Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 4-22-2020 was in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Objections
Claims 1 and 7 are objected to because of the following informalities: claims 1 and 7 are objected to for vagueness of terms in the limitation that the applicant regards as the invention. There is evidence that claims 1 and 7 fail to correspond in scope with that which the inventor or a joint inventor specifies in the specification. The specification or drawings do not explain or exemplify when and/or how a formation or extension of a tree or branch is carried out; therefore the claim is vague and unclear, as the term “form/extend” in claims 1 and 7 is used by the claim to mean “either form a branch or a new tree, or extend a formed tree from the root to create a branch, or extend a formed branch, or whether the formation or extension is added to a given node or to/from an edge”. For instance, an email access may be a set of nodes and edges, and a related email may be a new tree (formation), or opening an attachment from the related email may be an extension of an already created tree, while the accepted meaning is

Claim Rejections - 35 USC § 112
Claims 1 and 7 recite the limitation "linking cyber-event(s) to subsequent cyber-event(s) into branches to form/extend a cyber-event tree;". It is not clear whether the term “cyber-event(s)” refers to the detected cyber-event(s) in the previous limitation or is a new term. If it refers to the previous one, it is suggested to recite “linking detected cyber-event(s) to subsequently detected cyber-event(s)”. There is insufficient antecedent basis for this limitation in the claim. Therefore the corresponding dependent claims 2-6 and 8 are also rejected for the same rationale.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-8 are rejected under 35 U.S.C. 103 as being unpatentable over Coffman; Thayne (US 20070209074), hereafter Coff, and Riedel et al. (US 20170336061), hereafter Rie.
Claim 1: Coff teaches a method of monitoring a computer network, said method comprising: providing a plurality of sensors, wherein [said sensors form a meshed network of sensors] which monitor cyber-event(s); ([0013] the enhanced graph matching intrusion detection system (eGMIDS) comprises multiple sensors, located at different remote devices of the network and utilized to detect specific types of activity occurring at the respective devices);
detecting, by the plurality of sensors, cyber-event(s); ([013] specific events/activities at the device are detected by the sensors);
linking cyber-event(s) to subsequent cyber-event(s) into branches to form/extend a cyber-event tree; ([096] the constructed events are transmitted to the eGMIDS control server, which uses sensor data fusion to integrate them into the activity graph as nodes and edges);
comparing said cyber-event tree to a baseline cyber-event tree; ([015] ...the eGMIDS utility initiates a graphical matching algorithm by which pre-established threat patterns representing known or suspected intrusion methods (threat patterns) are compared within the activity graph and [041] eGMIDS performs signature-based intrusion detection... to distinguish threatening activity from benign activity (i.e., baseline));
determining if there is any differences in said cyber-event tree to said baseline cyber-event tree to identify said cyber-event tree or a branch thereof as anomalous and thereby identify potential anomalous event(s) and/or a cyber-attack. ([019] when a match is found by the search conducted at the first layer however, the eGMIDs utility issues a request for secondary layer information associated with the particular devices (nodes) and/or activity… A match at both layers indicates the existence of a threat or an activity of special interest).
Coff teaches the concept but is silent on said sensors form a meshed network of sensors.
But the analogous art Rie teaches said sensors form a meshed network of sensors. ([046] the sensor platforms connected to one another by a mesh network).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Coff to include the idea of sensors forming a mesh network as taught by Rie, so that the central management system makes decisions regarding changing an operating mode of one or more pieces of equipment in the network and informing an authority of the existence of a particular event or condition ([046]).
Claim 7: Coff teaches a method of monitoring a computer network, said method comprising: providing a plurality of sensors, wherein [said sensors form a meshed network of sensors] which monitor cyber-event(s); detecting, by the plurality of sensors, cyber-event(s); linking cyber-event(s) to subsequent cyber-event(s) into branches to form/extend a cyber-event tree; and scoring probability that said cyber-event tree or a branch thereof is anomalous. ([0013] the enhanced graph matching intrusion detection system (eGMIDS) comprises multiple sensors, located at different remote devices of the network and utilized to detect specific types of activity occurring at the respective devices; [013] specific events/activities at the device are detected by the sensor; [096] the constructed events are transmitted to the eGMIDS control server, which uses sensor data fusion to integrate them into the activity graph as nodes and edges; [015] ...the eGMIDS utility initiates a graphical matching algorithm by which pre-established threat patterns representing known or suspected intrusion methods (threat patterns) are compared within the activity graph and [041] eGMIDS performs signature-based intrusion detection... to distinguish threatening activity from benign activity; [019] When a match is found by the search conducted at the first layer however, the eGMIDs utility issues a request for secondary layer information associated with the particular devices (nodes) and/or activity… A match at both layers indicates the existence of a threat or an activity of special interest… [021] candidate matches are scored according to how well they match a threat pattern being searched for).
Coff teaches the concept but is silent on said sensors form a meshed network of sensors.
But the analogous art Rie teaches said sensors form a meshed network of sensors. ([046] the sensor platforms connected to one another by a mesh network).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Coff to include the idea of sensors forming a mesh network as taught by Rie, so that the central management system makes decisions regarding changing an operating mode of one or more pieces of equipment in the network and informing an authority of the existence of a particular event or condition ([046]).
Claim 2: the combination of Coff and Rie teaches the method of claim 1, wherein said baseline cyber-event tree evolves over time. (Coff: [0143] new members are added to the population by combining aspects of each parent. Other new matches are created through stochastic variation, or mutation, of an individual "parent", in which a node in the match is randomly altered. Finally, the algorithm ranks the new population, consisting of all the previous members plus newly generated children).
Claim 3: the combination of Coff and Rie teaches the method of claim 2, where evolution of the baseline cyber-event tree is in response to user context specific behaviour changes, legitimate modifications to the operating system and/or applications. (Coff: [0166] a new eGMIDS threat pattern is built that requires one or more of these reconnaissance events in close association with a subsequent threat event. This entire set of activity is represented succinctly as a hierarchical eGMIDS threat pattern. As a result, eGMIDS represents the complex sets of activity that allow detection of insider and coordinated attacks).
Claim 4: the combination of Coff and Rie teaches the method of claim 1, wherein a probability score that a cyber-event connected to said cyber-event tree, a branch of said cyber-event tree and/or said cyber-event tree is malicious is determined. (Coff: [0057] the eGMIDS utility performs signature-based intrusion detection where the structure and between multiple events is a key part of the information used to distinguish threatening activity from benign activity. Compared to conventional intrusion detection systems, eGMIDS provides lower false positive rates, higher true positive rates, and improved situational awareness for network defenders).
Claim 5: the combination of Coff and Rie teaches the method of claim 1, wherein said meshed network is self-healing. (Rie: [046] The mesh network is self-forming and/or self-healing).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Coff to include the idea of self-healing mesh network as taught by Rie so that the central management system makes decisions regarding ([046]).
Claim 6: the combination of Coff and Rie teaches the method of claim 4, wherein scoring probability that said cyber-event tree or a branch thereof is malicious based on context, a comparison with the baseline cyber-event tree, internal/external sources of information and/or cyber intelligence. (Coff: [021] at each level of the construction, candidate matches are scored according to how well they match a threat pattern being searched for. This score is based on the presence or absence of nodes and edges along with their attributes and constraints and [0162] candidate matches are scored at each level of the construction, according to how well the candidate matches a threat pattern being searched for. This score is based on the presence or absence of nodes and edges along with their attributes and constraints).
Claim 8: the combination of Coff and Rie teaches the method of claim 7, wherein the scoring probability that a cyber-event tree or a branch thereof is anomalous based on the conditional probability that the last added cyber-event to the event tree is normal or anomalous, a comparison with a baseline/established cyber-event tree, internal/external sources of information and/or cyber intelligence. (Coff: [021] at each level of the construction, candidate matches are scored according to how well they match a threat pattern being searched for. This score is based on the presence or absence of nodes and edges along with their attributes and constraints and [0162] candidate matches are scored at each level of the construction, according to how well the candidate matches a threat pattern being searched for. This score is based on the presence or absence of nodes and edges along with their attributes and constraints).
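The claimed method as the rejection characterizes it (linking each cyber-event to subsequent events into branches of a tree, comparing that tree to a baseline tree, flagging branches that differ, and scoring the last-added event by a conditional probability, claims 1, 4 and 8) is illustrated by the following added Python example, which is not code from the application, from Coff or from Rie. The event names, the parent/child encoding (a parent-less event forms a new tree, a parented event extends its parent's branch) and the scoring rule are the editor's constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (not from the application): (event_id, parent_id, event_type); parent None forms a new tree, otherwise the event extends its parent's branch.
BASELINE = [
    ("b1", None, "email_open"), ("b2", "b1", "attachment_open"), ("b3", "b2", "office_launch"),
    ("b4", None, "email_open"), ("b5", "b4", "attachment_open"), ("b6", "b5", "office_launch"),
    ("b7", None, "email_open"), ("b8", "b7", "link_click"), ("b9", "b8", "browser_launch"),
]
OBSERVED = [
    ("o1", None, "email_open"), ("o2", "o1", "attachment_open"),
    ("o3", "o2", "office_launch"), ("o4", "o3", "shell_spawn"),  # o4 is the last-added event
]

def build_tree(events):
    """Link each cyber-event to its subsequent events: (children map, type map, roots)."""
    children, etype, roots = defaultdict(list), {}, []
    for eid, parent, kind in events:
        etype[eid] = kind
        (roots if parent is None else children[parent]).append(eid)
    return children, etype, roots

def branches(events):
    """Every root-to-leaf path of the tree, as a tuple of event types."""
    children, etype, roots = build_tree(events)
    out = set()
    def walk(node, path):
        path += (etype[node],)
        if node not in children:
            out.add(path)
        for kid in children.get(node, []):
            walk(kid, path)
    for root in roots:
        walk(root, ())
    return out

def anomalous_branches(observed, baseline):
    """Branches present in the observed tree but absent from the baseline tree."""
    return branches(observed) - branches(baseline)

def transition_probability(baseline, parent_type, child_type):
    """P(child_type follows parent_type), estimated from baseline parent->child links."""
    children, etype, _ = build_tree(baseline)
    hits = total = 0
    for parent, kids in children.items():
        if etype[parent] == parent_type:
            total += len(kids)
            hits += sum(etype[k] == child_type for k in kids)
    return hits / total if total else 0.0

def anomaly_score(observed, baseline):
    """1 - P(last-added event's type | its parent's type) under the baseline; 0.0 for a root."""
    _, etype, _ = build_tree(observed)
    _, parent, kind = observed[-1]
    return 0.0 if parent is None else 1.0 - transition_probability(baseline, etype[parent], kind)
```

A branch the baseline has never produced scores 1.0, a branch the baseline produces often scores near 0.0, and a newly formed root (no parent to condition on) scores 0.0 until it is extended.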

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867. The examiner can normally be reached M-F: 8:30am-5pm (EST). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado, can be reached on 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BADRINARAYANAN /Examiner, Art Unit 2496.