Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims
2.	This Office Action is issued in response to the claims filed on 10/31/2019.
Claims 1-20 are pending in this Office Action.	

Information Disclosure Statement
3.	The information disclosure statements (IDS) submitted on 10/31/2019 and 3/24/2020 have been considered by the Examiner.

Specification Objections
4.	In the specification, paragraph [0001]- line 5, paragraph [0024]- line 5, paragraph [0060]- line 9, and paragraph [0077]- line 11 recite: “U.S. Patent Application No. 16/5135122” which should be “U.S. Patent Application No. 16/5135[[1]]22”.  Appropriate corrections are required.

				Claim Objections
5.	a. Claim 13 misses a punctuation at the end of the claim.
b. Claim 15 recites “The method of claim 14, wherein determining that the first network sentence and the second network second network sentence…” which seems 
Appropriate corrections are required.

Claim Rejections - 35 USC § 103
6.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

7.	Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Braunstein et al. (US 2020/0193305), hereinafter “Braunstein”, in view of Wang et al. (US 2021/0124802), hereinafter “Wang” and in view of Modi et al. (US 2019/0028557), hereinafter “Modi”.
	Regarding claim 1, Braunstein discloses a method for analyzing access patterns within a communication network, comprising: 
generating, by a network device, a network sentence embeddings model based on a crafted corpus of sequences of servers associated with a particular user, wherein the network sentence embeddings model includes an embedding space of text that embeds a semantic meaning of each of a plurality of network sentences in the embedding space and embeds each of the plurality of network sentences at a position in the embedding space (Fig. 1 with associated text and paragraph [0026]: analytic system 120-network device-receives and extracts information related to data exchanged between machines 110; A machine 110 may be any server in the network 100; paragraphs [0039]-[0040]: “the received data is parsed into a network language, consisting of elements paralleling a natural language. Specifically, the received data may be parsed into words, sentences, paragraphs, and the like, language features for which NLP techniques are established.”  Paragraphs [0053]-[0055]: word embeddings into dimensional space and grouping words with semantic similarity; paragraph [0067]: natural language corpus; paragraph [0037]: received data set identifies users or user devices; paragraph [0046]: sentences are associated with a user or user’s unique ID.  Note: Machine 110 could be a user when it requests access to other machines 110); 
determining a proximity measure between positions within the embedding space that correspond to two or more network sentences in the embedding space (paragraph [0054]: determining distance between words of the parsed sentences), wherein each of the plurality of network sentences represent an access pattern of the sequences of servers accessed by the particular user within the communication network (paragraphs [0026]-[0027] and [0065]-[0066]: analyzing packet of communications between two  or more machines for anomaly; paragraph [0031]: generating anomaly-detection events based on patterns extracted from the received content and context data.  Note: when a machine communicates with multiple machines, plurality packets of communications will be obtained); 
[identifying whether the two or more network sentences are proximately positioned from each other in the embedding space or distantly positioned from each other in the embedding space based on the proximity measure, wherein proximately positioned network sentences indicate an equivalence of the semantics for the two or more network sentences associated with the particular user and indicates an equivalence of the sequence of servers] accessed by the particular user at various access times (paragraph [0055]: word embedding may be constructed based on chronological ordering which could reflect various communication time between machines-various access times), and 
upon determining that [the two or more network sentences are distantly positioned from each other in the embedding space], detecting a potential security threat associated with [the particular user] within the communication network with respect to network security based on divergent access patterns associated with [the particular user] at various times (paragraphs [0063]-[0065] and [0071]-[0072]: detecting anomaly based on semantic similarity and divergence from expected pattern of data).
