DETAILED ACTION
Claims 1-15 are presented for examination.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Drawings
The drawings were received on 06/29/2020.  These drawings are acceptable.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 12/30/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-15 are rejected under 35 U.S.C. 103 as being unpatentable over Milajerdi et al. (hereinafter Milajerdi), NPL “HOLMES: Real-time APT Detection through Correlation of Suspicious Information Flows” (IDS 12/30/2020), in view of Muddu et al. (hereinafter Muddu), U.S. Publication No. 2017/0063886.

As per claim 1, Milajerdi discloses a system [Abstract, page 4, a system], comprising: 
a log receiving module [fig. 6, page 1140, Section IV (A. Data Collection and Representation), page 1143, a log receiving module (Stream Processor)] configured to receive a first plurality of network-level authentication logs having unique identifiers associated with users and services in a network and source Internet-Protocol addresses of a plurality of requesting entities, and a second plurality of network-level authentication logs having unique identifiers associated with a plurality of authentication events subject to an anomaly detection [fig. 2, 6, table 4, page 1137, Section I “Introduction”, page 1139, Section III, page 1140, Section IV (A. Data Collection and Representation), page 1141, (B. TTP Specification), page 1145, Section VI (A. Datasets), page 1146, (D. Attack Scenarios), a log receiving module configured to receive a first plurality of network-level authentication logs having unique identifiers associated with users and services in a network and source Internet-Protocol addresses of a plurality of requesting entities (benign audit data; collect log events and alerts; hundreds of APT reports; low-level audit events), and a second plurality of network-level authentication logs having unique identifiers associated with a plurality of authentication events subject to an anomaly detection (collect log events and alerts; hundreds of APT reports; low-level audit events and high-level APT; IP Addresses; trusted/untrusted IP addresses)]; 
an authentication graph module [fig. 2, 6, page 1143, an authentication graph module (provenance graph)] configured to generate, according to the first plurality of network-level authentication logs, an authentication graph, wherein the authentication graph is a graph with a node type mapping and an edge type mapping [fig. 2, 6, page 1138, Section II, page 1140, Section III, Section IV (A. Data Collection and Representation), page 1147, Section VI (F. Performance), generate, according to the first plurality of network-level authentication logs, an authentication graph, wherein the authentication graph is a graph with a node type mapping and an edge type mapping (construct a provenance graph; nodes and edges in the provenance graph)]; 
a sampling module configured to sample the authentication graph to generate a plurality of node sequences each including a sequence of nodes [fig. 6, page 1138, page 1139, page 1143, (F. Signal Correlation and Detection), page 1147, (E. Finding the Optimal Threshold Value), a sampling module configured to sample the authentication graph to generate a plurality of node sequences each including a sequence of nodes (information flows between entities; relationships and information flows; a small subset of activities in the audit log)]; and 
an embedding module configured to tune a plurality of node embeddings according to the plurality of node sequences, wherein each node embedding is a vector representation for a node [fig. 3, 5, 6, page 1140, page 1143, table 11, table 8, page 1144, an embedding module configured to tune a plurality of node embeddings according to the plurality of node sequences, wherein each node embedding is a vector representation for a node (entry in the converted threat tuple; attack vectors)]; 
an anomaly detection module [fig. 6, an anomaly detection module (detection engine)] configured to perform anomaly detection according to the link prediction [fig. 6, page 1138, page 1139, page 1143, page 1145, page 1147, page 1148, Section VII, an anomaly detection module configured to perform anomaly detection according to the link prediction (detection engine; audit logs for attack detection)].
Milajerdi discloses events subject to the anomaly detection [page 1138, 1148, events subject to the anomaly detection (detecting low-level events associated with APT steps and linking them using information flow)]. Milajerdi does not explicitly disclose a training module configured to train a link predictor according to the plurality of node embeddings and ground-truth edge information from the authentication graph; a link prediction module configured to apply the link predictor to perform a link prediction on each of the plurality of authentication events subject to the anomaly detection.
However, Muddu teaches a training module configured to train a link predictor according to the plurality of node embeddings and ground-truth edge information from the authentication graph [fig. 10, 16, paragraphs 0233, 0234, 0294, 0352, 0521, a training module configured to train a link predictor according to the plurality of node embeddings and ground-truth edge information from the authentication graph (training phase; model … better trained about the probability of association between the user and the machine identifiers…creates a probabilistic graph … can include peripheral nodes, a center node, and edges)]; a link prediction module configured to apply the link predictor to perform a link prediction on each of the plurality of authentication events subject to the anomaly detection [paragraphs 0149, 0151, 0519, 0521, 0524, 0528, 0640, a link prediction module configured to apply the link predictor to perform a link prediction on each of the plurality of authentication events subject to the anomaly detection (anomalies and threats detected; prediction model, which may be customized for detecting abnormal entity behaviors)].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to improve upon the system described in Milajerdi by performing a link prediction on each of the plurality of authentication events subject to the anomaly detection as taught by Muddu because it would provide Milajerdi's system with the enhanced capability of detecting malware efficiently [Muddu, paragraphs 0363, 0524, 0545, 0644].

As per claim 2, Milajerdi discloses the system of claim 1. Milajerdi does not explicitly disclose wherein the log receiving module is configured to: receive the first plurality of network-level authentication logs in an offline stage; and receive the second plurality of network-level authentication logs in an online stage.
However, Muddu teaches wherein the log receiving module is configured to: receive the first plurality of network-level authentication logs in an offline stage; and receive the second plurality of network-level authentication logs in an online stage [paragraphs 0233, 0260, 0269, wherein the log receiving module is configured to: receive the first plurality of network-level authentication logs in an offline stage; and receive the second plurality of network-level authentication logs in an online stage (track the user sessions based on login/logout events; login/logout events or events that indicate possible connection between two sessions)].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to improve upon the system described in Milajerdi by performing a link prediction on each of the plurality of authentication events subject to the anomaly detection as taught by Muddu because it would provide Milajerdi's system with the enhanced capability of detecting malware efficiently [Muddu, paragraphs 0363, 0524, 0545, 0644].

As per claim 3, Milajerdi discloses the system of claim 1, 
wherein the authentication graph includes nodes that represent authenticating entities, and edges that represent authentication events [fig. 2, 3, 6, page 1138, page 1140, Section IV, page 1142, page 1145, page 1146, wherein the authentication graph includes nodes that represent authenticating entities, and edges that represent authentication events (trusted entities; benign activities in the audit log; nodes and edges in the provenance graph)].

As per claim 4, Milajerdi discloses the system of claim 3, 
wherein the authenticating entities include machines, users, and/or software [fig. 2, 3, 6, page 1138, page 1140, Section IV, page 1142, page 1145, page 1146, wherein the authenticating entities include machines, users, and/or software (wherein the authenticating entities include machines, users, and/or software; Entity types are shown by the characters: P=Process, F=File, S=Socket, M=Memory, U=User)].

As per claim 5, Milajerdi discloses the system of claim 1, 
wherein the vector representation for each node captures degree of behavior of each node within the network as a whole [table 10, table 11, page 1140, 1143, wherein the vector representation for each node captures degree of behavior of each node within the network as a whole (assign weights to nodes and paths in the graph based on their severity; analysis of whole-system provenance)].

As per claim 6, Milajerdi discloses the system of claim 1, 
wherein the plurality of node embeddings are in a high-dimensional embedding space having the number of dimensions equal to or greater than 128 [fig. 9, 15, page 1142, 1143, 1147, wherein the plurality of node embeddings are in a high-dimensional embedding space having the number of dimensions equal to or greater than 128 (graph size ratio measured in edges is 1875:1, i.e., an 1875-fold reduction is achieved in the process of mapping from the provenance graph)].

As per claim 7, Milajerdi discloses the system of claim 1, 
wherein the training module is configured to train the link predictor according to a dataset of true edge embeddings and a dataset of false edge embeddings from the ground-truth edge information [fig. 6, page 1139, 1140, 1142, 1148, 1149, wherein the training module is configured to train the link predictor according to a dataset of true edge embeddings and a dataset of false edge embeddings from the ground-truth edge information (successfully detects APT campaigns with high precision and low false alarm rates)].

As per claim 8, Milajerdi discloses the system of claim 1, 
wherein the link prediction module is configured to apply the link predictor to each of the plurality of authentication events subject to an anomaly detection to obtain a probability value of each of the plurality of the authentication event [page 1141, page 1143, page 1145-page 1148, wherein the link prediction module is configured to apply the link predictor to each of the plurality of authentication events subject to an anomaly detection to obtain a probability value of each of the plurality of the authentication event (mapping between low-level audit events and high-level APT steps; detection threshold)].

As per claim 9, Milajerdi discloses the system of claim 8. Milajerdi does not explicitly disclose wherein the plurality of authentication events subject to an anomaly detection are extracted and parsed into a set of edges between authenticating entities.
However, Muddu teaches wherein the plurality of authentication events subject to an anomaly detection are extracted and parsed into a set of edges between authenticating entities [paragraphs 0166, 0167, 0209, 0218, wherein the plurality of authentication events subject to an anomaly detection are extracted and parsed into a set of edges between authenticating entities (connector can parse the file with a parser that corresponds to the file's data format, and extract only the time from the event)].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to improve upon the system described in Milajerdi by having the authentication events subject to an anomaly detection extracted and parsed into a set of edges as taught by Muddu because it would provide Milajerdi's system with the enhanced capability of detecting malware efficiently [Muddu, paragraphs 0363, 0524, 0545, 0644].

As per claim 10, Milajerdi discloses the system of claim 9, further comprising 
a lookup module configured to perform an embedding lookup for the node embeddings for the authenticating entities [page 1142, 1147, a lookup module configured to perform an embedding lookup for the node embeddings for the authenticating entities (respond to attacks embedded within a predominantly benign stream of events, we evaluated it as a live detection system)].

As per claim 11, Milajerdi discloses the system of claim 8, wherein the anomaly detection module is configured to: 
in response to the probability value being less than a threshold, determine that an anomaly is detected; and in response to the probability value being equal to or greater than the threshold, determine that the anomaly is not detected [page 1141, page 1143, page 1145-page 1148, in response to the probability value being less than a threshold, determine that an anomaly is detected; and in response to the probability value being equal to or greater than the threshold, determine that the anomaly is not detected (mapping between low-level audit events and high-level APT steps; detection threshold)].

As per claim 12, Milajerdi discloses the system of claim 11, 
wherein the threshold is approximately 10% [fig. 18, table 7, page 1141, page 1143, page 1145, page 1147, page 1148, wherein the threshold is approximately 10% (less than a specified threshold)].

As per claim 13, Milajerdi discloses the system of claim 11, 
wherein the anomaly detection module is further configured to generate an anomaly graph containing information about anomalous authentication events [fig. 6, page 1138, page 1140, page 1141, page 1147, wherein the anomaly detection module is further configured to generate an anomaly graph containing information about anomalous authentication events (nodes and edges in the provenance graph; a clear distinction between attack and benign subgraphs in the tested datasets)].

As per claim 14, Milajerdi discloses the system of claim 13, further comprising 
a security investigation module configured to forward the authentication event having a probability value below the threshold to security experts for investigation [fig. 18, table 7, page 1141, page 1143, page 1145, page 1147, page 1148, a security investigation module configured to forward the authentication event having a probability value below the threshold to security experts for investigation (less than a specified threshold)].

As per claim 15, Milajerdi discloses the system of claim 1, 
wherein the sampling module is configured to sample the authentication graph via unbiased, fixed-length random walks [table 7, page 1142, page 1143, page 1147, wherein the sampling module is configured to sample the authentication graph via unbiased, fixed-length random walks (threat tuple; graph size ratio)].
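The following is an added illustration of the pipeline recited in claims 1-15 (log receiving, authentication graph with node and edge type mappings, fixed-length unbiased random walks, node embeddings, a link predictor trained on true and false edges, a probability threshold of about 10%, and an anomaly graph forwarded for investigation). It is not part of this Office action and is not code from the applicant, Milajerdi or Muddu. The "k=v" log format, the entity names (alice, bob, carol, ws-alice, ws-bob, fileserver, dc01) and the addresses are constructed; the co-occurrence vectors and the binned probability table are simplified stand-ins for the skip-gram embedding and classifier such systems typically use, chosen so the whole example runs offline in plain Python.

```python
"""Authentication-graph anomaly detection: logs -> graph -> walks -> embeddings -> link predictor -> threshold."""
import math
import random
from collections import defaultdict
from itertools import combinations

# Constructed sample logs (hypothetical entities, not from any real system).
# Offline stage (claim 2): benign authentication history used to build the graph.
TRAINING_LOGS = [
    "user=alice src=10.0.1.11 host=ws-alice svc=rdp",
    "user=alice src=10.0.1.11 host=fileserver svc=smb",
    "user=bob src=10.0.1.12 host=ws-bob svc=rdp",
    "user=bob src=10.0.1.12 host=fileserver svc=smb",
    "user=carol src=10.0.9.5 host=dc01 svc=ldap",
]
# Online stage: new events subject to anomaly detection.
NEW_EVENTS = [
    "user=alice src=10.0.1.11 host=fileserver svc=smb",  # matches history
    "user=alice src=10.0.1.11 host=dc01 svc=ldap",       # never seen before
]

def parse(line):
    """Log receiving module: one 'k=v k=v' line -> dict of fields."""
    return dict(kv.split("=", 1) for kv in line.split())

def build_graph(lines):
    """Authentication graph module: undirected graph plus node-type and edge-type mappings."""
    adj, node_type, edge_type = defaultdict(set), {}, {}
    for rec in map(parse, lines):
        u, v = rec["user"], rec["host"]
        node_type[u], node_type[v] = "user", "host"
        adj[u].add(v)
        adj[v].add(u)
        edge_type[frozenset((u, v))] = rec["svc"]  # edge type = service used
    return adj, node_type, edge_type

def random_walks(adj, walks_per_node=30, length=8, seed=7):
    """Sampling module: unbiased, fixed-length random walks started from every node (claim 15)."""
    rng = random.Random(seed)
    walks = []
    for start in sorted(adj):
        for _ in range(walks_per_node):
            walk = [start]
            while len(walk) < length:
                walk.append(rng.choice(sorted(adj[walk[-1]])))
            walks.append(walk)
    return walks

def embed(walks, nodes, window=2):
    """Embedding module: L2-normalised co-occurrence vectors, one dimension per node.
    Simplified stand-in for skip-gram: same input (node sequences), same output (a vector per node)."""
    index = {n: i for i, n in enumerate(sorted(nodes))}
    vec = {n: [0.0] * len(index) for n in index}
    for w in walks:
        for i, u in enumerate(w):
            for v in w[i + 1:i + 1 + window]:
                vec[u][index[v]] += 1.0
                vec[v][index[u]] += 1.0
    for n, x in vec.items():
        norm = math.sqrt(sum(c * c for c in x)) or 1.0
        vec[n] = [c / norm for c in x]
    return vec

def cosine(a, b):
    return sum(x * y for x, y in zip(a, b))  # inputs are unit vectors

BINS = 5  # cosine similarity bucketed into [0,.2), [.2,.4), ..., [.8,1]

def train_link_predictor(adj, emb):
    """Training module: Laplace-smoothed P(edge | cosine bin) from true edges and all non-edges (claim 7)."""
    true_cnt, false_cnt = [0] * BINS, [0] * BINS
    for u, v in combinations(sorted(adj), 2):
        b = min(int(cosine(emb[u], emb[v]) * BINS), BINS - 1)
        (true_cnt if v in adj[u] else false_cnt)[b] += 1
    return [(true_cnt[b] + 1) / (true_cnt[b] + false_cnt[b] + 2) for b in range(BINS)]

def link_probability(model, emb, u, v):
    """Link prediction module: probability that u-v is a plausible authentication edge (claim 8)."""
    if u not in emb or v not in emb:
        return 0.0  # unknown entity has no embedding; treat as least plausible
    return model[min(int(cosine(emb[u], emb[v]) * BINS), BINS - 1)]

def detect(model, emb, lines, threshold=0.10):
    """Anomaly detection module: events scoring below the threshold form the anomaly graph (claims 11-13)."""
    anomaly_graph = []
    for rec in map(parse, lines):
        p = link_probability(model, emb, rec["user"], rec["host"])
        if p < threshold:
            anomaly_graph.append({**rec, "probability": round(p, 3)})
    return anomaly_graph

def run():
    adj, node_type, edge_type = build_graph(TRAINING_LOGS)
    emb = embed(random_walks(adj), adj.keys())
    model = train_link_predictor(adj, emb)
    return detect(model, emb, NEW_EVENTS), emb, model

if __name__ == "__main__":
    for event in run()[0]:  # security investigation module (claim 14): hand these to analysts
        print("forward for investigation:", event)
```

Because carol and dc01 never share a walk with the other department, their embeddings have zero similarity to alice's, the trained table assigns that bin a probability below 10%, and the alice-to-dc01 logon lands in the anomaly graph while the repeat alice-to-fileserver logon does not.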


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Li et al., U.S. Publication No. 2020/0250308, discloses a method for detecting and responding to APT events. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JACKIE ZUNIGA ABAD whose telephone number is (571)270-7194. The examiner can normally be reached Monday - Friday, 8:00am - 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, IAN MOORE can be reached on 571-272-3085. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/JACKIE ZUNIGA ABAD/           Primary Examiner, Art Unit 2469