Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION 
2.	The request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for Continued Examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant’s submission filed 11/30/2021 has been entered. An action on the RCE follows.

Summary of claims

3.	Claims 1-2, 8-9, 15-16 and 21-33 are pending, 
	Claims 1, 8 and 15 are amended,
	Claims 3-7, 10-14 and 17-20 are cancelled,
	Claims 29-33 are newly added,
	Claims 1, 8 and 15 are independent claims,
Claims 1-2, 8-9, 15-16 and 21-33 are rejected.

Response to Arguments
4.	Regarding the 103 rejections, Applicant’s arguments, see Remarks p. 6-16, filed 11/30/2021, have been fully considered but are not persuasive in view of the new ground(s) of rejection.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to 

5.	Claims 1-2, 8-9, 15-16 and 21-33 are rejected under 35 U.S.C. 103 as being unpatentable over Michael Beck et al. (US Publication 20190260804 A1, hereinafter Beck) in view of Georgios Apostolopoulos (US Publication 20180219888 A1, hereinafter Apostolopoulos).

As for independent claim 1, Beck discloses: A method, in a data processing system, for displaying cyber threat data in a narrative format (Abstract, a user interface module can present a threat-tracking graphical user interface and a query interface component integrated into the threat-tracking graphical user interface to a system user belonging to a client team to review a potential cyber threat and receive a query for assistance), the method comprising: receiving a cyber threat information file ([0042], assess whether the anomalous network activity has previously appeared in lists of malicious files; [0110], the cyber threat defense system initially ingests data from multiple source, the raw data sources include machine generated log files), wherein the cyber threat information file comprises cyber threat data in a serialized format ([0062], determine periodicity in multiple time series data and identify changes across single and multiple time series data for the purpose of anomalous behavior detection, a large number of metrics can be derived, each producing time series data for the given ; generating a tree data structure representing relationships between objects in the cyber threat data, wherein each node of the tree data structure represents an object in the cyber threat data ([0140], the threat-tracking graphical user interface may have a topology map displaying a two-dimensional or three-dimensional representation of the network, the topology map can have one or more network nodes acting as a visual data container for a network entity on the network, the topology map can illustrate each connection between a network node and any other network node in contact with that network node, a network node can be marked to indicate an issue with the represented network entity, the user analyst can select a network node with the cursor to reveal more information about the represented network entity); generating a user interface presenting the cyber threat data in a 
narrative format based on the tree data structure ([0140], the threat-tracking graphical user interface may have a topology map displaying a two-dimensional or three-dimensional representation of the network, the topology map can have one or more network nodes acting as a visual data container for a network entity on the network, the topology map can illustrate each connection between a network node and any other network node in contact with that network node, a network node can be marked to indicate an issue with the represented network entity, the user analyst can select a network node with the cursor to reveal more information about the represented network entity); and extracting context information pertinent to the relationships between the objects ([0045], the system securely communicates a query constructed from cybersecurity information in a multimedia format (for example, connection logs, graphical representations, triaged incidents, analyst comments, etc.) extracted from the threat-tracking graphical user , wherein the narrative format presents the objects in the cyber threat data in a hierarchical format indicative of the relationships between parent objects and child objects based on the tree data structure, presents a relationship type for each child object, and presents the extracted information for each object in the cyber threat data ([0099], cyber threat detection system recognize the relationships among its different entities; [0127], a topology of the network under scrutiny is projected automatically as a graph based on device communication relationships via an interactive user interface; [0140], the threat-tracking graphical user interface may have a topology map displaying a two-dimensional or three-dimensional representation of the network, the topology map can have one or more network nodes acting as a visual data container for a network entity on the network, the topology map can illustrate each connection between a network node and any other 
network node in contact with that network node, a network node can be marked to indicate an issue with the represented network entity, the user analyst can select a network node with the cursor to reveal more information about the represented network entity); and presenting the user interface to an analyst ([0140], the threat-tracking graphical user interface may have a topology map displaying a two-dimensional or three-dimensional representation of the network, the topology map can have one or more network nodes acting as a visual data .
Beck discloses an expert interface presenting a threat-tracking graphical user interface to a user to review a potential cyber threat including displaying nodes in a hierarchical format but does not expressly disclose each edge in the tree data structure represents a relationship type between a parent object and a child object, in an analogous art of receiving and analyzing event data and generating graph including nodes and edges for identifying security threats in a computer network, Apostolopoulos discloses: wherein each node of the tree data structure represents an object in the cyber threat data and each edge in the tree data structure represents a relationship type between a parent object and a child object ([0135], a graph in the context of this description includes a number of nodes and edges, each node in the relationship graph represents one of the entities involved in the event, and each edge represents a relationship between two of the entities); presents a relationship type for each child object ([0189], assigns combined network activities into different projections of the composite relationship graph, depending on the type of activity, each projection represents a subset of the composite relationship graph that relates to a certain type or types of user action or other category; [0199], for each edge (relationship) in the composite relationship graph, the graph library component examines the edge’s type to determine the projection to which the edge belongs; [0206], the process identifies one or more 
In addition, Beck does not expressly disclose performing a depth-first search of relationships between objects in the tree data structure. Apostolopoulos discloses: wherein generating the user interface comprises performing a depth-first search of relationships between objects in the tree data structure ([0234], breadth-first search or depth-first search).
Beck and Apostolopoulos are analogous art because they are in the same field of endeavor: collecting, analyzing and displaying cybersecurity threat information in a hierarchical format. Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the invention of Beck using the teachings of Apostolopoulos to clearly include indicating relationships between nodes with edges in the graph, and performing a depth-first search of relationships between objects. It would provide Beck’s method with the enhanced capability of providing more contextual information associated with cybersecurity entities in the network so that a user may conduct review and query with the cybersecurity information user interface.