Braunstein does not explicitly disclose identifying whether the two or more network sentences are proximately positioned from each other in the embedding space or distantly positioned from each other in the embedding space based on the proximity measure, wherein proximately positioned network sentences indicate an equivalence of the semantics for the two or more network sentences associated with the particular user and indicates an equivalence of the sequence of servers accessed by the particular user and the potential security threat associated with the particular user.  However, determining sentence similarity based on proximity and distance is known in the art and Wang’s teaching is an example (paragraph [0020]).  Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Braunstein’s teaching of utilizing semantic similarity in detection of anomalies with Wang’s teaching of determining sentence similarity based on proximity and distance because the result would be predictable and resulted in identifying whether the two or more network sentences are proximately positioned from each other in the embedding space or distantly positioned from each other in the embedding space based on the proximity measure, wherein proximately positioned network sentences 
Braunstein and Wang do not explicitly disclose the potential security threat associated with the particular user.  However, detecting potential security threat associated with a particular user is known in the art and Modi’s teaching is an example (paragraphs [0006], [0014]-[0015]: identifying suspicious user interactions).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Braunstein and Wang’s teachings of utilizing semantic similarity in detection of anomalies and determining sentence similarity based on proximity and distance with Modi’s teaching of detecting potential security threat associated with a particular user.  The motivation to do so would be to prevent unauthorized access to computers and computer networks as taught by Modi (paragraphs [0002]-[0004] and [0050]).  
Regarding claim 2, Braunstein, Wang and Modi disclose the method of claim 1, further comprising: 
receiving, by the network device, a plurality of transaction records associated with network interactions amongst a plurality of network entities in the communication network (Braunstein, paragraphs [0026]-[0027]: receiving and analyzing communications of two or  more machines;  paragraph [0029]: communications with plurality of packets-plurality of interactions);
analyzing, by the network device, the plurality of transaction records to identify the sequences of servers that are accessed by the particular user at various access times within the network, wherein the servers are identified as text strings using text (Braunstein, paragraph [0035]: source IP-accessing user and destination IP-accessed server in text strings.  Fig.1 with associated text: a machine could communicate with plural machines.  Note: it is known that a machine could communicate with plurality machines at the same of different time and accordingly, plurality of communication packets could be obtained); and 
upon determining that the two or more network sentences are proximately positioned from each other in the embedding space, detecting nominal network activity within the communication network with respect to network security based on equivalent access patterns associated with the particular user (The combination of Braunstein’s teaching of analyzing semantic similarity of network sentences associate with user and access pattern and Wang’s teaching of determining sentence similarity based on proximity from claim 1 presented above and distance would result in an obvious and predictable result that the two or more network sentences are proximately positioned from each other in the embedding space, detecting nominal network activity within the communication network with respect to network security based on equivalent access patterns associated with the particular user).
Regarding claim 3, Braunstein, Wang and Modi disclose the method of claim 2, wherein determining that the two or more network sentences are proximately positioned from each other in the embedding space indicates an equivalence of semantics for the sequences of servers accessed by the particular user at various access times that are accessed within the same communication network (Braunstein, Fig. 1 with associated text machines 110 are in the same network 100.  Wang, paragraph [0029]: smaller distance or proximity increases similarity of sentences and accordingly, increases semantic equivalent of sentences).
Regarding claim 4, Braunstein, Wang and Modi disclose the method of claim 3, wherein determining that the two or more network sentences are distantly positioned from each other in the embedding space indicates a divergence of the semantics for the two or more network sentences associated with the particular user (Braunstein, Fig. 1 with associated text machines 110 are in the same network 100.  Wang, paragraph [0029]: bigger distance or proximity decreases similarity of sentences and accordingly, indicates divergence of the semantics for sentences).
Regarding claim 5, Braunstein, Wang and Modi disclose the method of claim 4, wherein the divergence of the semantics for the two or more network sentences associated with the particular user further indicates a divergence of the sequence of servers accessed by the particular user at various access times (Braunstein, paragraph [0053]: data is parsed into groups.  Paragraph [0066]: word embedding could determine destination IP-accessed server.  Paragraph [0055]: word embedding may be constructed in chronological ordering.  Wang, paragraph [0029]: sentence similarity with word vector space.  The combination of Braunstein and Wang’s teachings would have an obvious and predictable result that the divergence of the semantics for the two or more network sentences associated with the particular user indicates a divergence of the sequence of servers accessed by the particular user at various access times).
