DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . This office action is in response to the application filed on 10/29/2020. Claims 1-20 are pending.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. 
Terminal Disclaimer

The terminal disclaimer filed on 05/10/2022 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of U.S. Patent application No. 10824749 has been reviewed and is accepted.  The terminal disclaimer has been recorded.

Allowable Subject Matter
Claims 1-20 are allowed.
The following is an examiner’s statement of reasons for allowance:
The invention relates to a systems and techniques for an automatic graph-based detection of unlikely file possession are described herein. In an example, a system for detecting unauthorized file possession is adapted to generate a networked computing environment graph for files and the devices which store the files. The detection system may be further adapted to identify a file in question and a device in question that is in possession of the file in question. The detection system may be further adapted to generate a set of connection paths from the device in question to the file in question based upon the edges of the graph. The detection system may be further adapted to determine the device in question should not have possession of the file in question based on a set of metrics derived from the connection paths. The detection system may be further adapted to generate an alert based on the determination.
The closest relevant prior art made of record are:
Brown (US2017/0242958) teaches Genomic references are structured as a reference graph that represents diploid genotypes in organisms. A path through a series of connected nodes and edges represents a genetic sequence. Genetic variation within a diploid organism is represented by multiple paths through the reference graph. The graph may be transformed into a traversal graph in which a path represents a diploid genotype. Genetic analysis using the traversal graph allows an organism's diploid genotype to be elucidated, e.g., by mapping sequence reads to the reference graph and scoring paths in the traversal graph based on the mapping to determine the path through the traversal graph that best fits the sequence reads.
Gackiere (US10223389) teaches a computer-implemented method executable by a computer to analyze complex metadata of a data source is provided. The method includes: receiving, by a processor, complex metadata from the data source; processing, by a processor, the complex metadata to determine a dictionary of metadata; processing, by a processor, the dictionary of metadata to determine a graph of nodes and edges; processing, by a processor, the graph using a single feature analysis method; and displaying a representation of a visual graph based on results of the feature analysis method.
Ravizza et al. (US2019/0266341) teaches a method and a related system for controlling user access to a target node in a knowledge graph may be provided.  The method comprises defining a knowledge graph structure limitation for a user, defining a node type depending on the number of edges connecting to the node, determining a condition for an access to the target node, based on the knowledge graph structure limitation relative 
to the start node and the node type of the target node, upon the user attempting, coming from a start node, to access the target node in the knowledge graph, and granting access to the target node based on the determination.
Stetson et al. (US2015/0033106) teaches systems and methods for visualizing and manipulating graph databases in accordance embodiments of the invention are disclosed.  In one embodiment of the invention, a graph database manipulation device includes a processor and a memory configured to store a graph database manipulation application, wherein the graph database manipulation application configures the processor to obtain a graph database including a set of nodes and a set of edges, determine a source node within the set of nodes, locate a set of related nodes based on the source node and the set of edges, recursively locate a set of sub-related nodes based on the set of related nodes and the set of edges, generate a representation of the set of related nodes from the perspective of the source node, and recursively update the generated representation of the set of sub-related nodes from the perspective of the source node and the related nodes.
Chen et al. (US2019/0317728) teaches Techniques that facilitate graph similarity analytics are provided.  In one example, a system includes an information component and a similarity component.  The information component generates a first information index indicative of a 
first entropy measure for a first graph-structured dataset associated with a machine learning system.  The information component also generates a second information index indicative of a second entropy measure for a second graph-structured dataset associated with the machine learning system.  The similarity component determines similarity between the first graph-structured dataset and the second graph-structured dataset based on a graph similarity 
computation associated with the first information index and the second information index.
Fletcher et al. (US2015/0302300) teaches systems and methods can support efficient graph-based rule engines for complex, dynamic, unstructured data.  The system can provide an interface to a graph database for storing rules and facts.  The system can receive rules and facts.  
The system can convert the received rules to a format suitable for insertion into the graph database and store the converted rules into the graph database.  The system can receive a question and perform a query against the graph database to evaluate rules and facts in light of the received question.  The system can return facts retrieved from the graph database in response to the performed query.  Also, the system can generate one or more actions based upon 
facts retrieved or rules trigger in response to the performed query.
Girgensohn et al. (US2009/0313267) teaches an adaptive, interactive visual workspace for viewing groups of files based on their relationships.  Relationships of files are visualized using iterative refinement of categories through a direct-manipulation graph-based layout.  The visual workspace starts with a fully connected graph linking thumbnail images of related files that is then partitioned into neighborhoods in response to a user creating file stacks corresponding to different categories.  Normalized spring lengths improve the overall quality of the layout.  Different modes for membership in neighborhoods avoid confusing motion of files and help a user to manually organize the workspace.  Additionally, retrieved files can be added without having to significantly move the previous files.  Different visualization techniques indicate which files are related to each other.  An elliptical-shaped window displaying rings of elliptic thumbnail images presents a group of files in an easily visible and space-efficient way.  Different zoom rates are used for file location, and surrogate sizes allow users to increase the separation between files while still increasing the surrogate sizes.
Goldschmit et al. (US2015/0026103) teaches a method, apparatus and product for automatic detection of anomalies in graphs.  The method comprising obtaining training data, the training data comprising a plurality of graphs, each defined by nodes and edges connecting between the 
nodes, at least some of the nodes are labeled; determining a statistical model of a graph in accordance with the training data, the statistical model takes into account at least one structured and labeled feature of the graph, wherein the structured and labeled feature of the graph is defined based on a connection between a plurality of nodes and based on at least a portion of the labels of the plurality of nodes; obtaining an examined graph; and determining a score of the examined graph indicative of a similarity between the examined graph and the training data, wherein the score is based on a value of the structured and labeled feature in the examined graph.
KOLB et al. (US2018/0130019) teaches a computer-implemented method and system are provided for connecting nodes, such as projects, users, and organizations in a database.  A computer processes the connections to recommend further connections to objects, group objects that are related, and provide search results.
Narayanan et al. (US8,185,558) teaches a method includes maintaining a data store of nodes and edges and for each of one or more users: scanning items of content associated with the corresponding user node; identifying a candidate item of content; searching for matches between the candidate item of content and existing nodes; determining whether or not a match between the candidate item of content and an existing node exists; and when it is determined that at least one match exists, generating an edge from the user node to the existing node for which the best match is determined; and when it is determined that no match exists, generating a new node based on the candidate item of content, and generating an edge from the user node to the new node.
Stokes et al. (US2012/0323829) teaches a reliable automated malware classification approach with substantially low false positive rates is provided.  Graph-based local and/or global file 
relationships are used to improve malware classification along with a feature selection algorithm.  File relationships such as containing, creating, copying, downloading, modifying, etc. are used to assign malware probabilities and simultaneously reduce the false positive and false negative rates on executable files.
Thomas et al. (US2012/0079596) teaches a method of detecting malicious software (malware) includes receiving a file and storing a memory baseline for a system.  The method also includes copying the file to the system, executing the file on the system, terminating operation of the system, and storing a post-execution memory map.  The method further includes analyzing the memory baseline and the post-execution memory map and determining that the file includes malware. 
Viswanathan et al. (US2016/0156631) teaches Systems and Methods for providing access control to files stored on a shared file storage platform in a multi-user environment are described herein.  According to the present subject matter, the system(s) implement the described methods for receiving a request from a user device of a user from amongst a 
plurality of users, to perform an operation in relation to a file.  Further determining a global unique identifier (GUID) associated with the file where the GUID uniquely distinguishes the file from other files based on contents of the file.  The method further includes executing the requested operation in relation to the file based on an access reference graph (ARG), where the ARG provides an access control data structure to the files stored on the shared file storage platform, and where the ARG references the files stored on a shared file storage platform based on the GUID associated with each file.
Zhang et al. (US2019/0205480) teaches a layered graph data structure can be stored using a vertex table and an edge table.  The vertex table includes a vertex identifier column and a first graph identifier column.  The edge table includes a second graph identifier column, a node identifier column, and an edge type column.  Queries of the layered graph data structure include a target entity and a graph level, and iterative searching of the vertex table and the edge table is performed based on the graph level and data stored in edge type column.