As for claim 2, Beck-Apostolopoulos further discloses: wherein generating the tree data structure comprises identifying objects in the cyber threat data and mapping relationships between objects in the cyber threat data (Apostolopoulos: [0135], a graph in the context of this description includes a number of nodes and edges, each .

Claims 3-7: canceled

As for claims 8-9, they recite features that are substantially the same as those features claimed by Claims 1-2; thus the rationales for rejecting Claims 1-2 are incorporated herein.

Claims 10-14: canceled

As for claims 15-16, they recite features that are substantially the same as those features claimed by Claims 1-2; thus the rationales for rejecting Claims 1-2 are incorporated herein.

Claims 17-20: canceled

As for claim 21, Beck-Apostolopoulos further discloses: wherein the extracted information includes a risk score represented as a graphical indicator (Apostolopoulos: abstract, the riskiest days of activity can be found by computing a risk score for each day and according to the features in the day; [0035], presenting analytical results scored with risk ratings and supporting evidence).

wherein the parent object represents a process and the child object represents a file run by the process (Beck: [0042], assess whether the anomalous network activity has previously appeared in lists of malicious files; [0110], the cyber threat defense system initially ingests data from multiple source, the raw data sources include machine generated log files; Apostolopoulos: [0136], identifiable relationship may be customizable and provides the flexibility to the administrator to tailor the system to his data sources, possible relationships can include, for example, “connects to,” “uses,” “runs on,” “visits,” “uploads,” “successfully logs onto,” “restarts,” “shuts down,” “unsuccessfully attempts to log onto,” “attacks,” and “infects”).

As for claim 23, Beck-Apostolopoulos further discloses: wherein the parent object represents a first process and the child object represents a second process created by the first process (Apostolopoulos: [0136], identifiable relationship may be customizable and provides the flexibility to the administrator to tailor the system to his data sources, possible relationships can include, for example, “connects to,” “uses,” “runs on,” “visits,” “uploads,” “successfully logs onto,” “restarts,” “shuts down,” “unsuccessfully attempts to log onto,” “attacks,” and “infects”).