Regarding claim 6, Braunstein, Wang and Modi disclose the method of claim 5, further comprising: generating, by the network device, the crafted corpus of the plurality of network sentences corresponding to the plurality of transaction records, wherein the network sentences comprise the sequence of servers that are accessed by the particular user within the communication network at various access times (Braunstein, Fig. 1 with associated text: machines 110 communicate with each other.  A machine could communicate with other machines at the same or different time.  Paragraphs [0026]-[0027]: receiving and analyzing communications of two or more machines;  paragraph [0029]: communications with plurality of packets-plurality of interactions.  Paragraph [0055]: word embedding may be constructed in chronological ordering. Note: a machine could be considered as a user; packet of communication between two machines is transaction record.  When a machine communicates with plurality machines-servers- at the same of different time, plurality of communication packets could be obtained.  When plurality of communication packets of a machine with multiple machines are constructed in chronological ordering sentences, a corpus is formed.)
Regarding claim 7, Braunstein, Wang and Modi disclose the method of claim 1, further comprising: adding to the crafted corpus a second plurality of network sentences associated with a second particular user at a second communication network; adding the second plurality of network sentences to the network sentence embeddings model (Braunstein, Fig. 1 with associated text: machines 110 communicate with each other.  A machine could communicate with other machines at the same or different time.  Paragraphs [0026]-[0027]: receiving and analyzing communications of two or more machines;  paragraph [0029]: communications with plurality of packets-plurality of interactions.  Note: each machine could have a corpus of sentence of its communication with other machines, so multiple machines-second users- will result in multiple corpuses of network sentences); and determining a proximity measure between positions within the embedding space that correspond to a first network sentence associated with a first particular user at a first communication network and a second network sentence associated with the second particular user at the second communication network in the embedding space (When a machine communicates with a certain numbers of other machines, it creates its own communication network with those other machine; in other words, each machine will create a communication network with the machines that it communicates.  The teachings in claim 1 is obviously applicable to all machines 110 of Braunstein; therefore, a second plurality of network sentences associated with a second particular user at a second communication network is an obvious and predictable result).
Regarding claim 8, Braunstein, Wang and Modi disclose the method of claim 7, further comprising: identifying whether the first network sentence associated with the first particular user at the first communication network and the second network sentence associated with the second particular user at the second communication network are proximately positioned from each other in the embedding space or distantly positioned from each other in the embedding space based on the proximity measure, wherein proximately positioned network sentences indicate an equivalence of the semantics of the network sentences across the first communication network and the second communication network and indicates an equivalence of the sequence of servers accessed by the first particular user at the first communication network and the sequence of servers accessed by the second particular user at the second communication network (From claim 1 and 7 above, the combination of Braunstein’ teaching of constructing network sentences for machines with Examiner’s interpretation that each machine will create a communication network with the machines that it communicates, Wang’s teaching of determining sentence similarity based on proximity and distance and Modi’s teaching that users having similar roles expect to have similar behaviors (paragraph [0170]) would result in an obvious and predictable result of identifying whether the first network sentence associated with the first particular user at the first communication network and the second network sentence associated with the second particular user at the second communication network are proximately positioned from each other in the embedding space or distantly positioned from each other in the embedding space based on the proximity measure, wherein proximately positioned network sentences indicate an equivalence of the semantics of the network sentences across the first communication network and the second communication network and indicates an equivalence of the sequence of servers accessed by the first particular user at the first communication network and the sequence of servers accessed by the second particular user at the second communication network).
