thake disclose the invention as claimed as described in claim 9, including wherein the visualization depicts a lateral path from a non-sensitive user (Swiler Fig. 2 Attacker on Internet) to a device (Swiler Fig. 2 Machine A) to a group (Swiler Fig. 2 Machine A: Root User – group is root privilege) to a sensitive user (Swiler Fig. 2 Normal User on machines B, C – acquired password).
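The following Python is an added illustration of the claimed method as mapped in claims 1-10 above; it is not the applicant's, Swiler's or Thake's code. It gathers users, groups and devices through a single fetch callable (standing in for authenticated REST calls to the Microsoft Graph endpoint), groups them into a graph, enumerates lateral paths from non-sensitive to sensitive accounts, and emits a Graphviz DOT visualization. The sample directory, the "/relationships" path, the relationship kinds and the direction in which each is traversed are constructed assumptions for this example.

```python
"""Lateral movement path detection over a directory graph.

Added example for this page, not the applicant's, Swiler's or Thake's code.
SAMPLE_DIRECTORY is constructed to mimic the shape of Microsoft Graph objects;
the "/relationships" path, the relationship kinds and their traversal
direction are assumptions of this example.
"""
from collections import defaultdict

GRAPH_BASE = "https://graph.microsoft.com/v1.0"  # real REST endpoint; not called offline

SAMPLE_DIRECTORY = {
    "/users": [
        {"id": "u-alice", "userPrincipalName": "alice@contoso.example", "sensitive": False},
        {"id": "u-bob",   "userPrincipalName": "bob@contoso.example",   "sensitive": False},
        {"id": "u-da",    "userPrincipalName": "da@contoso.example",    "sensitive": True},
    ],
    "/groups": [
        {"id": "g-helpdesk", "displayName": "Helpdesk"},
        {"id": "g-da",       "displayName": "Domain Admins"},
    ],
    "/devices": [
        {"id": "d-ws1", "displayName": "WS-ALICE"},
        {"id": "d-srv", "displayName": "SRV-FILE"},
    ],
    # (source, kind, target); traversal follows the arrow. Assumed semantics:
    #   member_of  user -> group        (owning the user yields the group's rights)
    #   admin_to   user|group -> device (local admin, so the device can be taken over)
    #   session_of device -> user       (a taken device exposes that user's credentials)
    "/relationships": [
        ("u-alice",    "member_of",  "g-helpdesk"),
        ("u-da",       "member_of",  "g-da"),
        ("g-helpdesk", "admin_to",   "d-srv"),
        ("u-bob",      "admin_to",   "d-ws1"),
        ("d-srv",      "session_of", "u-da"),
        ("d-ws1",      "session_of", "u-alice"),
    ],
}

def sample_fetch(path):
    """Stand-in for an authenticated GET on GRAPH_BASE + path (constructed data)."""
    return SAMPLE_DIRECTORY[path]

def gather(fetch):
    """Data grabber: collect users, groups, devices and relationships via one callable."""
    return {p: fetch(p) for p in ("/users", "/groups", "/devices", "/relationships")}

def build_graph(data):
    """Group the gathered data into typed nodes and a directed adjacency list."""
    nodes = {}
    for u in data["/users"]:
        nodes[u["id"]] = {"kind": "user", "label": u["userPrincipalName"],
                          "sensitive": bool(u.get("sensitive"))}
    for g in data["/groups"]:
        nodes[g["id"]] = {"kind": "group", "label": g["displayName"], "sensitive": False}
    for d in data["/devices"]:
        nodes[d["id"]] = {"kind": "device", "label": d["displayName"], "sensitive": False}
    edges = defaultdict(list)
    for src, kind, dst in data["/relationships"]:
        if src in nodes and dst in nodes:  # drop edges to objects that were never fetched
            edges[src].append((kind, dst))
    return nodes, edges

def lateral_paths(nodes, edges, max_hops=8):
    """Enumerate simple paths (node id lists) from non-sensitive users to sensitive users."""
    found = []

    def walk(node, path):
        if len(path) - 1 >= max_hops:  # hop budget spent
            return
        for _kind, nxt in edges.get(node, []):
            if nxt in path:            # simple paths only: no revisiting
                continue
            if nodes[nxt]["sensitive"]:
                found.append(path + [nxt])  # a sensitive account ends the path
            else:
                walk(nxt, path + [nxt])

    for nid, n in nodes.items():
        if n["kind"] == "user" and not n["sensitive"]:
            walk(nid, [nid])
    return found

def labels(nodes, path):
    """Render a path of node ids as display labels."""
    return [nodes[n]["label"] for n in path]

def to_dot(nodes, edges, paths):
    """Visualization: Graphviz DOT with sensitive nodes and lateral-path edges in red."""
    on_path = {pair for p in paths for pair in zip(p, p[1:])}
    shape = {"user": "ellipse", "group": "box", "device": "hexagon"}
    out = ["digraph lateral {"]
    for nid, n in nodes.items():
        red = ", color=red" if n["sensitive"] else ""
        out.append(f'  "{nid}" [label="{n["label"]}", shape={shape[n["kind"]]}{red}];')
    for src, outs in edges.items():
        for kind, dst in outs:
            red = ", color=red" if (src, dst) in on_path else ""
            out.append(f'  "{src}" -> "{dst}" [label="{kind}"{red}];')
    out.append("}")
    return "\n".join(out)

if __name__ == "__main__":
    nodes, edges = build_graph(gather(sample_fetch))
    paths = lateral_paths(nodes, edges)
    for p in paths:
        print(" -> ".join(labels(nodes, p)))
    print(to_dot(nodes, edges, paths))
```

Run as a script it prints two paths, both ending at the sensitive account: alice -> Helpdesk -> SRV-FILE -> da, and bob -> WS-ALICE -> alice -> Helpdesk -> SRV-FILE -> da. A real grabber would replace sample_fetch with GETs against GRAPH_BASE carrying an OAuth 2.0 bearer token and following @odata.nextLink for paging, and would populate relationships from per-object endpoints such as /users/{id}/memberOf. The sequence of node kinds along a path (for claim 10, user, device, group, user) depends on which relationships an implementation records; the kinds assumed here yield user, group, device, user and user, device, user, group, device, user orderings instead.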
As to claim 11, Swiler substantially discloses a computer readable storage device (Swiler claim 12 storage system) to store computer executable instructions (Swiler col. 5 l. 55 – col. 6 l. 21 graph generator C++ program) to control a processor to:
gather data (Swiler col. 7 ll. 20-26 scan by searching network elements for information including processes, utilities running and vulnerabilities);
group the data into a graph (Swiler Fig. 2) having nodes of users (Swiler Fig. 2 showing nodes with user information “Attacker on Internet”, bottom right “Plaintext Password of user on Machines B, C”), groups (Swiler Fig. 2 showing acquired privilege levels (i.e. access groups) in nodes (e.g. “Root”, “Normal”); col. 6 l. 67 – col. 7 l. 3 user classes “none, guest, normal, system administrator, root”), and devices (Swiler Fig. 2 showing Machine A, B, and C in the nodes), the nodes coupled together via edges (Swiler Fig. 2 showing edges connecting nodes; col. 4 ll. 38-42 edges represent change of state (relationship between nodes)); and
provide a visualization of the graph to illustrate lateral paths of the management service directory (Swiler Fig. 2; col. 7 l. 65 – col. 8 l. 4 display generated graph).
Swiler fails to explicitly disclose gathering data via programmatic access to a management service directory through a REST API endpoint.
Thake discloses gathering data via programmatic access to a management service directory through a REST API endpoint (Thake pg. 1 ¶1 Microsoft Graph is unified programmability model; pg. 1 ¶2 via single endpoint; pg. 1 ¶3 Microsoft Graph exposes REST API for access to data).
It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the data accessing of Thake with the network scanning of Swiler, such that an Azure Active Directory is scanned to acquire the lists and information regarding network elements, as it would advantageously allow for access to data via a single endpoint (Thake pg. 1 ¶1).
As to claim 12, Swiler and Thake disclose the invention as claimed as described in claim 11, including wherein the management service directory is included in a management service (Thake pg. 1 ¶3 Azure Active Directory is a cloud-based identity and access management service).
As to claim 13, Swiler and Thake disclose the invention as claimed as described in claim 12, including wherein the management service applies an authentication protocols of Security Assertion Markup Language (SAML) or Open Authorization (OAuth) (Thake pg. 1 Azure Active Directory – Azure Active Directory supports both SAML and OAuth2 authentication protocols (see “An Updated Look At Choosing Between OAuth2 and SAML” p. 4 ¶5 for support)).
As to claim 14, Swiler and Thake disclose the invention as claimed as described in claim 11, including wherein the management service directory applies identity and access management of users, groups and applications of a cloud tenant (Thake pg. 1. Azure Active Directory – Azure Active Directory manages users, groups and applications, a single instance of Azure AD is considered a tenant).
As to claim 15, Swiler and Thake disclose the invention as claimed as described in claim 11, including wherein the instructions to gather data are configured as a data grabber (Swiler col. 7 ll. 20-26 scan by searching network elements for information including processes, utilities running and vulnerabilities).
As to claim 16, Swiler and Thake disclose the invention as claimed as described in claim 15, including wherein data grabber employs REST calls (Thake pg. 1 ¶3 Microsoft Graph exposes REST API for access to data) and security permissions with Azure Active Directory – Azure Active Directory supports both SAML and OAuth2 protocols (see “An Updated Look At Choosing Between OAuth2 and SAML” p. 4 ¶5 for support).
As to claim 17, Swiler substantially discloses a system, comprising:
a memory device (Swiler claim 12 storage system) to store a set of instructions (Swiler col. 5 l. 55 – col. 6 l. 21 graph generator C++ program); and
a processor to execute the set of instructions (Swiler claim 12 processing unit) to:
gather data (Swiler col. 7 ll. 20-26 scan by searching network elements for information including processes, utilities running and vulnerabilities);
group the data into a graph (Swiler Fig. 2) having nodes of users (Swiler Fig. 2 showing nodes with user information “Attacker on Internet”, bottom right “Plaintext Password of user on Machines B, C”), groups (Swiler Fig. 2 showing acquired privilege levels (i.e. access groups) in nodes (e.g. “Root”, “Normal”); col. 6 l. 67 – col. 7 l. 3 user classes “none, guest, normal, system administrator, root”), and devices (Swiler Fig. 2 showing Machine A, B, and C in the nodes), the nodes coupled together via edges (Swiler Fig. 2 showing edges connecting nodes; col. 4 ll. 38-42 edges represent change of state (relationship between nodes)); and
provide a visualization of the graph to illustrate lateral paths of the management service directory (Swiler Fig. 2; col. 7 l. 65 – col. 8 l. 4 display generated graph).
Swiler fails to explicitly disclose gathering data via programmatic access to a management service directory through a REST API endpoint.
Thake discloses gathering data via programmatic access to a management service directory through a REST API endpoint (Thake pg. 1 ¶1 Microsoft Graph is unified programmability model; pg. 1 ¶2 via single endpoint; pg. 1 ¶3 Microsoft Graph exposes REST API for access to data). It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the data accessing of Thake with the network scanning of Swiler, such that an Azure Active Directory is scanned to acquire the lists and information regarding network elements, as it would advantageously allow for access to data via a single endpoint (Thake pg. 1 ¶1).
As to claim 18, Swiler and Thake disclose the invention as claimed as described in claim 17, including wherein the instructions are implemented with a security service of a cloud environment (Thake pg. 1 ¶3 Azure Active Directory is a cloud-based identity and access management service).
As to claim 19, Swiler and Thake disclose the invention as claimed as described in claim 18, including wherein the security service protects cloud-based assets and resources (Thake pg. 1 ¶3 Azure Active Directory is a cloud-based identity and access management service).
As to claim 20, Swiler and Thake disclose the invention as claimed as described in claim 17, including wherein the management service applies identity and access management of users, groups and application of a cloud tenant (Thake pg. 1. Azure Active Directory – Azure Active Directory manages users, groups and applications, a single instance of Azure AD is considered a tenant).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Mutually Human, “An Updated Look At Choosing Between OAuth2 and SAML” is related to Azure Active directory's use of SAML and OAuth2.
Fender, Sarah “The Microsoft Graph Security API is now generally available” is related to a REST API used to access a cloud-based management service directory.
Xiaohong et al., “Approach to Attack Path Generation based on Vulnerability Correlation” is related to attack path generation.
Sela et al. (US 2019/0334928 A1) is related to organization attack surface management.
Joseph Durairaj et al. (US 2018/0316704 A1) is related to lateral movement detection through graph-based candidate selection.
Hutchinson et al. (US 2017/0353453 A1) is related to principal access determination in an environment, with a graph display having users, devices and groups and paths between them.
Lambert et al. (US 8,020,194 B2) is related to analyzing cross-machine privilege elevation pathways.
Gong et al. (US 2016/0065601 A1) is related to detection of lateral movement.
Noel et al. (US 2010/0192226 A1) is related to graphical representation of network exploits between devices.
Liu (US 2014/0359776 A1) is related to determining a vulnerability taint path in an application.
Jajodia et al. (US 2010/0058456 A1) is related to IDS sensor placement based on an attack graph.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ERIC W SHEPPERD whose telephone number is (571)270-5654.  The examiner can normally be reached on Monday - Thursday, Alt. Friday, 7:30AM - 5:00PM, EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571)272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.