Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Peppe et al. (US 2017/0346839).

Regarding Claim 1, Peppe discloses a method, in a data processing system, for identifying a pattern of computing resource activity of interest, in activity data characterizing activities of computer system elements, the method comprising: 
receiving, by the data processing system, the activity data characterizing activities of computer system elements from one or more computing devices of a monitored computing environment ([0027], Peppe); 
generating, by the data processing system, a temporal graph of the activity data, wherein the temporal graph comprises nodes representing the computer system elements and edges connecting nodes, wherein each edge represents an event occurring between computer system elements represented by nodes connected by the edge ([0025], [0093]-[0095], and [0127], Peppe); 
applying, by the data processing system, a filter to the temporal graph to generate one or more first vector representations, each vector representation characterizing nodes and edges within a moving window defined by the filter ([0085], [0082], [0124], [0137], and [0142], Peppe); 
applying, by the data processing system, the filter to a pattern graph representing a pattern of entities and events between entities indicative of the pattern of computing resource activity to be identified in the temporal graph ([0077], Peppe), wherein application of the filter to the pattern graph creates a second vector representation ([0077] and [0078]-[0079], Peppe); 
comparing, by the data processing system, the second vector representation to the one or more first vector representations to identify one or more nearby vectors in the one or more first vector representations ([0077]-[0079], [0020], and [0030], Peppe); and 
outputting, by the data processing system, one or more subgraph instances corresponding to the identified one or more nearby vectors to an intelligence console computing system as inexact matches of the temporal graph ([0080], Peppe).

Regarding Claim 2, Peppe discloses a method of claim 1, wherein the intelligence console computing system is a cyber security intelligence center, and wherein the one or more nearby vectors represent potential computer attacks on the one or more computing devices ([0015], and [0019]-[0020], Peppe).

Regarding Claim 3, Peppe discloses a method of claim 1, further comprising training at least one graph neural network (GNN), based on a training dataset, to perform a vector embedding of attributes of the nodes and edges of an input graph to generate a vector output corresponding to the attributes of the nodes and edges of the input graph, and wherein applying the filter to the temporal graph comprises executing the trained at least one GNN on the temporal graph as the input graph, and wherein applying the filter to the pattern graph comprises executing the trained at least one GNN on the pattern graph as the input graph ([0032], Peppe).

Regarding Claim 4, Peppe discloses a method of claim 3, wherein the training dataset comprises one or more known activity graphs corresponding to activity performed by a known set of computing elements, at least one known pattern graph corresponding to at least one known pattern of activity of interest, and an indication of a correct vector output or classification to be generated by the at least one GNN based on the one or more known activity graphs and the at least one known pattern graph as inputs to the at least one GNN ([0027] and [0032], Peppe).

Regarding Claim 5, Peppe discloses a method of claim 3, wherein the at least one GNN comprises a plurality of GNNs, each GNN having a different size corresponding filter, and wherein applying the filter to the temporal graph and applying the filter to the pattern graph comprises executing a GNN selected from the plurality of GNNs having a corresponding filter of a size corresponding to a size of the pattern graph ([0081]-[0082], and [0032], Peppe).

Regarding Claim 6, Peppe discloses a method of claim 1, wherein the filter has a first dimension corresponding to a reachability limit indicating a distance of nodes away from a first node within the moving window that are within the moving window, and a second dimension corresponding to a time range, from a time point corresponding to a center time point of the moving window, of events that are within the moving window ([0031], Fig. 7, and [0076], Peppe).

Regarding Claim 7, Peppe discloses a method of claim 1, wherein applying the filter to the temporal graph further comprises storing a mapping of portions of the one or more first vector representations to attributes of nodes and edges in the moving window, and wherein outputting the one or more subgraph instances corresponding to the identified one or more nearby vectors comprises converting the one or more nearby vectors to corresponding subgraph instances in the one or more subgraph instances based on the stored mapping ([0090], Peppe).