Regarding Claims 1, 8, and 15, although the above closest prior art of record  teaches generating a networked computing environment graph, wherein nodes of the networked computing environment graph represent networked computing devices and files, and edges of the networked computing environment graph are between a networked computing device node and a file node, indicating a file represented by the file node is located on a networked computing device represented by the networked computing device node; identifying a file in question node for a file in question in the networked computing environment graph; identifying a device in question node connected to the file in question node, wherein the file in question is located on a respective networked computing device represented by the device in question node; identifying a set of file nodes, wherein the set of files nodes includes each file node of the networked computing environment graph for the file in question except the file in question node; generating a set of connection paths from the device in question node to each file node of the set of file nodes based upon edges of the networked computing environment graph.
	However, none of the prior art, alone or in combination teaches determining the respective networked computing device represented by the device in question node should not have possession of the file in question based on a set of one or more metrics derived from the networked computing environment graph and the set of connection paths, wherein the set of metrics includes a first metric determined based on a minimum degree of separation exceeds a threshold, wherein the minimum degree of separation is a number of edges in a connection path between the device in question node and a respective file node for the connection path with lowest number of edges for all connection paths of the set of connection paths in view of other limitations of the independent claims. Therefore the claims are allowable over the cited prior arts.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
                                                                                                                                                                                                       
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAHRIAR ZARRINEH whose telephone number is (571)272-1207.  The examiner can normally be reached on Monday-Friday, 8:30am-5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on 571-272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/SHAHRIAR ZARRINEH/Examiner, Art Unit 2497