As for claim 24, Beck-Apostolopoulos further discloses: wherein the parent object represents a process and the child object represents a connection opened by the process (Apostolopoulos: [0136], identifiable relationship may be customizable and provides the flexibility to the administrator to tailor the system to his data sources, .

As for claim 25, Beck-Apostolopoulos further discloses: wherein the parent object represents a connection and the child object represents a source address or a destination address (Beck: [0072], same destination Internet Protocol addresses; Apostolopoulos: [0169], a detected anomaly in the activity on a computer network is often associated with one or more entities of the computer network, such as one or more physical computing devices, virtual computing devices, users, software modules, accounts, identifiers, and/or addresses).

As for claim 26, Beck-Apostolopoulos further discloses: wherein the parent object represents a first process and the child object represents a user account that created the process (Apostolopoulos: [0136], identifiable relationship may be customizable and provides the flexibility to the administrator to tailor the system to his data sources, possible relationships can include, for example, “connects to,” “uses,” “runs on,” “visits,” “uploads,” “successfully logs onto,” “restarts,” “shuts down,” “unsuccessfully attempts to log onto,” “attacks,” and “infects”; [0169], a detected anomaly in the activity on a computer network is often associated with one or more entities of the computer network, such as one or more physical computing devices, virtual computing devices, users, software modules, accounts, identifiers, and/or addresses).


As for claim 28, it recites features that are substantially the same as those features claimed by Claim 21; thus the rationales for rejecting Claim 21 are incorporated herein.

As for claim 29, Beck-Apostolopoulos further discloses: wherein the parent object represents a process and the child object represents a file run by the process (Beck: [0042], assess whether the anomalous network activity has previously appeared in lists of malicious files; [0110], the cyber threat defense system initially ingests data from multiple source, the raw data sources include machine generated log files; Apostolopoulos: [0136], identifiable relationship may be customizable and provides the flexibility to the administrator to tailor the system to his data sources, possible relationships can include, for example, “connects to,” “uses,” “runs on,” “visits,” “uploads,” “successfully logs onto,” “restarts,” “shuts down,” “unsuccessfully attempts to log onto,” “attacks,” and “infects”).

As for claim 30, Beck-Apostolopoulos further discloses: wherein the parent object represents a first process and the child object represents a second process created by the first process (Apostolopoulos: [0136], identifiable relationship may be customizable and provides the flexibility to the administrator to tailor the system to his data sources, possible relationships can include, for example, “connects to,” “uses,” .

As for claim 31, Beck-Apostolopoulos further discloses: wherein the parent object represents a first process and the child object represents a connection opened by the process (Apostolopoulos: [0136], identifiable relationship may be customizable and provides the flexibility to the administrator to tailor the system to his data sources, possible relationships can include, for example, “connects to,” “uses,” “runs on,” “visits,” “uploads,” “successfully logs onto,” “restarts,” “shuts down,” “unsuccessfully attempts to log onto,” “attacks,” and “infects”).

As for claim 32, Beck-Apostolopoulos further discloses: wherein the parent object represents a connection and the child object represents a source address or a destination address (Beck: [0072], same destination Internet Protocol addresses; Apostolopoulos: [0169], a detected anomaly in the activity on a computer network is often associated with one or more entities of the computer network, such as one or more physical computing devices, virtual computing devices, users, software modules, accounts, identifiers, and/or addresses).

As for claim 33, Beck-Apostolopoulos further discloses: wherein the parent object represents a process and the child object represents a user account that created the process (Apostolopoulos: [0136], identifiable relationship may be customizable and provides the flexibility to the administrator to tailor the system to his data sources, .

Conclusion
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Hua Lu whose telephone number is 571-270-1410 and fax number is 571-270-2410.  The examiner can normally be reached on Mon-Fri 7:30 am to 5:00 pm EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Matthew Ell can be reached on 571-270-3264.  The fax phone number for the organization where this application or proceeding is assigned is 703-273-8300.  
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).  If you would like assistance from a 
/HUA LU/
Examiner, Art Unit 2171