Regarding Claim 8, Peppe discloses a method of claim 1, wherein comparing the second vector representation to the one or more first vector representations to identify one or more nearby vectors in the one or more first vector representations comprises identifying the one or more nearby vectors based on an inexact matching of the second vector representation to portions of the one or more first vector representations to thereby identify the one or more nearby vectors ([0090], Peppe).

Regarding Claim 9, Peppe discloses a method of claim 1, wherein comparing the second vector representation to the one or more first vector representations to identify the one or more nearby vectors in the one or more first vector representations comprises, for each first vector representation in the one or more first vector representations: 
performing a vector distance based comparison of the second vector representation to the first vector representation to generate a similarity measure corresponding to the first vector representation ([0026] and [0030], Peppe); 
comparing the similarity measure to a threshold similarity measure to determine if the first vector representation represents a nearby vector ([0026] and [0030], Peppe); and 
in response to the similarity measure having a predetermined relationship relative to the threshold similarity measure, returning the first vector representation as a nearby vector ([0030], [0076], Peppe).

Regarding Claim 10, Peppe discloses a method of claim 1, wherein the method is performed dynamically as the temporal graph dynamically changes over time ([0085], Peppe).

Regarding Claim 11, Peppe discloses a computer program product comprising a computer readable storage medium having a computer readable program stored therein, wherein the computer readable program, when executed on a data processing system, causes the data processing system to: 
receive activity data characterizing activities of computer system elements from one or more computing devices of a monitored computing environment ([0027], Peppe); 
generate a temporal graph of the activity data, wherein the temporal graph comprises nodes representing the computer system elements and edges connecting nodes, wherein each edge represents an event occurring between computer system elements represented by nodes connected by the edge ([0025], [0093]-[0095], and [0127], Peppe); 
apply a filter to the temporal graph to generate one or more first vector representations, each vector representation characterizing nodes and edges within a moving window defined by the filter ([0085], [0082], [0124], [0137], and [0142], Peppe); 
apply the filter to a pattern graph representing a pattern of entities and events between entities indicative of the pattern of computing resource activity to be identified in the temporal graph ([0077], Peppe), wherein application of the filter to the pattern graph creates a second vector representation ([0077] and [0078]-[0079], Peppe); 
compare the second vector representation to the one or more first vector representations to identify one or more nearby vectors in the one or more first vector representations ([0077]-[0079], [0020], and [0030], Peppe); and 
output, by the data processing system, one or more subgraph instances corresponding to the identified one or more nearby vectors to an intelligence console computing system as inexact matches of the temporal graph ([0080], Peppe).

Regarding Claim 12, Peppe discloses a computer program product of claim 11, wherein the intelligence console computing system is a cyber security intelligence center, and wherein the one or more nearby vectors represent potential computer attacks on the one or more computing devices ([0015], and [0019]-[0020], Peppe).

Regarding Claim 13, Peppe discloses a computer program product of claim 11, wherein the computer readable program further causes the data processing system to train at least one graph neural network (GNN), based on a training dataset, to perform a vector embedding of attributes of the nodes and edges of an input graph to generate a vector output corresponding to the attributes of the nodes and edges of the input graph, and wherein applying the filter to the temporal graph comprises executing the trained at least one GNN on the temporal graph as the input graph, and wherein applying the filter to the pattern graph comprises executing the trained at least one GNN on the pattern graph as the input graph ([0032], Peppe).

Regarding Claim 14, Peppe discloses a computer program product of claim 13, wherein the training dataset comprises one or more known activity graphs corresponding to activity performed by a known set of computing elements, at least one known pattern graph corresponding to at least one known pattern of activity of interest, and an indication of a correct vector output or classification to be generated by the at least one GNN based on the one or more known activity graphs and the at least one known pattern graph as inputs to the at least one GNN ([0027] and [0032], Peppe).

Regarding Claim 15, Peppe discloses a computer program product of claim 13, wherein the at least one GNN comprises a plurality of GNNs, each GNN having a different size corresponding filter, and wherein applying the filter to the temporal graph and applying the filter to the pattern graph comprises executing a GNN selected from the plurality of GNNs having a corresponding filter of a size corresponding to a size of the pattern graph ([0081]-[0082], and [0032], Peppe).

