DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
No information disclosure statement (IDS) was submitted before the mailing date of this Office action. Accordingly, no information disclosure statement is being considered by the examiner.
Specification
The specification is objected to due to the following informalities, and corrective action is required.
Paragraph 18, line 1, “a internal” should read “an internal”
Paragraph 34, lines 4-5, “external network resources 110 and external network resources 120” should read “external network resources 110 and internal network resources 120”
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over US-PGPUB No. US 2017/0099311 A1 to Kesin et al. (hereinafter Kesin), US-PGPUB No. US 2020/0285944 A1 to Lee et al. (hereinafter Lee), and further in view of US-PGPUB No. US 2019/0081959 A1 to Yadav et al. (hereinafter Yadav).

Regarding claim 1:
Kesin discloses:
A system comprising: 
a non-transitory memory (see ¶07: “… non-transitory storage medium having a computer program stored thereon executable by one or more processors of an anomaly detection system in a network.”); and 
one or more hardware processors coupled with the non-transitory storage medium and configured to execute instructions from the non-transitory storage medium to cause the system to perform operations comprising (see ¶05: “The system can include one or more computer readable storage devices configured to store one or more software modules including computer executable instructions, and one or more hardware computer processors in communication with the one or more computer readable storage devices”): 
determining an external burst score for an external network resource (see ¶177: “… a speed score can be determined based at least on a minimum theoretical speed of the user based on location and timestamps of consecutive network accesses from the same user”); 
determining an internal burst score for an internal network resource (see ¶176: “… a host score can be determined based at least on the hostname used to access the network.”); 
creating a burst graph based on the internal burst score and external burst score (see ¶179: “… an aggregate score for the network access can be determined. The aggregate score can be a weighted score based on at least two of the hostname score, the speed score, and the location score.” 
¶195: “Based on the logged data, a speed 1644, weighted host score 1648, weighted speed score 1652, weighted location score 1656, aggregate score 1660, and convoluted score 1664 can be determined.”
See Fig. 16A and Fig. 16B data tables for log entries, including aggregate score, and the associated graphs.); 
Kesin fails to explicitly disclose the following limitation taught by Lee:  
determining an interaction pattern between the external network resource and the internal network resource using a graph convolutional neural network (see Lee ¶03: “… a method for making inferences from graph-structured data includes performing operations by one or more processing devices based on a graph convolutional neural network model that includes one or more graph convolutional layers. The operations also include … for each respective node in a set of nodes from the nodes in the graph, selecting one type of motif from multiple types of motifs …”, Claim 1
¶37: “A motif indicates a particular pattern of interactions between vertices.”);  

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate into Kesin the method for making inferences from a graph-structured dataset using a graph convolutional neural network to analyze interaction patterns between nodes and infer expectations, as disclosed by Lee; such incorporation would provide timely detection and identification of anomalous behavior. 

The combination of Kesin and Lee fails to explicitly disclose the following limitation taught by Yadav:
determining an anomalous traffic event based on a deviation of the interaction pattern from a probability density function (see Yadav ¶281: “A statistical model can be implemented to then detect patterns based on the lineage of the process and identify any anomalies or malicious events.”
¶290: “This disclosure can use a statistical model, such as markov chains, to study the lineage patterns and detect anomalies.”).   

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate the statistical model of the traffic monitoring system to determine anomalous behavior, as disclosed by Lee; such incorporation would help determine the amount of traffic certain processes send and establish patterns to provide timely detection and identification of anomalous behavior. 


Regarding claim 2:
The combination of Kesin, Lee and Yadav discloses:
The system in claim 1, wherein determining the internal burst score comprises: 
determining an internal resource interaction probability based on a number of total internal traffic interactions and a number of internal resource interactions (see Yadav ¶49: “… creating summary statistics related to the datacenter, identifying components or hosts that are at capacity, identifying components or hosts that are under-utilized or incapacitated, comparing current activity to historical or expected activity, etc.”), 
determining a resource interaction cost based on the internal resource interaction probability (see Yadav ¶49: “… the analytics module can modify an access control list, a firewall, subnet assignments, etc. The analytics module can then present a report describing the status of the datacenter (step 324), e.g., to an administrator. Step 324 can include creating charts, graphs, illustrations, tables, notifications, etc.”), and  
determining a difference between a burst state score and a base state score, wherein the burst state score is based on a state transition cost and the internal resource interaction probability, and wherein the base state score is based on the resource interaction cost and the internal resource interaction probability (see Yadav ¶442: “… the differences between attacks when a certain port was open are compared to when the port is closed using historical flow attack data. The vulnerability index for that port would be calculated based on the number of additional attacks that occurred when that port was open versus when it was closed.”).  

Regarding claim 3:
The combination of Kesin, Lee and Yadav discloses:
The system of claim 1, wherein determining the external burst score comprises: 
determining a normal external interaction range based on an average number of external resource interactions and an external resource standard deviation (see Yadav ¶484: “Anomaly detection—Detect when stats for a particular host, host-pair or flows are outside the normal range.” 
¶487: “… we would aggregate anomalies from a lower granularity, along with stats to more confidently detect DDOS.” 
¶489: “… a traits table … would include following features: (1) packets: a. mean and std of num packets …”), and 
determining a difference between the number of external network resource interactions and the normal external interaction range (see Yadav ¶479: “Irregular traffic can be discovered by developing a signature of normal traffic … and comparing it to current traffic. The signature can include packet count, byte count, service/host connection counts, TCP flags, port, protocol, port count, geo-location, user (of a process), process ID, etc. The signature can be created using statistics and analytics.”).  

