DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with David H. Judson (Reg. No. 30,467) on 28 February 2022.
The application has been amended as follows: 
Claim 1.	(currently amended) A method for network threat analysis, comprising:
providing a display interface with a two-dimensional (2D) grid, wherein a first axis of the grid represents time, and a second axis of the grid represents space; 
responsive to user inputs received on the display interface, the user inputs specifying one or more entities, one or more events associated with the one or more entities, and attributes associated to the entities and events, recording a graph pattern;
automatically processing the graph pattern into a text-based representation; and
, wherein performing the threat discovery operation includes:
iteratively computing a closure over a set of subgraphs in the graph pattern; and
identifying a subgraph of the set that describes a security threat.

	Cancel claim 5.

Claim 8.	(currently amended) An apparatus, comprising:
	a processor; 
computer memory holding computer program instructions executed by the processor, the computer program instructions configured to perform network threat analysis, the computer program instructions comprising program code configured to:
	provide a display interface with a two-dimensional (2D) grid, wherein a first axis of the grid represents time, and a second axis of the grid represents space; 
responsive to one or more user inputs received on the display interface, the user inputs specifying one or more entities, one or more events associated with the one or more entities, and attributes associated to the entities and events, record a graph pattern;
automatically process the graph pattern into a text-based representation; and
, wherein the program code configured to perform the threat discovery operation includes program code configured to:
iteratively compute a closure over a set of subgraphs in the graph pattern; and
identify a subgraph of the set that describes a security threat.

	Cancel claim 12. 

Claim 15.	(currently amended) A computer program product in a non-transitory computer readable medium for use in a data processing system, the computer program product holding computer program instructions that, when executed by the data processing system, are configured to perform network threat analysis, the computer program instructions comprising program code configured to:
provide a display interface with a two-dimensional (2D) grid, wherein a first axis of the grid represents time, and a second axis of the grid represents space; 
responsive to one or more user inputs received on the display interface, the user inputs specifying one or more entities, one or more events associated with the one or more entities, and attributes associated to the entities and events, record a graph pattern;
automatically process the graph pattern into a text-based representation; and
perform a threat discovery operation using the text-based representation, wherein the program code configured to perform the threat discovery operation includes program code configured to:
iteratively compute a closure over a set of subgraphs in the graph pattern; and
identify a subgraph of the set that describes a security threat.

	Cancel claim 19.

	Allowable Subject Matter
Claims 1-4, 6-11, 13-18, 20, and 21 are allowed.
The following is an examiner’s statement of reasons for allowance:
The prior art does not disclose or make obvious the claimed network threat analysis that records a graph responsive to user inputs received on a two-dimensional grid such that the user inputs specify one or more entities, one or more events associated with the entities, and one or more attributes associated to the entities and events. The graph is automatically processed into a text-based representation wherein a threat discovery operation is performed by iteratively computing a closure over a set of subgraphs in the graph and identifying a subgraph of the set of subgraphs that describes a security threat.
The closest prior art, Coffman US Publication No. 2008/0109730, discloses an anomaly detection system that includes an interface that displays graphs that provide visualizations of SNA metric values gathered over time for an entity ([0044] & [0061] & [0077] & Figures 7A-7B: interface of the SNA-AD system reads on the claimed display interface), which meets the limitation of providing a display interface with a two-dimensional (2D) grid, wherein a first axis of the grid represents time, and a second axis of the grid represents space. User supplied input data is utilized to create a normal graph ([0044] & [0061] & [0066] & Figure 4, 402: user input is performed as part of the SNA-AD system [0061] that is implemented with interfaces for user interaction [0044]), which meets the limitation of responsive to user inputs received on the display interface, recording a graph pattern. The user supplied input includes a social network graph ([0039] & [0041]) that includes multiple entity information ([0033]), which meets the limitation of the user inputs specifying one or more entities. The user supplied social network graph also includes normal function data between the entities over a period of time ([0016] & [0064]-[0066]: time period would read on the claimed attributes associated to the entities and events), which meets the limitation of the user inputs specifying one or more events associated with the one or more entities, and attributes associated to the entities and events. The normal graph is utilized to generate normal clusters ([0067]: normal clusters read on the claimed text-based representation), which meets the limitation of automatically processing the graph pattern into a text-based representation. The normal clusters are then utilized to detect anomalies ([0068]: comparison is a value-based comparison and would therefore be considered text-based), which meets the limitation of performing a threat discovery operation using the text-based representation.
Coffman does not disclose that the threat discovery operation is performed by iteratively computing a closure over a set of subgraphs in the graph and identifying a subgraph of the set of subgraphs that describes a security threat.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Van Beest, U.S. Publication No. 2019/0138542, discloses analysis of graph data that is comprised of behavioral data.
	Arov, U.S. Publication No. 2018/0276375, discloses the detection of cyber attacks on SCADA systems using modeling.
	Tang, WO 2017/176676, discloses reporting anomalous events such that the reported events are clustered and graphed.
	Nickolov, U.S. Publication No. 2017/0034023, discloses vulnerability evaluation using models.
	Vasseur, U.S. Publication No. 2016/0219066, discloses network anomaly detection using graph-based models.
	Barel, U.S. Publication No. 2016/0119365, discloses cyber threat detection performed by categorizing and filtering received information into groups.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN E LANIER whose telephone number is (571)272-3805. The examiner can normally be reached M-Th: 6:20-4:50.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on 5712724063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/BENJAMIN E LANIER/Primary Examiner, Art Unit 2437