Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The present Office Action is responsive to communication received 8/31/2020. Claims 1-16 are pending.

Examiner’s Amendments 
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a communication with Attorney of Record Brian Boon on 3/4/2022.
Please amend claims 1 and 9 as follows:


1. (currently amended) A system for privilege assurance protection of computer networks, comprising: 
an interrogation agent comprising a first plurality of programming instructions stored in a memory of, and operating on a processor of, a first computing device within a computer network operating a directory access protocol, wherein the first plurality of programming instructions, when operating 
query a plurality of devices on the computer network for network information relevant to privilege assurance, the network information comprising device identifiers and configuration parameters;
receive responses from the plurality of devices, the responses comprising the network information;
send the responses to a graph engine;
a graph engine comprising a second plurality of programming instructions stored in a memory of, and operating on a processor of, a second computing device, wherein the second plurality of programming instructions, when operating on the processor of the second computing device, cause the second computing device to:
receive the responses; 
create and store a cyber-physical graph of the computer network using the responses, wherein 
perform a plurality of queries over time on the cyber-physical graph for a cyberattack parameter of interest;
receive results of the plurality of queries; and
send the results to a time-series rule comparator;
the time-series rule comparator comprising a third plurality of programming instructions stored in a memory of, and operating on a processor of, a computing device, wherein the third plurality of programming instructions, when operating on the processor, cause the computing device to:
receive the results from the graph engine; 
measure changes over time in the results;
if the measurement of changes over time exceeds a threshold, send the results to a user interface; and
[[a]]the user interface comprising a fourth plurality of programming instructions stored in a memory of, and operating on a processor of, a computing device, wherein the fourth plurality of programming instructions, when operating on the processor, cause the computing device to:
receive the results; 
identify the directory access protocol objects and relationships which caused the measurement of changes to exceed the threshold; and 
display a portion of the cyber-physical graph comprising the vertices and edges corresponding to the identified directory access protocol objects and relationships. 


9. (currently amended) A method for privilege assurance protection of computer networks, comprising the steps of:
querying, using a software agent installed on a first computing device on a computer network, a plurality of devices on the computer 
receiving responses from the plurality of devices, the responses comprising the network information;
sending the responses to a graph engine;
creating and storing a cyber-physical graph of the computer network using the responses, wherein 
performing a plurality of queries over time on the cyber-physical graph a cyberattack parameter of interest;
receiving results of the plurality of queries;
measuring changes over time in the results;
if the measurement of changes over time exceeds a threshold, sending the results to a user interface;
identifying the directory access protocol objects and relationships which caused the measurement of changes to exceed the threshold; and
displaying, on the user interface, a portion of the cyber-physical graph comprising the vertices and edges corresponding to the identified directory access protocol objects and relationships.



Information Disclosure Statement
The information disclosure statement (IDS) submitted on 8/31/2020 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Allowed Claims
Claims 1-16 are allowed, in view of the examiner’s amendments above.

Reasons for allowance
The closest prior art of record, US 20180152468 to Nor et al, alone or in combination with other prior art of record, fails to teach all limitations of the claims. Nor et al disclose:
A system for privilege assurance protection of computer networks, comprising: an interrogation agent comprising a first plurality of programming instructions stored in a memory of, and operating on a processor of, a first computing device within a computer network operating a directory access protocol, wherein the first plurality of programming instructions, when operating on the processor of the first computing device, cause the first computing device to ([0038]): query a plurality of devices on the computer network for network information relevant to privilege assurance, the network information comprising device identifiers and configuration parameters; receive responses from the plurality of devices, the responses comprising the network information; send the responses to a graph engine; a graph engine comprising a second plurality of ([0040] obtain data indicative of communication); create and store a cyber-physical graph of the computer network using the responses, wherein the vertices of the cyber-physical graph represent directory access protocol objects and the edges of the cyber-physical graph represent the relationships between those objects ([0026] Fig. 2A-B time varying graph);
Nor et al, alone or combined with other prior art of record, fails to teach: perform a plurality of queries over time on the cyber-physical graph a cyberattack parameter of interest; receive results of the plurality of queries; and send the results to a time-series rule comparator; a time-series rule comparator comprising a third plurality of programming instructions stored in a memory of, and operating on a processor of, a computing device, wherein the third plurality of programming instructions, when operating on the processor, cause the computing device to: receive the results from the graph engine; measure changes over time in the results; if the measurement of changes over time exceeds a threshold, send the results to a user interface; and a user interface comprising a fourth plurality of programming instructions stored in a memory of, and operating on a processor of, a computing device, wherein the fourth plurality of programming instructions, when operating on the processor, cause the computing device to: receive the results; identify the directory access protocol 
Therefore, claim 1 and, substantially, claim 9 are allowable. Claims 2-8 and 10-16, depending respectively on claims 1 and 9, are also allowable.

Other relevant prior art of the record teaches:
Phillips et al 1998 “A graph-based system for network vulnerability analysis” p.1-78, ACM, disclose an attack graph in which nodes represent machines and users and edges represent changes of state between nodes; Phillips also discloses determining, based on the graph, a cyberattack parameter such as the cost of defenses that are increased in case of attacks.
Gill et al 20120224057 disclose capabilities to monitor both users’ access and behavior events within the network. Users’ access events are displayed on a geo-spatial map.
Muddu et al 20170063896 disclose detecting security-related anomalies and threats in a computer network environment. A graphical user interface displays unusual user behavior, including unusual sequences in Active Directory; anomalies indicative of malware are graphed into a network security graph including nodes representing network entities and edges representing the relationships between the entities.
Boyadjiev et al 20170048270 disclose a network security system that can generate and display graphical visualizations of groups of network devices to provide a visual analysis of the network devices in the groups.
Kenttala et al 8654127 disclose tapping the examined communication network to probe communication packets flowing in the communication network and searching their header information for identities and their relations. The identities and the relations between them are used to create an identity flow, which is used to create an identity graph describing the operation of the communication network. The identity graph describes the state of the communication at different points in time and is presented on a user interface.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CATHERINE B THIAW whose telephone number is (571)270-1138. The examiner can normally be reached Monday-Friday 7am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, CARL G COLIN can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.






/Catherine Thiaw/
Primary Examiner, Art Unit 2493
2/7/2022