Regarding claim 4:
The combination of Kesin, Lee and Yadav discloses:
The system for claim 1, wherein the operations further comprise: 
determining one or more external burst scores for each of one or more external network resources (see Kesin ¶177: “… a speed score can be determined based at least on a minimum theoretical speed of the user based on location and timestamps of consecutive network accesses from the same user”); 
determining one or more internal burst scores for each of one or more internal network resources (see Kesin ¶176: “… a host score can be determined based at least on the hostname used to access the network.”); and 
wherein creating the burst graph is further based on the one or more external burst scores and the one or more internal burst scores, and wherein the burst graph further comprises one or more edges between each of the one or more external network resources and each of the one or more internal network resources (see Yadav ¶39: “Leaf switches 204 can reside at the edge of network fabric 212, and can thus represent the physical network edge.”
¶556: “… for each observed edge (communication) from a node in cluster A to a node in cluster B, on server port C, a … policy is introduced such that any node in cluster A can communicated with any node in cluster B on server port C.”
¶576: “… an edge is a communication from source (client) node to destination (server) node using a (server) port.” See Fig. 2 for edges and network resources.).  

Regarding claim 5:
The combination of Kesin, Lee and Yadav discloses: 
The system for claim 4 wherein determining the interaction pattern further comprises: 
determining an embedding for each internal network resource based on the one or more edges of the burst graph between the internal network resource and each external network resource (see Yadav ¶562: “vector types can be based solely on server ports … The set of vectors can then be post-processed, such as (frequent) feature pruning, TF-IDF re-weighting, and L2-normalization.”
¶613: “A TF-IDF computation (TF-IDF is an information retrieval technique) can be performed to reweight attributes by a measure of their informativeness for a node. A similar algorithm can be performed on clusters (each cluster can be represented by a single vector, then TF-IDF post-processing can be performed on such set of vectors).”),
and determining an embedding for each external network resource based on the one or more edges of the burst graph between the external network resource and each internal network resource (see Yadav ¶562: “vector types can be … solely based on destination addresses (IPs). The set of vectors can then be post-processed, such as (frequent) feature pruning, TF-IDF re-weighting, and L2-normalization.”). 

Regarding claim 6:
The combination of Kesin, Lee and Yadav discloses:
The system for claim 1, wherein the probability density function comprises a deep Gaussian mixture model (see Kesin ¶202: “… convolution can be used to generate a convoluted score reflecting the anomalous probability … convolution curves can be … a pulse, impulse, sawtooth, triangle, Gaussian, or other shape.”, and see Yadav ¶489: “… the distribution of log(packets) looks Gaussian …”).  

Regarding claim 7:
The combination of Kesin, Lee and Yadav discloses:
The system for claim 1, wherein the operations further comprise: in response to determining the anomalous traffic event, performing a corrective action comprising at least one of: blocking the external network resource from accessing the internal network resource, disabling the internal network resource, limiting connections to the internal network resource, and sending a notification to one or more users (see Yadav ¶481: “When irregular traffic is discovered, a system administrator can be notified and presented with appropriate actions that should correct the irregular traffic. Actions can include shutting down the process or virtual machine, blocking traffic from the virtual machine (via the hypervisor), or blocking the port/protocol/subnet corresponding to the traffic”, and 
see Kesin ¶52: “If the analysis engine 111 detects anomalous user activity, the warning generator 113 can generate a warning to a system administrator 115. In some embodiments, the warning generator can take other measures to secure the network, such as revoking access from an individual suspected of anomalous activity, taking resources offline, etc.”).  

Regarding claims 8-14:
Claims 8-14 recite substantially the same limitations as claims 1-7, respectively, in the form of a system implementing the corresponding method; therefore, they are rejected under the same rationale. 


Regarding claims 15-20:
Claims 15-19 and 20 recite substantially the same limitations as claims 1-5 and 7, respectively, in the form of a non-transitory computer readable medium storing instructions for implementing the corresponding method; therefore, they are rejected under the same rationale.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 

Harris et al. (US-PGPUB No. 2018/0332064 A1) discloses a method of computing a risk score for a user using a device based on a peer group identifier.
Wu et al. (US-PGPUB No. 2020/0104426 A1) discloses data graph similarity analytics based on graph embedding.
Apostolopoulos (US-PGPUB No. 2018/0219888 A1) discloses techniques related to a graph-based network security analytic framework that combines multiple sources of information and security knowledge in order to detect risky behaviors and potential threats. 
Rossi (US-PGPUB No. 2021/0014124 A1) discloses how to determine network embeddings that describe the underlying characteristics of nodes in a network.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Matthias Habtegeorgis, whose telephone number is (571) 272-1916. The examiner can normally be reached from 8:00 am to 4:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Ashok B Patel, can be reached at (571) 272-3972. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ASHOKKUMAR B PATEL/ Supervisory Patent Examiner, Art Unit 2491