Regarding Claim 16, Peppe discloses a computer program product of claim 11, wherein the filter has a first dimension corresponding to a reachability limit indicating a distance of nodes away from a first node within the moving window that are within the moving window, and a second dimension corresponding to a time range, from a time point corresponding to a center time point of the moving window, of events that are within the moving window ([0031], Fig. 7, and [0076], Peppe).

Regarding Claim 17, Peppe discloses a computer program product of claim 11, wherein the computer readable program further causes the data processing system to apply the filter to the temporal graph further at least by storing a mapping of portions of the one or more first vector representations to attributes of nodes and edges in the moving window, and wherein the computer readable program further causes the data processing system to output the one or more subgraph instances corresponding to the identified one or more nearby vectors at least by converting the one or more nearby vectors to corresponding subgraph instances in the one or more subgraph instances based on the stored mapping ([0090], Peppe).

Regarding Claim 18, Peppe discloses a computer program product of claim 11, wherein the computer readable program further causes the data processing system to compare the second vector representation to the one or more first vector representations to identify one or more nearby vectors in the one or more first vector representations at least by identifying the one or more nearby vectors based on an inexact matching of the second vector representation to portions of the one or more first vector representations to thereby identify the one or more nearby vectors ([0090], Peppe).

Regarding Claim 19, Peppe discloses a computer program product of claim 11, wherein the computer readable program further causes the data processing system to compare the second vector representation to the one or more first vector representations to identify the one or more nearby vectors in the one or more first vector representations at least by, for each first vector representation in the one or more first vector representations: 
performing a vector distance based comparison of the second vector representation to the first vector representation to generate a similarity measure corresponding to the first vector representation ([0026] and [0030], Peppe); 
comparing the similarity measure to a threshold similarity measure to determine if the first vector representation represents a nearby vector ([0026] and [0030], Peppe); and 
in response to the similarity measure having a predetermined relationship relative to the threshold similarity measure, returning the first vector representation as a nearby vector ([0030], [0076], Peppe).

Regarding Claim 20, Peppe discloses an apparatus comprising: 
a processor (Fig. 5, 504, 520, Peppe); and 
a memory coupled to the processor, wherein the memory comprises instructions which, when executed by the processor (Fig. 5, 506 and 522, Peppe), specifically configures the processor to implement an inexact graph pattern matching mechanism that operates to: 
receive activity data characterizing activities of computer system elements from one or more computing devices of a monitored computing environment ([0027], Peppe); 
generate a temporal graph of the activity data, wherein the temporal graph comprises nodes representing the computer system elements and edges connecting nodes, wherein each edge represents an event occurring between computer system elements represented by nodes connected by the edge ([0025], [0093]-[0095], and [0127], Peppe); 
apply a filter to the temporal graph to generate one or more first vector representations, each vector representation characterizing nodes and edges within a moving window defined by the filter ([0085], [0082], [0124], [0137], and [0142], Peppe); 
apply the filter to a pattern graph representing a pattern of entities and events between entities indicative of the pattern of computing resource activity to be identified in the temporal graph ([0077], Peppe), wherein application of the filter to the pattern graph creates a second vector representation ([0077] and [0078]-[0079], Peppe); 
compare the second vector representation to the one or more first vector representations to identify one or more nearby vectors in the one or more first vector representations ([0077]-[0079], [0020], and [0030], Peppe); and 
output, by the data processing system, one or more subgraph instances corresponding to the identified one or more nearby vectors to an intelligence console computing system as inexact matches of the temporal graph ([0080], Peppe).



Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GIOVANNA B COLAN whose telephone number is (571) 272-2752. The examiner can normally be reached on Mon - Fri 8:30-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Aleksandr Kerzhner, can be reached on (571) 270-1760. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/GIOVANNA B COLAN/
Primary Examiner, Art Unit 2165
May 9, 2022