DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim 20 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim does not fall within at least one of the four categories of patent eligible subject matter because a computer program product comprising a computer-readable storage medium does not exclude a signal per se.  A signal claim is non-statutory subject matter.  It is suggested to replace it with a computer program product comprising a non-transitory computer-readable storage medium.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 4-10 and 14-19 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Regarding claim 4, the limitation “grouping the nodes having same types” is unclear and indefinite.  It is unclear what types are indeed referred to, e.g., size, length, capacity, activities, etc…
Regarding claim 6, the limitation “the visualization based on the types” is unclear and indefinite.  It is unclear what types are indeed referred to, e.g., size, length, capacity, activities, etc…
Regarding claim 14, the limitation “grouping the nodes having same types” is unclear and indefinite.  It is unclear what types are indeed referred to, e.g., size, length, capacity, activities, etc…
Regarding claim 16, the limitation “the visualization based on the types” is unclear and indefinite.  It is unclear what types are indeed referred to, e.g., size, length, capacity, activities, etc…
Other claims are automatically rejected for the reasons set forth in rejected dependent claims 4 and 14.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-3, 11-13, and 20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Apostolopoulos (US 2019/0124104 A1).
Regarding claims 1, 11, and 20, Apostolopoulos discloses a computer-implemented method (Fig. 18), comprising: 
accessing information (Fig. 18, blocks 1810-1830, receive event data, acquire event relationship graph for each event, and acquire anomaly data indicative of security related anomalies detected for event data) for a knowledge graph (Fig. 16), the knowledge graph having nodes (Fig. 16, U1-U11, IP1-IP7, and I1-I4) and edges of a network (Fig. 16, connections between U1-U11, IP1-IP7, and I1-I4.  Herein, edges are connections, see 62nd paragraph of the specification) and having information regarding one or more security incidents in the network (Fig. 16 includes indicators of anomalies and threats); 
grouping together related entities from the knowledge graph (Fig. 23), where the related entities that are grouped together are determined by types of the entities (238th paragraph, entities associated with the activities can be grouped into smaller time units), and also by one or more threats impacting the entities (239th paragraph, threats can be detected based on the risk score of group of linked entities), wherein the one or more threats correspond to the one or more security incidents (Fig. 18, threat is derived from anomalies or incidents); 
arranging the grouped related entities in visualization data in order that the visualization data are configured to provide a visualization of the knowledge graph with the grouped related entities (Fig. 23); and
outputting the visualization data (Fig. 23).

Regarding claims 2 and 12, Apostolopoulos discloses wherein the types of the entities comprise one or more of the following: one or more assets in the network (Fig. 16); one or more external connections from the one or more assets to the one or more threats (Fig. 16); and the one or more threats that correspond to assets via the one or more external connections (Fig. 16).  

Regarding claims 3 and 13, Apostolopoulos discloses wherein the types of entities further comprise one or more security alert sources (Fig. 16 and 212th paragraph, I1 through I4 represent anomaly nodes).

Allowable Subject Matter
Claims 4-10 and 14-19 would be allowable if rewritten to overcome the rejection(s) under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), 2nd paragraph, set forth in this Office action and to include all of the limitations of the base claim and any intervening claims.

Conclusion
Lem et al (US 2019/0132344 A1) discloses employing graph analysis for detecting malicious activity in time evolving networks.
Ochi et al (US 2019/0166139 A1) discloses a network protection device for removing threats.
Pratt et al (US Patent No. 10,673,880 B1) discloses anomaly detection to identify security threats.
Humphrey et al (US 2021/0273961 A1) discloses a cyber threat defense system.
Stockdale et al (US 2020/0244673 A1) discloses a multivariable network structure anomaly detector.
Israel et al (US 2021/0326744 A1) discloses security alert incident grouping based on investigation history.
Tsironis (US 2018/0316706 A1) discloses defining threat rules in a network.
Walsh et al (US 2019/0182273 A1) discloses learning maliciousness in cybersecurity graphs.
Kopp et al (US 2020/0304462 A1) discloses graphical representation of security threats in a network.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANH VU H LY whose telephone number is (571)272-3175. The examiner can normally be reached M-F 8am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hassan Kizou can be reached on 571-272-3088. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

ANH VU H. LY
Primary Examiner
Art Unit 2472