Regarding claim 9, Braunstein, Wang and Modi disclose the method of claim 7, wherein distantly positioned network sentences indicate a distinction between the first communication network and the second communication network (Braunstein, paragraph [0053]: data is parsed into groups.  Paragraph [0066]: word embedding could determine destination IP-accessed server. Wang, paragraph [0029]: sentence similarity with word vector space; smaller distance or proximity increases similarity of sentences and accordingly, increases semantic equivalent of sentences and vice versa.  Modi, paragraph [0170]:  users having similar roles expect to have similar behaviors.  The combination of Braunstein, Wang and Modi’s teaching makes it obvious that when sentences have accessed servers as word vector space, similarity of sentences would be based on the distance or proximity of the servers-communication network- that a machine communicates.  Since users with similar role would have similar behavior, the users would access similar servers and accordingly, divergence of network sentences should be based on the servers that these users access).
Regarding claim 10, Braunstein, Wang and Modi disclose the method of claim 1, wherein the network sentence embeddings model captures the semantic meaning of each of the plurality of network sentences within the embedding space such that the semantic meaning for the network sentence corresponds to a position of the network sentence within the embedding space (Wang, paragraph [0029]: sentence similarity with word vector space; smaller distance or proximity increases similarity of sentences and accordingly, increases semantic equivalent of sentences and vice versa.)
Regarding claim 11, Braunstein, Wang and Modi disclose the method of claim 10, wherein the network sentence embeddings model captures the semantic meaning of each of the plurality of network sentences in the embedding space such that network sentences with equivalent semantic meanings have positions that are proximately located within the embedding space (Wang, paragraph [0029]: paragraph [0029]: sentence similarity with word vector space; smaller distance or proximity increases similarity of sentences and accordingly, increases semantic equivalent of sentences and vice versa.)
Regarding claim 12, Braunstein, Wang and Modi disclose the method of claim 11, wherein measuring proximity between network sentences in the embedding space comprises determining whether the network sentences are proximately located within the embedding space indicating that the network sentences are semantically equivalent (Wang, paragraph [0029]: sentence similarity with word vector space; smaller distance or proximity increases similarity of sentences and accordingly, increases semantic equivalent of sentences and vice versa.)
Regarding claim 13, Braunstein discloses a method for analyzing access patterns across communication networks, comprising: 
generating, by a network device, a first crafted corpus of a plurality of network sentences corresponding to a plurality of transaction records, wherein the network sentences comprise sequences of network entities that are accessed within a first communication network (Fig. 1 with associated text and paragraph [0026]: analytic system 120-network device-receives and extracts information related to data exchanged between machines 110; paragraphs [0039]-[0040]: “the received data is parsed into a network language, consisting of elements paralleling a natural language. Specifically, the received data may be parsed into words, sentences, paragraphs, and the like, language features for which NLP techniques are established.”  Paragraph [0067]: natural language corpus; paragraph [0037]: received data set identifies users or user devices; paragraph [0046]: sentences are associated with a user or user’s unique ID.  Note: communication between a machine with other machines is a network for that machine. When a machine communicates with plurality machines at the same of different time, plurality of communication packets could be obtained and plurality of sentences are constructed accordingly, a corpus is formed); 
generating, by the network device, a second crafted corpus of a plurality of network sentences corresponding to a plurality of transaction records, wherein the network sentences comprise sequences of network entities that are accessed within a second communication network (Fig. 1 with associated text: each machine could have a corpus of sentence of its communication with other machines, so multiple machines-second users- will result in multiple corpuses of network sentences.  In the group of machines 110, one machine could have a corpus of sentences relating to machines that it communicates with and any other machine could a second corpus relating to machines that it communicates with); 
generating, by the network device, a network sentence embeddings model based on the first crafted corpus of sequences of network entities and the second crafted corpus of sequences of network entities, wherein the network sentence embeddings model includes an embedding space of text that embeds a semantic meaning of each of the plurality of network sentences in the embedding space and embeds each of the plurality of network sentences at a position in the embedding space (Paragraphs [0053]-[0055]: word embeddings into dimensional space and grouping words with semantic similarity); 
determining a proximity measure between positions within the embedding space that correspond to a first network sentences associated with the first network in the embedding space and a second network sentence associated with the second network (paragraph [0054]: determining distance between words of the parsed sentences); 
[identifying whether the first network sentence and the second network sentence are proximately positioned from each other in the embedding space or distantly positioned from each other in the embedding space based on the proximity measure, wherein proximately positioned network sentences indicate an equivalence of the semantics for the network sentences]; and 
upon determining that [the first network sentence and the second network sentence are distantly positioned from each other in the embedding space], detecting a potential security threat [across the first communication network and the second communication network with respect to network security based on divergent access patterns across the networks] (paragraphs [0063]-[0065] and [0071]-[0072]: detecting anomaly based on semantic similarity and divergence from expected pattern of data).
