DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Applicant(s) Response to Official Action
The after final response filed on 2/23/2022 has been entered and made of record.  
Priority
Applicant’s claim of priority to Chinese Application 201811061492.X, filed on 09/12/2018, is hereby acknowledged; the papers submitted under 35 U.S.C. § 119(a)-(d) have been placed of record in the file.

Information Disclosure Statement PTO-1449
The Information Disclosure Statement(s) submitted by applicant on 2/23/2022 has/have been considered. The submission is in compliance with the provisions of 37 CFR § 1.97. Form PTO-1449 is signed and attached hereto.

Response to Amendment/Remarks
In the response filed, Claims 1, 8, and 15 were amended. Claims 5-6, 12-13, and 19 were canceled. Claims 1-4, 7-11, 14-18 and 20 were presented for examination.

Applicants’ amendments/remarks regarding rejections under 35 USC 101 to their respective pending claims have been fully considered, are persuasive, and 

Allowable Subject Matter
Claims 1-4, 7-11, 14-18 and 20 are allowed.  

The following is an Examiner's statement of reasons for allowance:

The independent claims generally describe a method to detect security events using security graphs. Various examples found in the art describe aspects of the claimed invention. Puri et al. (US 2016/0253232 A1), ¶ 24, ¶ 30, and ¶ 32, teaches an anomaly detection system that is used for security event detection, in which the log information contains various fields. Puri, ¶ 30 and ¶ 57-58, teaches matching graphs created from log data to detect an anomaly event. Puri, ¶ 55, teaches determining and sorting weights for graphs.
Puri does not, but in related art, Hassanzadeh et al. (US 2019/0141058 A1) ¶ 24, teaches security sensors are deployed at various points of a network and host-based intrusion detection system in multiple domains.  Hassanzadeh, Figs. 6-7, ¶ 68-78 discloses searching through a plurality of alerts and creating a correlation graph 600 to determine various kill chains of linked alerts.  Hassanzadeh, ¶ 76, dependency is determined for each of the one or more pairs 
Puri in view of Hassanzadeh does not, but in related art, Teverovsky et al. (US 2019/0281010 A1) ¶ 26 and ¶ 61 teaches a correlation engine that matches cause and effect security events.
Puri in view of Hassanzadeh does not, but in related art, Hogg et al. (US 2019/0236661 A1) ¶ 125 and ¶ 130 teaches an event risk measuring system which applies a specific weight to different security domain levels for calculating the overall vulnerability score.
However, as applicant notes, “Puri does not teach removing random events by determining a relationship among linked security events by searching, for a first security event of the plurality of security-related security events, one or more second security events related to the first security event from the plurality of security-related security events according to one or more fields of the plurality of fields of the first security event, wherein the one or more second security events and the first security event, form event graphs, and the searching is performed until no new event is correlated into an event graph; calculating weights of the event graphs; sorting the event graphs according to the weights calculated; and determining a security threat to the operational environment based on the weighted event graphs of the linked security events thereby reducing a rate of false security threat reports”. 
Hence, while various art tangentially discusses aspects of the claimed invention, none of the prior art, individually or in reasonable combination, discloses the claimed invention.
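
The correlation steps named in the quoted limitation (search by shared fields until no new event is correlated, weight the event graphs, sort them) can be sketched as follows. This is an added illustration, not code from the application, the applicant, or the cited references; the field names, sample events, per-domain weights and the weight formula are all assumptions, since this page does not specify them.

```python
# Constructed sample events; field names, values and weights are illustrative assumptions.
EVENTS = [
    {"id": 1, "domain": "network",  "src_ip": "10.0.0.5",     "host": "web01",  "user": None},
    {"id": 2, "domain": "host",     "src_ip": None,           "host": "web01",  "user": "svc_app"},
    {"id": 3, "domain": "identity", "src_ip": None,           "host": "dc01",   "user": "svc_app"},
    {"id": 4, "domain": "network",  "src_ip": "198.51.100.7", "host": "mail01", "user": None},
    {"id": 5, "domain": "host",     "src_ip": None,           "host": "db02",   "user": "alice"},
    {"id": 6, "domain": "host",     "src_ip": None,           "host": "db02",   "user": None},
]
LINK_FIELDS = ("src_ip", "host", "user")                         # fields used to correlate
DOMAIN_WEIGHT = {"network": 1.0, "host": 2.0, "identity": 3.0}   # assumed values

def related(a, b):
    """Two events are linked when any link field is present and equal in both."""
    return any(a[f] is not None and a[f] == b[f] for f in LINK_FIELDS)

def build_event_graphs(events):
    """Grow one graph per seed event until no new event is correlated into it."""
    unvisited = {e["id"]: e for e in events}
    graphs = []
    while unvisited:
        first = unvisited.pop(next(iter(unvisited)))
        nodes, edges, frontier = [first], [], [first]
        while frontier:  # stops when the last pass pulled in nothing new
            cur = frontier.pop()
            for eid in [i for i, e in unvisited.items() if related(cur, e)]:
                nxt = unvisited.pop(eid)
                nodes.append(nxt)
                edges.append((cur["id"], nxt["id"]))
                frontier.append(nxt)
        graphs.append({"nodes": nodes, "edges": edges})
    return graphs

def graph_weight(graph):
    """Assumed formula: summed domain weights, scaled by the number of distinct domains."""
    domains = [n["domain"] for n in graph["nodes"]]
    return sum(DOMAIN_WEIGHT[d] for d in domains) * len(set(domains))

def rank_threats(events):
    """Drop unlinked (single-event) graphs, then sort the rest by descending weight."""
    linked = [g for g in build_event_graphs(events) if g["edges"]]
    ranked = sorted(linked, key=graph_weight, reverse=True)
    return [(graph_weight(g), sorted(n["id"] for n in g["nodes"])) for g in ranked]

if __name__ == "__main__":
    for weight, ids in rank_threats(EVENTS):
        print(weight, ids)
```

In this sketch, event 4 shares no field value with any other event, so it forms a single-node graph and is excluded from the ranking; treating such graphs as the unlinked "random events" is an assumption of the example.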


Any comments considered necessary by Applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments to Statement of Reasons for Allowance.”  

Additionally, the closest prior art has been supplied in the record.  

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:  See PTO-892.  

Any inquiry concerning this communication or earlier communications from the examiner should be directed to STEPHEN GUNDRY whose telephone number is (571)270-0507.  The examiner can normally be reached on Monday - Friday 8:30 AM - 5PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-273-3685.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.  	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published 



/STEPHEN T GUNDRY/Examiner, Art Unit 2435  

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435