DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 11/13/20 and 08/22/19 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 6-7, 9, 11-12, 15-17 are rejected under 35 U.S.C. 103 as being unpatentable over Tan et al. (Tan et al., "Detection of Denial-of-Service Attacks Based on Computer Vision Techniques", IEEE Transactions on Computers, Vol. 64, No. 9, 1 September 2015, pp. 2519-2533; IDS supplied) in view of Bhattacharya et al. (US 7483972 B2) and further in view of Coskun (US 20150135320 A1).

With regards to claims 1, 11, 15, Tan discloses a method for data breach detection, comprising:
identifying a plurality of snapshots of a data structure (page 6, col. 2: In this study, for instance, the ordinary network traffic records are converted into a kind of format that is used to represent images ... shown in Section III-A5, need to be rationally transformed from the original one-dimensional feature vector into a new two-dimensional feature matrix. Two-dimensional feature matrix is the common presentation for generic two-dimensional images. Through the transformation, the network traffic record can be recognized by EMD-L1 as if it were an image. Then EMD-L1 can be applied to measure the dissimilarity between the transformed network traffic records.);
identifying a plurality of leaf nodes of the data structure for each of the snapshots (Tan FIG. 1, page 5, col. 2: With the new formulation, the computational complexity of EMD can be reduced by one order of magnitude in comparison with the original formulation using the transportation problem. This is owing to an important property of the L1 distance that any shortest path between two points on a network can be decomposed into a collection of edges between neighboring nodes with a ground distance of one between them.);
generating a vector of data attributes for each of the leaf nodes (page 6, col. 2: transformation of a network traffic record into a two-dimensional image matrix);
computing a distance metric between each pair of the snapshots based on the corresponding sets of weighted vectors (Abstract: A multivariate correlation analysis approach is introduced to accurately depict network traffic records and to convert the records into the respective images. The images of network traffic records are used as observed objects of our proposed DoS attack detection system, which is developed based on a widely used dissimilarity measure, namely Earth Mover's Distance (EMD). EMD takes cross-bin matching into account and provides a more accurate evaluation on the p and x2 statistics. Page 2, col. 1: Finally, to improve the detection accuracy, our proposed system adopts the principle of object shape recognition and Earth Mover's Distance (EMD) [14] (a robust distance metric) in the design of attack detection; see also page 6, col. 1); and
detecting an abnormal snapshot among the plurality of snapshots based on the distance metrics (page 1, col. 1: Finally, to improve the detection accuracy, our proposed system adopts the principle of object shape recognition and Earth Mover's Distance (EMD) [14] (a robust distance metric) in the design of attack detection. To the best of our knowledge, it is the first time that EMD has ever been applied to the field of network DoS attack detection).
Tan does not explicitly disclose, but Bhattacharya teaches, identifying a plurality of events/records of a data structure (FIG. 8, 801 and associated text);
identifying a plurality of leaf nodes of the data structure for each event/record (FIG. 8, 803, 805 and associated text). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Tan's method with the teaching of Bhattacharya in order to protect computer networks from attacks (Bhattacharya col line 10-15).
Tan in view of Bhattacharya does not, but Coskun teaches, generating a vector of data attributes for each of the nodes (FIG. 8, 820-830; [0047] In some examples, the feature analyzer 460 analyzes k features for the entities 130(A), 130(B), . . . , 130(N) in the first network 120 of FIG. 1. In such examples, each of the entities 130(A), 130(B), . . . , 130(N) has a k-dimensional vector value corresponding to the feature values.);
assigning a weight to each of the vectors to produce a set of weighted vectors ([0055] In some examples, the weight adjuster 466 of the feature analyzer 466 adjusts the respective weights of the parameter vector w using a stochastic gradient descent method to reduce the computational complexity of an analysis (e.g., due to a large number of entities, features, etc.).);
computing a distance metric between each pair of the snapshots based on the corresponding sets of weighted vectors ([0047] The example distance function calculator 464 iteratively calculates a distance (e.g., a feature vector value difference) between the selected entities using a distance function (e.g., a weighted Euclidean distance function) to identify which of the features (e.g., which ones of the example overall aggregate features 600, the example per-type aggregate features 700, and/or the example extended features) are indicative of malicious activity. The example weight adjuster 466 assigns weights (w.sub.i) of the distance function for each generated feature i, which may be preprocessed to have zero mean and unit variance. During analysis of the features, the example weight adjuster 466 iteratively adjusts the weights (w.sub.i) of the distance function (e.g., based on stochastic gradient descent), as disclosed herein, to distinguish suspected malicious entities in the first network 120 from other entities in the first network 120). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Tan in view of Bhattacharya's method with the teaching of Coskun in order to identify malicious behavior in a network from network log records (Coskun [0001]).

wherein: each of the plurality of snapshots corresponds to a backup of the data structure at a different point in time (Coskun FIG. 8, 810-820; log records are from stored backups). Motivation would be the same as stated in claim 1.

With regards to claims 3, 12, 17, Tan in view of Bhattacharya and Coskun discloses identifying a tree structure on the data structure, wherein the leaf nodes of the data structure correspond to a bottom level of the tree structure (Bhattacharya FIG. 9A-9C and associated text). Motivation would be the same as stated in claim 1.

With regards to claim 6, Tan in view of Bhattacharya and Coskun discloses, wherein: the weight assigned to each of the vectors corresponds to a number of files associated with a corresponding leaf node (Bhattacharya FIG. 8, 803 and associated text; note: vector value set for the Event ID of a leaf node). Motivation would be the same as stated in claim 1.

With regards to claim 7, Tan in view of Bhattacharya and Coskun discloses, wherein: the weight assigned to each of the vectors corresponds to a cybersecurity risk associated with a corresponding leaf node (Bhattacharya col. 8, lines 0-10: then in step 621 the leaf node invokes its parent node such that this incoming event message will be correlated with other event messages that previously registered at other leaf nodes, in order to detect the existence of a high-level network attack.). Motivation would be the same as stated in claim 1.

With regards to claim 9, Tan further discloses, wherein: the distance metric comprises an earth mover's distance, a Kantorovich-Mallows distance, a Wasserstein distance, or any combination thereof (Tan Abstract).

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Tan et al. (Tan et al., "Detection of Denial-of-Service Attacks Based on Computer Vision Techniques", IEEE Transactions on Computers, Vol. 64, No. 9, 1 September 2015, pp. 2519-2533; IDS supplied) in view of Bhattacharya et al. (US 7483972 B2) and further in view of Coskun (US 20150135320 A1) and in view of Bedhapudi et al. (US 20190108341 A1).

With regards to claim 4, Tan in view of Bhattacharya and Coskun does not, but Bedhapudi discloses, wherein: the tree structure corresponds to a file directory of the data structure (Bedhapudi [0079]: In general, primary data 112 can include files, directories, file system volumes, data blocks, extents, or any other hierarchies or organizations of data objects. As used herein, a "data object" can refer to (i) any file that is currently addressable by a file system or that was previously addressable by the file system (e.g., an archive file), and/or to (ii) a subset of such a file (e.g., a data block, an extent, etc.). Primary data 112 may include structured data (e.g., database files), unstructured data (e.g., documents), and/or semi-structured data. See, e.g., FIG. 1B.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Tan in view of Bhattacharya and Coskun's method with 

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Tan et al. (Tan et al., "Detection of Denial-of-Service Attacks Based on Computer Vision Techniques", IEEE Transactions on Computers, Vol. 64, No. 9, 1 September 2015, pp. 2519-2533; IDS supplied) in view of Bhattacharya et al. (US 7483972 B2) and further in view of Coskun (US 20150135320 A1) and in view of Kapoor et al. (US 20070192863 A1).

With regards to claim 5, Tan in view of Bhattacharya and Coskun does not, but Kapoor discloses, wherein: each of the vectors comprises values corresponding to a path depth attribute, a file size, a file count, a file extension attribute, a file modification attribute, or any combination thereof (Kapoor [0554]: This artificial neuron approach, optionally embodied in a self-organizing map architecture or neural net, may be used to detect viruses, including, but not limited to, ones associated with network shares, software vulnerabilities, mass-mailers, worms, internet relay chat, shared drives, instant messages, infected files, peer-to-peer networks, physical drives, removable drives, floppy drives, spammed email, wireless (e.g., Bluetooth), and other infection vectors. This flow processing facility architecture may be used to analyze virus vectors, including, but not limited to, Trojan horses, Windows networking shares, worms, scripts, email spoofing, hidden text file extensions, chat clients, packet sniffing, root kits, bots, and other means of virus delivery.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Tan in view of .

Claims 10, 14, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Tan et al. (Tan et al., "Detection of Denial-of-Service Attacks Based on Computer Vision Techniques", IEEE Transactions on Computers, Vol. 64, No. 9, 1 September 2015, pp. 2519-2533; IDS supplied) in view of Bhattacharya et al. (US 7483972 B2) and further in view of Coskun (US 20150135320 A1) and Boettecher et al. (US 7885791 B2).

With regards to claims 10, 14, 19, Tan in view of Bhattacharya and Coskun further teaches computing a local reachability density for each of the snapshots based on the computed distance metrics (Tan page 4, col. 2); and
Tan in view of Bhattacharya and Coskun does not, but Boettecher discloses, determining whether the local reachability density for each of the records is below a threshold based on neighboring records, wherein the abnormal record is identified based on the determination (Boettecher col. 2, lines 55-67: The present invention allows small and moving patterns in very noisy data to be detected. The present invention allows the development of clusters to be tracked over time and, more importantly, to distinguish tiny local structures from incidental data agglomerations. If data agglomerates by chance, it is very unlikely that this coincidence will happen over and over again. It is shown below that the present invention is capable of identifying very small local patterns, even in cases where there is much more noise than substantial data points, with only a very small number of false positives being flagged.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Tan in view of Bhattacharya and Coskun's method with the teaching of Boettecher in order to detect patterns in data and in particular the formation and evolution of clusters of data points (Boettecher col. 1, lines 5-15).
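The claimed pipeline as it is laid out in claims 1, 9 and 10 above (one attribute vector per leaf directory, weighted by file count; an earth mover's distance between backup snapshots; a local reachability density compared against that of neighboring snapshots) is shown below as an added worked example in Python. This code is not part of the application, of this Office action, or of any of the cited references (Tan, Bhattacharya, Coskun, Boettecher); it was written for illustration. Its assumptions: a snapshot is a flat file listing of (path, size in KB, modification day); the leaf vector is (path depth, file count, distinct extensions, log2 of total size, newest modification day), i.e. the attribute kinds listed in claim 5; the distance is the exact one-dimensional earth mover's distance taken per attribute and summed, which is a simplification of the multidimensional EMD (that needs a transportation solver) but is still a metric on the weighted leaf sets; and the neighborhood test is the standard local outlier factor (LOF), so a snapshot whose local reachability density is well below that of its k nearest neighbors gets a LOF above the threshold and is flagged. The five listings are constructed: four daily backups that differ only by log rotation, then a fifth in which the home directory has been mass-renamed and re-sized the way an encryption event would leave it.

```python
from collections import defaultdict
from math import log2
from typing import Dict, List, Tuple

# A snapshot is a flat file listing taken from one backup:
# (full path, size in KB, modification day). All listings here are constructed.
Snapshot = List[Tuple[str, int, int]]


def leaf_vectors(snapshot: Snapshot) -> Dict[str, Tuple[int, tuple]]:
    """Group files by leaf directory (bottom level of the tree) and build one
    attribute vector per leaf: (path depth, file count, distinct extensions,
    log2 of total KB, newest modification day). The weight attached to each
    vector is the leaf's file count."""
    by_leaf = defaultdict(list)
    for path, size_kb, mtime in snapshot:
        leaf, _, name = path.rpartition("/")
        by_leaf[leaf].append((name, size_kb, mtime))
    out = {}
    for leaf, files in by_leaf.items():
        depth = len(leaf.strip("/").split("/"))
        count = len(files)
        exts = {n.rsplit(".", 1)[1] for n, _, _ in files if "." in n}
        total_kb = sum(s for _, s, _ in files)
        newest = max(m for _, _, m in files)
        out[leaf] = (count, (depth, count, len(exts), log2(total_kb), newest))
    return out


def emd_1d(p: List[Tuple[float, float]], q: List[Tuple[float, float]]) -> float:
    """Exact one-dimensional earth mover's distance between two weighted point
    sets (value, mass), each of unit total mass: the area between their CDFs."""
    mass_p, mass_q = defaultdict(float), defaultdict(float)
    for v, m in p:
        mass_p[v] += m
    for v, m in q:
        mass_q[v] += m
    xs = sorted(set(mass_p) | set(mass_q))
    fp = fq = total = 0.0
    for x, x_next in zip(xs, xs[1:]):
        fp += mass_p[x]
        fq += mass_q[x]
        total += (x_next - x) * abs(fp - fq)
    return total


def snapshot_distance(a: Snapshot, b: Snapshot) -> float:
    """Sum over attributes of the 1-D EMD between the weighted leaf vectors of
    two snapshots. Weights are normalized so each snapshot carries unit mass."""
    la, lb = leaf_vectors(a), leaf_vectors(b)
    wa = sum(w for w, _ in la.values())
    wb = sum(w for w, _ in lb.values())
    dims = len(next(iter(la.values()))[1])
    total = 0.0
    for d in range(dims):
        p = [(vec[d], w / wa) for w, vec in la.values()]
        q = [(vec[d], w / wb) for w, vec in lb.values()]
        total += emd_1d(p, q)
    return total


def local_outlier_factors(dist: List[List[float]], k: int) -> List[float]:
    """Standard LOF over a full distance matrix. lrd(i) is the inverse mean
    reachability distance to i's k nearest neighbours; LOF(i) is the mean lrd
    of those neighbours divided by lrd(i). Inliers score close to 1."""
    n = len(dist)
    knn = []
    for i in range(n):
        order = sorted((dist[i][j], j) for j in range(n) if j != i)
        knn.append([j for _, j in order[:k]])
    kdist = [dist[i][knn[i][-1]] for i in range(n)]
    lrd = []
    for i in range(n):
        reach = [max(kdist[j], dist[i][j]) for j in knn[i]]
        lrd.append(len(reach) / max(sum(reach), 1e-12))  # guard identical snapshots
    return [sum(lrd[j] for j in knn[i]) / len(knn[i]) / lrd[i] for i in range(n)]


def detect_abnormal(snapshots: List[Snapshot], k: int = 2, threshold: float = 2.0):
    """Pairwise snapshot distances, LOF per snapshot, and the indices whose LOF
    exceeds the threshold (their density is far below their neighbours')."""
    n = len(snapshots)
    dist = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            dist[i][j] = dist[j][i] = snapshot_distance(snapshots[i], snapshots[j])
    lof = local_outlier_factors(dist, k)
    return dist, lof, [i for i, f in enumerate(lof) if f > threshold]


def make_snapshots() -> List[Snapshot]:
    """Constructed sample: days 0-3 differ only by the daily log rotation; on
    day 4 everything under /home/alice is renamed .locked with doubled size."""
    def normal(day: int) -> Snapshot:
        return [("/home/alice/docs/report.docx", 48, 0), ("/home/alice/docs/notes.txt", 16, 0),
                ("/home/alice/photos/a.jpg", 512, 0), ("/home/alice/photos/b.jpg", 512, 0),
                ("/srv/db/main.sqlite", 2048, 0),
                ("/var/log/app/app.log", 256, day), ("/var/log/app/app.log.1", 256, day)]
    encrypted: Snapshot = [
        ("/home/alice/docs/report.docx.locked", 96, 4), ("/home/alice/docs/notes.txt.locked", 32, 4),
        ("/home/alice/photos/a.jpg.locked", 1024, 4), ("/home/alice/photos/b.jpg.locked", 1024, 4),
        ("/srv/db/main.sqlite", 2048, 0),
        ("/var/log/app/app.log", 256, 4), ("/var/log/app/app.log.1", 256, 4)]
    return [normal(d) for d in range(4)] + [encrypted]


if __name__ == "__main__":
    dist, lof, flagged = detect_abnormal(make_snapshots())
    for row in dist:
        print(" ".join(f"{d:5.2f}" for d in row))
    print("LOF:", [round(f, 3) for f in lof], "flagged:", flagged)
```

Running the module prints the distance matrix and the LOF of each snapshot. With the constructed listings the four normal backups sit on a chain at spacing 2/7 (only the log leaf's modification day moves) and all score a LOF of exactly 1.0, while the fifth backup is 24/7 away from its nearest neighbor and scores 25/3, so only index 4 is flagged at a threshold of 2.0. Which attribute moved the mass can be read off by calling emd_1d per attribute, which is the kind of triage a responder wants before restoring from a suspect backup.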

Allowable Subject Matter
Claims 8, 13, 18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMED WALIULLAH whose telephone number is (571) 270-7987. The examiner can normally be reached 8:30 to 4:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Yin-Chen Shaw, can be reached at 1-571-272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

/MOHAMMED WALIULLAH/Primary Examiner, Art Unit 2498