Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This is a Final Office action in response to communications received January 28, 2022.  Claim 1 has been amended.  Therefore, claims 1-20 are pending and addressed below. 

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.



Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Dichiu et al. (US2020/0186544 A1, file date 12/10/2018).

Claim 1:
With respect to claim 1, Dichiu et al. discloses a non-transitory computer readable medium comprising computer executable instructions stored thereon that (a non-transitory computer-readable medium stores instructions which, when executed by at least one hardware processor of a computer system, 0008), when executed by one or more processing units, causes the one or more processing units (an anomaly detector configured to determine whether a target event occurring on a target client system is indicative of a computer security threat, 0006) (Figures 5, 6) (operation of anomaly detector 62, Figure 13) to:
create a corpus by receiving a transactions log of network activity (cause the computer system to assign events of a training corpus to a plurality of event categories, the training corpus comprising a collection of events having occurred on a plurality of client systems, 0008); 
create a crafted encoded corpus by selecting a subset of information from the transactions log (A subset of event indicators 20a-b may be collected to form an event corpus further used to derive client profiles, Another subset of event indicators may be used to detect security threat, 0042), wherein the crafted encoded corpus comprises at least a label in clear text and a plurality of content data corresponding to the label that are encrypted to protect personal identifiable information (event encoder 70, is configured to input an event record 26 comprising data characterizing an event that has occurred on a client system, 0060, Figure 6) (For each sequence of events drawn from event corpus 18, an encoder 70a is configured to input a one-hot encoding of central event E.sub.0 and to produce event vector 28c comprising a representation of central event E.sub.0 in the embedding context space., 0064) (Figures 8A-8B);
create a network embeddings model based on the crafted encoded corpus (anomaly detector may instantiate behavior model 86 with parameter values specific to the respective selected client profile, 0082, Figure 13), the network embeddings model including a vector of numbers for each of a plurality of network assets within a network security environment (security server 16 may determine whether the respective event matches a pattern of normality/baseline behavior encoded in the respective client profile, 0042) (to output an event vector 28a comprising a representation of the respective event as a vector in an abstract multi-dimensional space usually deemed embedding space, encoder 70 is configured to represent events as vectors in an embedding space of contexts, 0060) in the crafted encoded corpus based on a presence of each of the plurality of network assets that are proximate to each other in the crafted encoded corpus (Such behavior models are herein deemed client profiles. Parameters of such behavior models are generically represented as profile database 19 in FIG. 1 and may include an output of an event and/or client clustering algorithm, 0039) (encoder 70 is configured to represent events as vectors in an embedding space of contexts, wherein two events that occur predominantly in similar contexts are located relatively close together, 0060) (assign event vectors located within each region to a distinct event cluster, 0070) (comprise determining whether event E.sub.i fits a pattern of normal behavior for the respective client profile according to a position of the respective event within the embedding space. For instance, an event may be deemed normal when it is positioned within a cluster of training events (e.g., closer to a cluster centroid than a pre-determined threshold), 0084); and 
deploy the network embeddings model within the network security environment (further connected to a behavior model 86 configured to determine whether the respective event fits a pattern of normal/baseline behavior represented by the respective profile, 0075, Figure 13) (A typical IDS records information related to observed events, notifies a user or network administrator, and produces reports, 0004).

Claim 2:
With respect to claim 2, Dichiu et al. discloses wherein the network activity includes: network requests to the plurality of network assets; and functions performed by the plurality of the network assets in response to the network requests (to receive an event indicator 20a from client system 10, indicator 20a indicative of the occurrence of a particular type of event during execution of software on client 10.  Examples of such events include: launches an application, a parent process creates a child process, etc.), an attempt to access an input device of the respective client system (e.g., camera, microphone), an attempt to access a local or remote network resource (e.g., a hypertext transfer protocol--HTTP request to access a particular URL, an attempt to access a document repository over a local network), a request formulated in a particular uniform resource identifier scheme (e.g., a mailto: or a ftp: request), an execution of a particular processor instruction (e.g., system call), 0036).

Claim 3:
With respect to claim 3, Dichiu et al. discloses wherein the subset of information identifies the plurality of network assets and usernames which sent the network requests to the plurality of network assets (a user indicator may indicate the owner of the parent process, Event indicator 20a may encode other parameters such as a process name, a file system location/path of a process being launched, a network address (e.g., Internet protocol--IP address), a universal resource locator (URL) of an HTTP request, etc. 0037).

Claim 4:
With respect to claim 4, Dichiu et al. discloses wherein the deployment of the network embeddings model within the network security environment is utilized to identify the anomaly events within the network security environment (anomaly detector 62 connected to a behavior model 86 configured to determine whether the respective event fits a pattern of normal/baseline behavior represented by the respective profile, 0075, Figure 13).



Claim 5:
With respect to claim 5, Dichiu et al. discloses wherein the corpus is automatically created based on input parameters submitted by an administrator (Software executing on a computer system may be used to automatically detect and/or prevent unauthorized intrusion and other malicious activities, 0004) (Software executing on a computer system may be used to automatically detect and/or prevent unauthorized intrusion and other malicious activities, 0039) (Event encoder 70 automated data processing, 0061) (The disclosed systems and methods implement a behavioral approach to computer security, wherein a normal/baseline user behavior is automatically inferred by the system according to a training corpus of events, and wherein a departure from a baseline behavior pattern may indicate a threat, 0086).

Claim 6:
With respect to claim 6, Dichiu et al. discloses wherein the network embeddings model reflects the relationships between each of the plurality of network assets within the network security environment (The anomaly detector is configured to determine whether the target event is indicative of the computer security threat according to a behavior model trained on a client-cluster-specific sub-corpus of events, the client-cluster-specific sub-corpus selected from the training corpus to include only events that have occurred on a plurality of members of a target cluster of the plurality of client clusters, 0006) (For instance profiles attached to each individual user, may require unreasonable computational resources and may therefore be impractical, 0089).

Claims 7, 20:
With respect to claims 7, 20, Dichiu et al. discloses further comprising instructions stored thereon that, when executed by the one or more processing units, cause the one or more processing units to display a semantic visualization map which indicates the relationships between each of the plurality of network assets within the network security environment (event embedding space and a set of exemplary event clusters, Figure 10) (each client system is represented in a multi-dimensional profile space according to the respective event profile , 0073) (client profile space and a set of client clusters, Figure 11).

Claim 8:
With respect to claim 8, Dichiu et al. discloses wherein the network embeddings profile is generated from a corpus of sequences with DHCP responses and DNS resolutions (Dynamic Host Configuration Protocol—DHCP, 0034) (DHCPDISCOVER, 0052).

Claim 9:
With respect to claim 9, Dichiu et al. discloses wherein the crafted encoded corpus includes tags and headings which are used to create the network embeddings model (Parameters of such behavior models are generically represented as profile database 19 in FIG. 1 and may include an output of an event and/or client clustering algorithm, parameters of the respective profile may include coordinates of a cluster centroid and a set of numbers indicating a range of the respective cluster along various axes, 0039).

Claim 10:
With respect to claim 10, Dichiu et al. discloses further comprising instructions stored thereon that, when executed by the one or more processing units, causes the one or more processing units to train a network security system to detect activity anomalies within a network (security server 16, an anomaly detector 62, Figure 5) (anomaly detector 62, Figure 13).

Claim 11:
With respect to claim 11, Dichiu et al. discloses further comprising instructions, when executed, causes the one or more processing units to encode the transactions log (a process creation, a user indicator may indicate the owner of the parent process.  Event indicator 20a may encode other parameters, 0037) (security server 16 may determine whether the respective event matches a pattern of normality/baseline behavior encoded in the respective client profile, 0042).

Claim 12:
With respect to claim 12, Dichiu et al. discloses a semantic visualization map (event embedding space and a set of exemplary event clusters, Figure 10) (each client system is represented in a multi-dimensional profile space according to the respective event profile, 0073) (client profile space and a set of client clusters, Figure 11), comprising:
a plurality of network assets which are in various proximities from each other, the proximities between the plurality of network assets being based on network activity of network assets and indicating relationships between the plurality of network assets (Such behavior models are herein deemed client profiles. Parameters of such behavior models are generically represented as profile database 19 in FIG. 1 and may include an output of an event and/or client clustering algorithm, 0039) (encoder 70 is configured to represent events as vectors in an embedding space of contexts, wherein two events that occur predominantly in similar contexts are located relatively close together, 0060) (assign event vectors located within each region to a distinct event cluster, 0070) (comprise determining whether event E.sub.i fits a pattern of normal behavior for the respective client profile according to a position of the respective event within the embedding space. For instance, an event may be deemed normal when it is positioned within a cluster of training events (e.g., closer to a cluster centroid than a pre-determined threshold), 0084); and
at least one cluster of the plurality of network assets (users and machines are grouped into profiles is in itself based on behavioral criteria, to ensure that such grouping preserves specificity, 0089), the at least one cluster indicating a closer relationship amongst the network assets of the plurality of network assets which are within the at least one cluster than the network assets of the plurality of network assets which are not within the at least one cluster (a cluster comprises a plurality of events that are relatively close together in embedding space, or stated otherwise, a plurality of events characterized by a relatively small inter-event distance in embedding space, 0069) (each client profile comprises a selected subset (cluster) of the protected client systems 10a-h, 0071) (Figure 11) (comprise determining whether event E.sub.i fits a pattern of normal behavior for the respective client profile according to a position of the respective event within the embedding space. For instance, an event may be deemed normal when it is positioned within a cluster of training events (e.g., closer to a cluster centroid than a pre-determined threshold), 0084) (may require unreasonable computational resources, group multiple users and/or machines into a single client profile, thus ensuring a useful trade-off between specificity, robustness, and computational costs, 0089) (Figures 10, 11).

Claim 13:
With respect to claim 13, Dichiu et al. discloses wherein the at least one cluster of the plurality of network assets may be modified by a network administrator (A typical IDS records information related to observed events, notifies a user or network administrator, and produces reports, 0004) (sending security alerts 22a-b to the respective client system and/or to an administrator of the respective client system, protective action to block communications, 0042) (a user or administrator of security server 16 may tune the sensitivity of the method by adjusting the value of the threshold, 0083).


Claim 14:
With respect to claim 14, Dichiu et al. discloses wherein the plurality of network assets includes servers (Server 16, server storage devices 142 and a set of server network adapters 144, Server processors 132, 0046, Figure 3B).

Claim 15:
With respect to claim 15, Dichiu et al. discloses wherein the at least one cluster of the plurality of network assets represents servers assigned to a first group (group multiple users and/or machines into a single client profile, 0089) (Server 16, server storage devices 142 and a set of server network adapters 144, Server processors 132, 0046, Figure 3B).

Claim 16:
With respect to claim 16, Dichiu et al. discloses wherein the at least one cluster includes one or more clusters (users and machines are grouped into profiles is in itself based on behavioral criteria, to ensure that such grouping preserves specificity, 0089) (Clusters Figures 10, 11).

Claim 17:
With respect to claim 17, Dichiu et al. discloses a method for providing remote network security (an anomaly detector configured to determine whether a target event occurring on a target client system is indicative of a computer security threat, 0006) (Figures 5, 6) (operation of anomaly detector 62, Figure 13), comprising: 
retrieving a corpus of network activity data associated with a first network (Event corpus, Figures 5, 6), the network activity data being generated at least from users within the first network submitting network requests for network assets to service the network requests (to receive an event indicator 20a from client system 10, indicator 20a indicative of the occurrence of a particular type of event during execution of software on client 10.  Examples of such events include: launches an application, a parent process creates a child process, etc.), an attempt to access an input device of the respective client system (e.g., camera, microphone), an attempt to access a local or remote network resource (e.g., a hypertext transfer protocol--HTTP request to access a particular URL, an attempt to access a document repository over a local network), a request formulated in a particular uniform resource identifier scheme (e.g., a mailto: or a ftp: request), an execution of a particular processor instruction (e.g., system call), 0036);
creating a crafted encoded corpus by selecting a subset of the corpus of network activity data (A subset of event indicators 20a-b may be collected to form an event corpus further used to derive client profiles, Another subset of event indicators may be used to detect security threat, 0042);
creating a network embeddings model based on the crafted encoded corpus (anomaly detector may instantiate behavior model 86 with parameter values specific to the respective selected client profile, 0082, Figure 13), the network embeddings model including a vector of numbers for each of a plurality of network assets within a network security environment (security server 16 may determine whether the respective event matches a pattern of normality/baseline behavior encoded in the respective client profile, 0042) (to output an event vector 28a comprising a representation of the respective event as a vector in an abstract multi-dimensional space usually deemed embedding space, encoder 70 is configured to represent events as vectors in an embedding space of contexts, 0060) in the crafted encoded corpus based on a presence of each of the plurality of network assets that are proximate to each other in the crafted encoded corpus (Such behavior models are herein deemed client profiles. Parameters of such behavior models are generically represented as profile database 19 in FIG. 1 and may include an output of an event and/or client clustering algorithm, 0039) (encoder 70 is configured to represent events as vectors in an embedding space of contexts, wherein two events that occur predominantly in similar contexts are located relatively close together, 0060) (assign event vectors located within each region to a distinct event cluster, 0070) (comprise determining whether event E.sub.i fits a pattern of normal behavior for the respective client profile according to a position of the respective event within the embedding space. For instance, an event may be deemed normal when it is positioned within a cluster of training events (e.g., closer to a cluster centroid than a pre-determined threshold), 0084); 
deploying the network embeddings model within a network security system (further connected to a behavior model 86 configured to determine whether the respective event fits a pattern of normal/baseline behavior represented by the respective profile, 0075, Figure 13) (A typical IDS records information related to observed events, notifies a user or network administrator, and produces reports, 0004); and 
generating an alert in an event that the network security system identifies an anomaly associated with the crafted encoded corpus of network activity data (the respective event may indicate suspicious activity, in which case some embodiments may take protective action, for instance sending security alerts 22a-b to the respective client system and/or to an administrator of the respective client system, 0042, security alert, Figure 5).
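The limitations mapped above for claims 1, 12 and 17 (a corpus built from a transactions log, a crafted encoded corpus with clear-text labels and protected identities, a vector of numbers per network asset derived from which assets are proximate in the corpus, clusters that indicate closer relationships among assets, and an alert raised on deployment) can be illustrated in working code. The Python below is an added example; it is not code from the application under examination or from Dichiu et al. The transactions log is constructed, usernames are pseudonymized with an HMAC (a stand-in for the encryption of content data that claim 1 recites), windowed co-occurrence counts stand in for a trained embedding, and the greedy centroid clustering and the 0.5 cosine-similarity threshold are assumptions chosen for the example.

```python
"""Added illustration (not from the application or from Dichiu et al.):
a network-asset embeddings model built from a constructed transactions log,
clustered by proximity in the embedding space, then used to raise alerts."""
import hashlib
import hmac
import math
from collections import defaultdict

# Constructed transactions log: (timestamp, username, asset, action).
# The usernames and asset names are invented for this example.
TRANSACTIONS = [
    (1, "alice", "dns-1", "query"), (2, "alice", "dhcp-1", "lease"), (3, "alice", "file-srv", "smb"),
    (4, "bob", "dns-1", "query"), (5, "bob", "dhcp-1", "lease"), (6, "bob", "file-srv", "smb"),
    (7, "carol", "dns-1", "query"), (8, "carol", "dhcp-1", "lease"), (9, "carol", "print-srv", "ipp"),
    (10, "dave", "db-primary", "sql"), (11, "dave", "db-replica", "sql"), (12, "dave", "backup", "rsync"),
    (13, "erin", "db-primary", "sql"), (14, "erin", "db-replica", "sql"), (15, "erin", "backup", "rsync"),
    (16, "frank", "db-primary", "sql"), (17, "frank", "backup", "rsync"), (18, "frank", "db-replica", "sql"),
]


def craft_encoded_corpus(transactions, secret):
    """Keep the asset label in clear text and replace the username (PII) with
    an HMAC pseudonym; the keyed hash stands in for the encryption of content
    data described in the claim. Returns {pseudonym: [assets in time order]}."""
    sessions = defaultdict(list)
    for _ts, user, asset, _action in sorted(transactions):
        pseudonym = hmac.new(secret, user.encode(), hashlib.sha256).hexdigest()[:12]
        sessions[pseudonym].append(asset)
    return dict(sessions)


def build_embeddings(corpus, window=2):
    """One vector of numbers per asset: how often every asset (itself included)
    appears within `window` positions of it in a session. Co-occurrence counts
    stand in for a trained embedding; assets that are proximate in the corpus
    end up with similar vectors."""
    assets = sorted({a for seq in corpus.values() for a in seq})
    index = {a: i for i, a in enumerate(assets)}
    vectors = {a: [0.0] * len(assets) for a in assets}
    for seq in corpus.values():
        for i, asset in enumerate(seq):
            for j in range(max(0, i - window), min(len(seq), i + window + 1)):
                vectors[asset][index[seq[j]]] += 1.0
    return vectors


def cosine(u, v):
    """Cosine similarity; 0.0 when either vector is all zeros."""
    dot = sum(x * y for x, y in zip(u, v))
    norm = math.sqrt(sum(x * x for x in u)) * math.sqrt(sum(y * y for y in v))
    return dot / norm if norm else 0.0


def cluster_assets(vectors, threshold=0.5):
    """Greedy centroid clustering: each asset joins the cluster whose centroid
    it is most similar to if that similarity clears the threshold, otherwise it
    starts a new cluster. Returns a list of {"members": [...], "centroid": [...]}."""
    clusters = []
    for asset in sorted(vectors):
        vec = vectors[asset]
        best, best_sim = None, threshold
        for idx, cluster in enumerate(clusters):
            sim = cosine(vec, cluster["centroid"])
            if sim >= best_sim:
                best, best_sim = idx, sim
        if best is None:
            clusters.append({"members": [asset], "centroid": list(vec)})
            continue
        cluster = clusters[best]
        cluster["members"].append(asset)
        n = len(cluster["members"])  # running mean keeps the centroid exact
        cluster["centroid"] = [(c * (n - 1) + x) / n for c, x in zip(cluster["centroid"], vec)]
    return clusters


def detect_anomalies(vectors, clusters, session, threshold=0.5):
    """Deployment step: each request is compared with the centroid of the
    cluster its predecessor in the session belongs to. An unknown asset, or one
    whose vector falls outside that cluster, yields an alert (prev, cur, similarity)."""
    owner = {a: i for i, c in enumerate(clusters) for a in c["members"]}
    alerts = []
    for prev, cur in zip(session, session[1:]):
        if prev not in owner or cur not in vectors:
            alerts.append((prev, cur, 0.0))
            continue
        sim = cosine(vectors[cur], clusters[owner[prev]]["centroid"])
        if sim < threshold:
            alerts.append((prev, cur, round(sim, 3)))
    return alerts


if __name__ == "__main__":
    corpus = craft_encoded_corpus(TRANSACTIONS, b"constructed-secret")
    vectors = build_embeddings(corpus)
    clusters = cluster_assets(vectors)
    for c in clusters:
        print("cluster:", c["members"])
    print("alerts:", detect_anomalies(vectors, clusters, ["dns-1", "dhcp-1", "db-primary"]))
```

On the constructed log the workstation-facing assets (dns-1, dhcp-1, file-srv, print-srv) and the database tier (db-primary, db-replica, backup) fall into two clusters, and a session that moves from the workstation cluster to db-primary produces a single alert; the similarity threshold is the tunable that trades sensitivity for false positives.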

Claim 18:
With respect to claim 18, Dichiu et al. discloses wherein the retrieved corpus of network activity data is anonymized such that identities of the users submitting the network requests and the network assets employed to service the network requests are concealed (detecting malicious software and/or an intrusion into a computer system and/or communication network, 0001) (using a backdoor installed on a corporate computer by malicious software, prevent unauthorized intrusion and other malicious activities, 0003-0004) (Detected events may or may not be indicative of malice per se; some events may be malice-indicative when occurring together with other events and/or when occurring in a particular sequence, 0036).

Claim 19:
With respect to claim 19, Dichiu et al. discloses further comprising sending the generated alert to the first network (the respective event may indicate suspicious activity, in which case some embodiments may take protective action, for instance sending security alerts 22a-b to the respective client system and/or to an administrator of the respective client system, 0042, security alert, Figure 5).



Response to Remarks/Arguments
Applicant's arguments filed on January 28, 2022 have been fully considered but they are not persuasive.  In the remarks, Applicant argues that:

Claim 1:
(1) Dichiu fails to teach or suggest at least creating a network embeddings model “including a vector of numbers for each of a plurality of network assets within a network security environment in the crafted encoded corpus based on a presence of each of the plurality of network assets that are proximate to each other in the crafted encoded corpus” (emphasis added). In fact, there is no discussion in Dichiu of any proximity relationship between network assets.  None of the cited portions of Dichiu (See Dichiu, [0083] and Figure 16), nor any other portion of Dichiu, describes creating a model including a vector of numbers “based on a presence of each of the plurality of network assets that are proximity to each other in the crafted encoded corpus.”  See Dichiu, [0059]. Thus, the cited event vector has no bearing or relationship being included in the network embeddings model “based on a presence of each of the plurality of network assets that are proximate to each other in the crafted encoded corpus.” 
Claim 12:
(2) Dichiu fails to teach or suggest a map comprising network assets, where “proximities between the plurality of network assets [is] based on network activity of network assets and indicating relationships between the plurality of network assets” and a “cluster indicating a closer relationship amongst the network assets which are within ... than the network assets ... which are not within....” In fact, there is no discussion in Dichiu of any visualization map that depicts network assets proximities, where proximities between the network assets are based on network activity and depict relationships between network assets.  The cited portions of Dichiu relate to illustrations of an embedding space that depicts a cluster of “events which occur primarily within a similar event context,” where “the same cluster may include events occurring on various client systems and/or representing the activity of various users.” See Dichiu, [0069]. Thus, Dichiu’s visualizations depict relationships between events. This is not the same as the claimed visualization map that depicts clusters of network assets with proximities that indicate relationships amongst the network assets and where clusters indicate closer relationships amongst the network assets.  

In response to remark/arguments (1), Examiner respectfully disagrees.  Dichiu et al. discloses “Such behavior models are herein deemed client profiles. Parameters of such behavior models are generically represented as profile database 19 in FIG. 1 and may include an output of an event and/or client clustering algorithm” (0039), “encoder 70 is configured to represent events as vectors in an embedding space of contexts, wherein two events that occur predominantly in similar contexts are located relatively close together” (0060), “assign event vectors located within each region to a distinct event cluster” (0070), “comprise determining whether event E.sub.i fits a pattern of normal behavior for the respective client profile according to a position of the respective event within the embedding space. For instance, an event may be deemed normal when it is positioned within a cluster of training events (e.g., closer to a cluster centroid than a pre-determined threshold)” (0084). Therefore, Examiner maintains that Dichiu et al. does teach and suggest this limitation. 


In response to remark/arguments (2), Examiner respectfully disagrees.  Dichiu et al. discloses “Such behavior models are herein deemed client profiles. Parameters of such behavior models are generically represented as profile database 19 in FIG. 1 and may include an output of an event and/or client clustering algorithm” (0039), “encoder 70 is configured to represent events as vectors in an embedding space of contexts, wherein two events that occur predominantly in similar contexts are located relatively close together” (0060), “assign event vectors located within each region to a distinct event cluster” (0070), “comprise determining whether event E.sub.i fits a pattern of normal behavior for the respective client profile according to a position of the respective event within the embedding space. For instance, an event may be deemed normal when it is positioned within a cluster of training events (e.g., closer to a cluster centroid than a pre-determined threshold)” (0084). Therefore, Examiner maintains that Dichiu et al. does teach and suggest this limitation. 

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Helai Salehi whose telephone number is 571-270-7468.  The examiner can normally be reached on Monday - Friday from 9 am to 5 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jeff Pwu, can be reached on 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/HELAI SALEHI/
Examiner, Art Unit 2433

/JEFFREY C PWU/
Supervisory Patent Examiner, Art Unit 2433