DETAILED ACTION


1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

2.	Claims 1-20 are pending.  Claims 1, 12 and 20 are independent.  

3.	The IDS submitted on 9/10/2019 and the IDS submitted on 2/25/2020 have been considered.

Claim Rejections - 35 USC § 102
4.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

5.	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 1-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Patterson (US PG Pub. 2018/0069885).
	As regarding claim 1, Patterson discloses A method for implementing dynamic graph analysis (DGA) to detect anomalous network traffic, comprising: 
processing communications and profile data associated with a plurality of devices to determine at least one dynamic graph [para. 40-41 and 53-54; generating a dynamic graph based on log data collected in a time-series]; 
generating, by a processor device, at least one feature to model temporal behaviors of network traffic generated by the plurality of devices based on the at least one dynamic graph [para. 59-60; generating graph time series features for the graphical model]; and 
formulating a list of prediction results for sources of anomalous network traffic from the plurality of devices based on the temporal behaviors [para. 19, 54 and 61; determining abnormal/anomalous behavior].  

As regarding claim 2, Patterson further discloses The method as recited in claim 1, wherein the at least one feature comprises a plurality of features selected from a group including static one-hop features, dynamic one-hop features, static multi-hop features and dynamic multi-hop features [para. 73 and 84].  

As regarding claim 3, Patterson further discloses The method as recited in claim 1, wherein the at least one feature comprises a plurality of features, further comprising: 
concatenating the plurality of features [para. 20, 42, 60-61 and 73].  

As regarding claim 4, Patterson further discloses The method as recited in claim 2, wherein the static one-hop features further comprise at least one of: a degree-based feature, a weighted degree-based feature and an aggregated feature [para. 40 and 80].  

As regarding claim 5, Patterson further discloses The method as recited in claim 4, wherein the static one-hop features further comprise at least one of: a yearly based ratio feature and a monthly based ratio feature [para. 54 and 69].  

As regarding claim 6, Patterson further discloses The method as recited in claim 2, wherein the dynamic one-hop features further comprise at least one of: an ego-net-based feature [para. 42 and 59], a clustering feature, a pagerank-based feature and an aggregated feature [para. 40 and 80].  

As regarding claim 7, Patterson further discloses The method as recited in claim 6, wherein the dynamic one-hop features further comprise at least one of: a degree-based feature, a weighted degree-based feature and an aggregated feature [para. 40 and 80].  

As regarding claim 8, Patterson further discloses The method as recited in claim 2, wherein the static multi-hop features further comprise at least one of: at least one degree-based feature, at least one weighted degree-based feature and at least one aggregated feature [para. 40 and 80].  

As regarding claim 9, Patterson further discloses The method as recited in claim 8, wherein the at least one degree-based feature further comprises at least one of: a maximal value of at least one feature of monthly snapshots in each year, a minimal value of at least one feature of monthly snapshots in each year, a mean value of at least one feature of monthly snapshots in each year, a variance of at least one feature of monthly snapshots in each year, and a sum of at least one feature of monthly snapshots in each year [para. 54 and 69].  

As regarding claim 10, Patterson further discloses The method as recited in claim 2, wherein the dynamic multi-hop features further comprise at least one of: an ego-net-based feature [para. 42 and 59], a clustering feature, and a pagerank-based feature [para. 40 and 80].
  
As regarding claim 11, Patterson further discloses The method as recited in claim 1, wherein outputting the list of prediction results based on the at least one feature further comprises: detecting at least one anomalous device using a trained model based on the at least one feature [para. 19, 54 and 60-61].  

As regarding claim 12, Patterson discloses A computer system for implementing dynamic graph analysis (DGA) to detect anomalous network traffic, comprising: 
a processor device operatively coupled to a memory device [para. 32, 93 and 95], the processor device being configured to: 
process communications and profile data associated with a plurality of devices to determine at least one dynamic graph [para. 40-41 and 53-54; generating a dynamic graph based on log data collected in a time-series];  
generate at least one feature to model temporal behaviors of network traffic generated by the plurality of devices based on the at least one dynamic graph [para. 59-60; generating graph time series features for the graphical model]; and 
formulate a list of prediction results for sources of anomalous network traffic from the plurality of devices based on the temporal behaviors [para. 19, 54 and 61; determining abnormal/anomalous behavior].  

As regarding claim 13, Patterson further discloses The system as recited in claim 12, wherein the at least one feature comprises a plurality of features selected from a group including static one-hop features, dynamic one-hop features, static multi-hop features and dynamic multi-hop features [para. 73 and 84].  

As regarding claim 14, Patterson further discloses The system as recited in claim 13, wherein the at least one feature comprises a plurality of features and wherein the processor device is further configured to: 
concatenate the plurality of features [para. 20, 42, 60-61 and 73].  

As regarding claim 15, Patterson further discloses The system as recited in claim 13, wherein the static one-hop features further comprise at least one of: a degree-based feature, a weighted degree-based feature and an aggregated feature [para. 40 and 80].  

As regarding claim 16, Patterson further discloses The system as recited in claim 15, wherein the static one-hop features further comprise at least one of: a yearly based ratio feature and a monthly based ratio feature [para. 54 and 69].  

As regarding claim 17, Patterson further discloses The system as recited in claim 13, wherein the dynamic one-hop features further comprise at least one of: an ego-net-based feature, a clustering feature, a pagerank-based feature and an aggregated feature [para. 42 and 59].  

As regarding claim 18, Patterson further discloses The system as recited in claim 17, wherein the dynamic one-hop features further comprise at least one of: a degree-based feature, a weighted degree-based feature and an aggregated feature [para. 40 and 80].  

As regarding claim 19, Patterson further discloses The system as recited in claim 12, wherein, when outputting the list of prediction results based on the at least one feature, the processor device is further configured to: detect at least one anomalous device using a trained model based on the at least one feature [para. 19, 54 and 60-61].  

As regarding claim 20, Patterson discloses A computer program product for implementing dynamic graph analysis (DGA) to detect anomalous network traffic, the computer program product comprising a non-transitory computer readable storage medium having program instructions embodied [para. 33 and 93] therewith, the program instructions executable by a computing device to cause the computing device to perform the method comprising: 
processing communications and profile data associated with a plurality of devices to determine at least one dynamic graph [para. 40-41 and 53-54; generating a dynamic graph based on log data collected in a time-series];  
generating, by the computing device, at least one feature to model temporal behaviors of network traffic generated by the plurality of devices based on the at least one dynamic graph [para. 59-60; generating graph time series features for the graphical model]; and 
formulating a list of prediction results for sources of anomalous network traffic from the plurality of devices based on the temporal behaviors [para. 19, 54 and 61; determining abnormal/anomalous behavior].








Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THONG P TRUONG whose telephone number is (571)270-7905.  The examiner can normally be reached on M-F 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on 57127267986798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).  If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/THONG TRUONG/
Examiner, Art Unit 2433

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433