Braunstein does not explicitly disclose identifying whether the two or more network sentences are proximately positioned from each other in the embedding space or distantly positioned from each other in the embedding space based on the proximity measure, wherein proximately positioned network sentences indicate an equivalence of the semantics for the two or more network sentences associated with the particular user and indicates an equivalence of the sequence of servers accessed by the particular user and a potential security threat across the first communication network and the second communication network with respect to network security based on divergent access patterns across the networks.  However, determining sentence similarity based on proximity and distance is known in the art and Wang’s teaching is an example (paragraph [0020]).  Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Braunstein’s teaching of utilizing semantic similarity in detection of anomalies with Wang’s teaching of determining sentence similarity based on proximity and distance because the result would be predictable and resulted in identifying whether the two or more network sentences are proximately positioned from each other in the embedding space or distantly positioned from each other in the embedding space based on the proximity measure, wherein proximately positioned network sentences indicate an equivalence of the semantics for the two or more network sentences associated with the particular user and indicates an equivalence of the sequence of servers accessed by the particular user.
Braunstein and Wang do not explicitly disclose detecting the potential security threat across the first communication network and the second communication network with respect to network security.  However, internetwork security threat is known in the art and Modi’s teaching is an example (paragraph [0172]: a harmful action of a user would impact other organizations). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Braunstein and Wang’s teachings of utilizing semantic similarity in detection of anomalies and determining sentence similarity based on proximity and distance with Modi’s teaching of internetwork security threat to detect a potential security threat across the first communication network and the second communication network.  The motivation to do so would be to prevent unauthorized access to computers and computer networks as taught by Modi (paragraphs [0002]-[0004] and [0050]).  

Regarding claim 14, Braunstein, Wang and Modi disclose the method of claim 13, further comprising: upon determining that the first network sentence and the second network sentence are proximately positioned from each other in the embedding space, detecting nominal network activity within the communication network with respect to network security based on equivalent access patterns across the networks, and wherein equivalence of the semantics for the first network sentence and the second network sentence further indicates an equivalence of semantics for the corresponding sequences of network entities that are accessed within the first communication network and the second communication network (From claim 13 above, the combination of Braunstein’ teaching of constructing network sentences for machines, Wang’s teaching of determining sentence similarity based on proximity and distance and Modi’s teaching that users having similar roles expect to have similar behaviors (paragraph [0170]), it is obvious that analyzing network sentences of users with similar role, one would expect their access behaviors are similar, so their network sentences are proximately positioned from each other in the embedding space and they should have semantic equivalence- nominal network activity).
Regarding claim 15, Braunstein, Wang and Modi disclose the method of claim 14, wherein determining that the first network sentence and the second network second network sentence are distantly positioned from each other in the embedding space indicates a divergence of the semantics for the first network sentence and the second network sentence and further indicates a divergence of semantics for the corresponding sequences of network entities that are accessed within the first communication network and the second communication network (Wang, paragraph [0029]: sentence similarity with word vector space; smaller distance or proximity increases similarity of sentences and accordingly, increases semantic equivalent of sentences and vice versa.)
Claims 16-20 claim similar subject matters to claims 1-5 respectively; therefore, claims 16-20 are rejected at least for the same reasons as claims 1-5 respectively.  

Conclusion	
8.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to THANH T. LE whose telephone number is (571)270-0279.  The examiner can normally be reached on Monday-Thursday 8:00 am - 4:00 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).  If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.