Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Drawings
The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they include the following reference character(s) not mentioned in the description: Fig. 7 reference number 714.  Corrected drawing sheets in compliance with 37 CFR 1.121(d), or amendment to the specification to add the reference character(s) in the description in compliance with 37 CFR 1.121(b) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 7-12, 13, 14, 15, 17, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over DURAIRAJ (US-20180316704-A1) in view of FELLOWS (EP-3528459-B1), hereinafter DURAIRAJ-FELLOWS.
Regarding claim 1, DURAIRAJ teaches “A method comprising: receiving event data associated with an event on a first host device; ([DURAIRAJ, para. 0030] “The technology disclosed here enables improved detection of attackers who move through a network via a LM attack strategy. LM refers to a network activity in which a user, who may be an attacker, progressively gains access to an increasing amount of resources inside a networked infrastructure, which is a situation that may be (but is not necessarily) indicative of a security threat. The disclosed technology leverages event data to detect LM candidates, which are entities that indicate or are associated with LM. “Event data” is a discrete set of raw machine data that represents or corresponds to specific network activity, such as data generated by security platform(s) of a network when performing a security-related function, among others.”) detecting, based at least in part on the event data, an incident associated with the event; ([DURAIRAJ, para. 0030] “The specific network activity is also referred to as an “event” or “events.” Event data can be generated, e.g., when a security platform facilitates or tracks a network-related event, such as a login, a privilege elevation, an object access, etc. Various security platforms generate event data, and store the event data in a log file or stream the event data to other platform(s) or application(s) for real-time analysis.”) determining a first value to visually represent the incident in a user interface based at least in part on an incident score representative of a likelihood for the incident to impact operation of the first host device; ([DURAIRAJ, para. 0041] “The LM security application calculates a score for each entity based on the defined event data associated with the entity and the associated weight factor(s). All entities with a score above a certain threshold are identified as LM candidates.”) ([DURAIRAJ, para. 0092] “When a security threat has been detected, the security platform then reports the threat to an administrator of the network (e.g., via the GUI features described above) and/or writes the security threat into a threat log for later review by an administrator.”) ([DURAIRAJ, para. 0093] “FIG. 7 is an illustration of a graph data structure that is indicative of time sequence for detecting LM candidates. Graph 700 is created by an LM security application. The LM security application accesses log files created by various security platforms, and creates the graph based on an analysis of the event data of the various log files.”) determining that the event on the first host device initiates a process or a thread on a second host device; ([DURAIRAJ, para. 0095] “The edge from node U701 to node D702 represents a login event, such as AD event 4624 (an account was successfully logged on), which is logged by AD when user1 logs into the first device.”) ([DURAIRAJ, para. 0096, Fig. 7] “After logging in to the first device, user1 initiates a number of processes, whose associated events are logged as event data by a security platform, in this instance, AD. ……… The LM security application detects that user1 next logs into a second device, and the LM security application creates node D703 to represent the second device”) determining a second value to visually represent the process or the thread on the second host device in the user interface; ([DURAIRAJ, para. 0096, Fig. 7] “The LM security application detects that user1 next logs into a second device, and the LM security application creates node D703 to represent the second device, and creates F1 of node D703 to indicate the user1 login.”) outputting, based at least in part on the first value and the second value, an image in a user interface that represents the incident on the first host device and the process or the thread on the second host device; ([DURAIRAJ, para. 0092] “When a security threat has been detected, the security platform then reports the threat to an administrator of the network (e.g., via the GUI features described above) and/or writes the security threat into a threat log for later review by an administrator.”) ([DURAIRAJ, para. 0095] “The LM security application determines that, at a time later than an event associated with a feature vector of U701, user1 logs in to a first device, and the LM security application creates node D702”) ([DURAIRAJ, para. 0096] “FIGS. 10A-C are an example of an event segment that is indicative of malicious process creation. The LM security application detects that user1 next logs into a second device, and the LM security application creates node D703 to represent the second device, and creates F1 of node D703 to indicate the user1 login.”).
However, DURAIRAJ does not teach “and determining, based at least in part on the image, whether or not the incident associated with the event is a malicious incident.”
In analogous teaching, FELLOWS teaches “and determining, based at least in part on the image, whether or not the incident associated with the event is a malicious incident.” ([FELLOWS, para. 0027] “A GUI can display metrics, alerts, and events of both the OT network in light of activities occurring in information technology network on a common display screen. The GUI allows a viewer to visually contextualize the metrics, alerts, and/or events occurring in the OT network in light of the activities occurring in the information technology network on the common display screen,”) ([FELLOWS, para. 0028] “The GUI also allows a viewer to then to confirm the detected cyber threat in view of what is happening in the OT network as well as in the information technology network.”)
Thus, given the teaching of FELLOWS, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of determining, based on an image, whether an incident is malicious as taught by FELLOWS into the teaching of a method for determining malicious activity through multiple devices taught by DURAIRAJ. One of ordinary skill in the art would have been motivated to do so because FELLOWS recognizes the benefit of being able to view network activity to detect cyber attacks and other malicious activity. ([FELLOWS, para. 0028] “Visibility over the OT network in this manner can be advantageous even when a cyber threat is not detected, as malfunctions or misconfigurations in the production process can be viewed in the same manner”).

Regarding claim 7, DURAIRAJ-FELLOWS teach all limitations of claim 1. FELLOWS further teaches “wherein determining whether or not the incident associated with the event is malicious comprises at least one of: receiving input via the user interface verifying that a pattern in the image is suspicious and determining that the incident associated with the event is malicious based at least in part on the input; or receiving input via the user interface verifying that the pattern in the image is not suspicious and determining that the incident associated with the event is not malicious based at least in part on the input.” ([FELLOWS, para. 0027] “A GUI can display metrics, alerts, and events of both the OT network in light of activities occurring in information technology network on a common display screen. The GUI allows a viewer to visually contextualize the metrics, alerts, and/or events occurring in the OT network in light of the activities occurring in the information technology network on the common display screen,”) ([FELLOWS, para. 0028] “The GUI also allows a viewer to then to confirm the detected cyber threat in view of what is happening in the OT network as well as in the information technology network. Visibility over the OT network in this manner can be advantageous even when a cyber threat is not detected, as malfunctions or misconfigurations in the production process can be viewed in the same manner.”) ([FELLOWS, claim 4] “i) to visually contextualize the metrics, alerts, and/or events occurring in the operational technology network in light of the activities occurring in the information technology network on the common display screen, and then ii) to confirm the detected cyber threat.”)
The same motivation to modify DURAIRAJ with FELLOWS as in the rejection of claim 1 applies.

Regarding claim 8, DURAIRAJ-FELLOWS teaches all limitations of claim 1. DURAIRAJ further teaches “wherein determining the second value to visually represent the process or the thread on the second host device in the user interface is performed independent of analyzing network activity between the first host device and the second host device.” ([DURAIRAJ, para. 0034] “In another example, a macro represents a user account logging into a first machine, then changing the privileges of the user account to an administrator account, and then logging into another machine by use of the administrator privileges.”) ([DURAIRAJ, para. 0095] “The LM security application determines that, at a time later than an event associated with a feature vector of U701, user1 logs in to a first device, and the LM security application creates node D702”) ([DURAIRAJ, para. 0096] “The LM security application detects that user1 next logs into a second device, and the LM security application creates node D703 to represent the second device, and creates F1 of node D703 to indicate the user1 login”) [Examiner’s note: the representation of the second value is performed by the LM security application as soon as a login from user1 to a second device is detected, without any analysis of network traffic between the two devices.]

Regarding claim 9, DURAIRAJ-FELLOWS teaches all limitations of claim 1. DURAIRAJ further teaches “determining a pattern associated with the event, the pattern including a visual representation of the event over a time interval;” ([DURAIRAJ, para. 0002] “Malicious activities may include unauthorized access or subsequent unpermitted use of network resources and data. Network administrators seek to detect such activities, for example, by searching for patterns of behavior that are abnormal or otherwise vary from the expected use pattern of a particular entity”) ([DURAIRAJ, para. 0035] “Macro collections can be matched against a priori known patterns of conducting LM attacks. An aspect of improving accuracy of identification of threats includes refining a population of LM candidates, which can be facilitated by eliminating false positives, such as by eliminating those LM candidates that are determined to not indicate a threat.”) ([DURAIRAJ, para. 0042] “The event data include time-related data, such as timestamp data, which enables some or all of the event data to be sequenced. The LM security application analyzes the timestamp data to sequence the event data, and creates a data structure which represents an associated time constrained graph.”) ([DURAIRAJ, para. 0092] “When a security threat has been detected, the security platform then reports the threat to an administrator of the network (e.g., via the GUI features described above) and/or writes the security threat into a threat log for later review by an administrator.”) determining a time within the time interval at which the incident occurs; ([DURAIRAJ, para. 0125] “Node sequences/paths can indicate LM or a LM candidate(s) in any of various ways. For example, a feature vector that is indicative of a suspicious application associated with a user, followed by a feature vector that is indicative of a privilege elevation of the user …………  In yet another example, feature vectors are associated with some or all of time 1-time 5, with each time being after the previous time (e.g., time 2 is after time 1, time 3 is after time 2, etc.). A node sequence includes a feature vector that is indicative of a blacklisted process at the first time, a feature vector that is indicative of a privilege elevation at the second time, a feature vector that is indicative of an enumeration at a time interval bounded by the second time and the fifth time, and three feature vectors, the first of which is indicative of an anomaly at time 1, the second of which is indicative of an anomaly at time 3, and the third of which is indicative of an anomaly at time 4.”) and verifying that the incident score satisfies a confidence threshold, and wherein determining the first value to represent the incident based at least in part on the incident score comprises modifying the pattern to represent the incident at the time within the time interval at which the incident occurs. ([DURAIRAJ, para. 0041] “The LM security application matches some or all of the defined event data with stored event-related data that indicate LM or LM candidates to identify a weight factor(s) for the defined event data. The LM security application calculates a score for each entity based on the defined event data associated with the entity and the associated weight factor(s). All entities with a score above a certain threshold are identified as LM candidates. The thresholds can be different for each type of entity (e.g., can be 1000 for computers, 1500 for user accounts, 1750 for applications, etc.).”) ([DURAIRAJ, para. 0034] “A macro is data that can be used to identify various event-related data, e.g., specific tasks associated with a particular phase of an attack, among others. In an example, a macro comprises one or more features of one or more feature vectors associated with an entity. Some macros may have features that occur in a time-ordered sequence”) ([DURAIRAJ, para. 0035] “Macros may be matched with features or feature vectors across entities, and may be ordered in time. Macros may further be combined in sets of macros, with individual macros representing attack phases, and the set of macros representing, further attack phases, or even an entire attack. Macro collections can be matched against a priori known patterns of conducting LM attacks.”)
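As an added illustration (an editor's example, not the applicant's method and not code from DURAIRAJ), the following script sketches the mechanism the passages quoted for claims 1 and 9 describe: timestamped event data are sequenced into a time-constrained login graph, each entity accumulates a score from the weight factors of its features, and per-entity-type thresholds select LM candidates. The thresholds are the values quoted from para. 0041; the weight factors, event kinds, node names and log entries are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Per-entity-type thresholds as quoted from DURAIRAJ para. 0041 above.
THRESHOLDS = {"user": 1500, "computer": 1000, "application": 1750}

# Weight factors are an editorial assumption; the reference does not state values.
WEIGHTS = {
    "logon": 100,                 # e.g. AD event 4624, as quoted from the reference
    "privilege_elevation": 800,
    "blacklisted_process": 900,
    "app_install": 600,
}


@dataclass
class Event:
    """One piece of timestamped event data (constructed input, not real log data)."""
    ts: int
    kind: str
    user: str
    host: str
    app: Optional[str] = None


@dataclass
class LoginGraph:
    # Edges: user node -> [(device node, timestamp)], one per logon event.
    edges: Dict[str, List[Tuple[str, int]]] = field(default_factory=lambda: defaultdict(list))
    # Feature vectors: node -> [(timestamp, event kind)] in time order.
    features: Dict[str, List[Tuple[int, str]]] = field(default_factory=lambda: defaultdict(list))


def build_login_graph(events: List[Event]) -> LoginGraph:
    """Sequence the event data by timestamp and build the time-constrained login graph."""
    g = LoginGraph()
    for ev in sorted(events, key=lambda e: e.ts):
        user, dev = f"U:{ev.user}", f"D:{ev.host}"
        if ev.kind == "logon":
            g.edges[user].append((dev, ev.ts))
        # Every event contributes a feature to the user and to the device it occurred on.
        g.features[user].append((ev.ts, ev.kind))
        g.features[dev].append((ev.ts, ev.kind))
        if ev.app:
            g.features[f"A:{ev.app}"].append((ev.ts, ev.kind))
    return g


def score_entities(g: LoginGraph) -> Dict[str, int]:
    """Sum the weight factor of every feature attached to each entity node."""
    return {node: sum(WEIGHTS.get(kind, 0) for _, kind in feats)
            for node, feats in g.features.items()}


def lm_candidates(scores: Dict[str, int]) -> List[str]:
    """Entities whose score meets the threshold for their type are LM candidates."""
    type_of = {"U": "user", "D": "computer", "A": "application"}
    return sorted(n for n, s in scores.items() if s >= THRESHOLDS[type_of[n[0]]])


def device_path(g: LoginGraph, user: str) -> List[str]:
    """Time-ordered list of devices the user logged into, i.e. the path across hosts."""
    path: List[str] = []
    for dev, _ in sorted(g.edges[f"U:{user}"], key=lambda e: e[1]):
        if not path or path[-1] != dev:
            path.append(dev)
    return path


def sample_events() -> List[Event]:
    """Constructed sequence mirroring the two-device scenario quoted from DURAIRAJ Fig. 7."""
    return [
        Event(1, "logon", "user1", "dev1"),
        Event(2, "privilege_elevation", "user1", "dev1"),
        Event(3, "blacklisted_process", "user1", "dev1"),
        Event(4, "logon", "user1", "dev2"),
        Event(5, "app_install", "user1", "dev2", app="tool.exe"),
        Event(1, "logon", "user2", "dev3"),   # ordinary user with a single logon
    ]


if __name__ == "__main__":
    graph = build_login_graph(sample_events())
    scores = score_entities(graph)
    print("scores:", scores)
    print("LM candidates:", lm_candidates(scores))
    print("user1 device path:", device_path(graph, "user1"))
```

With the constructed input, user1 and the first device exceed their thresholds while the second device and the installed application do not, which is the refinement of the candidate population that para. 0035 refers to.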

Regarding claim 10, DURAIRAJ-FELLOWS teaches all limitations of claim 1. DURAIRAJ further teaches “wherein determining that the event on the first host device initiates the process or the thread on the second host device is based at least in part on an activity type associated with the incident.” ([DURAIRAJ, para. 0034] “In another example, a macro represents a user account logging into a first machine, then changing the privileges of the user account to an administrator account, and then logging into another machine by use of the administrator privileges.”) ([DURAIRAJ, para. 0095] “The LM security application determines that, at a time later than an event associated with a feature vector of U701, user1 logs in to a first device”) ([DURAIRAJ, para. 0096] “The LM security application detects that user1 next logs into a second device, and the LM security application creates node D703 to represent the second device, and creates F1 of node D703 to indicate the user1 login”).


Regarding claim 11, DURAIRAJ-FELLOWS teaches all limitations of claim 10. DURAIRAJ further teaches “wherein the activity type associated with the incident comprises at least one of: user authentication activity, service activity, or scheduled task activity.” ([DURAIRAJ, para. 0034] “In another example, a macro represents a user account logging into a first machine, then changing the privileges of the user account to an administrator account, and then logging into another machine by use of the administrator privileges.”)

Regarding claim 12, DURAIRAJ-FELLOWS teaches all limitations of claim 1. DURAIRAJ further teaches “The method as recited in claim 1, wherein: the event comprises a thread or a process; ([DURAIRAJ, para. 0031] “Making effective use of event data to identify LM candidates is challenging. For example, event data can be associated with activities, e.g., interactions between AD Objects and Security Principles ………. In an example, AD objects represent physical entities that make up a network and Security Principles represent any entity that can be authenticated by a system, such as user account, a computer account, or a thread or process that runs in the security context of a user or computer account.”) the incident comprises a portion of the thread or the process; ([DURAIRAJ, para. 0036] “The intruder initially logs in to the computer and his user credential is authorized, spawning login and authorization-related events whose event data are logged by AD. The intruder next elevates privileges (which may also mask his identity, such as when he elevates his privileges to an administrative account) in order to access critical systems”) ([DURAIRAJ, para. 0049] “For example, a computer system can “cause” an action by sending a message to a second computer system that commands, requests, or prompts the second computer system to perform the action. Any number of intermediary devices may examine and/or relay the message during this process.”).
However, DURAIRAJ does not teach “and the image output in the user interface communicates a level of impact of the portion of the thread or the process associated with the event on operation of the host device.”
In analogous teaching, FELLOWS teaches “and the image output in the user interface communicates a level of impact of the portion of the thread or the process associated with the event on operation of the host device.” ([FELLOWS, para. 0027] “A GUI can display metrics, alerts, and events of both the OT network in light of activities occurring in information technology network on a common display screen. The GUI allows a viewer to visually contextualize the metrics, alerts, and/or events occurring in the OT network in light of the activities occurring in the information technology network on the common display screen,”) ([FELLOWS, para. 0028] “The GUI also allows a viewer to then to confirm the detected cyber threat in view of what is happening in the OT network as well as in the information technology network.”) ([FELLOWS, para. 0066] “Using cutting-edge visualization techniques, the GUI, such as a threat visualizer user interface, automatically alerts viewers to significant incidents and threats within their OT environment, enabling them to proactively investigate specific areas of the ICS. The GUI provides viewers with insights into the relationships and data flows across the network, in real time delivering an instant overview of day-to-day network activity. By leveraging the GUI, operators can see what is happening in their control systems by the GUI visually representing both individual and peer behavior. This works at a high level, identifying diverse threats and anomalies for the operator's attention, and at a more granular level”) ([FELLOWS, para. 0067] “The GUI's visibility of the network allows the identification and tracking of device assets, data movements, software communications and network utilities. The GUI cooperating with the modules provides a clear view of service dependencies and structures with their critical paths. The GUI is able to display OT network components such as controllers, PLCs, and other systems that extend beyond an end point informational technology component”)
The same motivation to modify DURAIRAJ with FELLOWS as in the rejection of claim 1 applies.

Regarding claim 13, this claim recites a system comprising processors and computer-readable media storing instructions which, once executed, perform the features of claim 1. Therefore, claim 13 is rejected in a similar manner as in the rejection of claim 1.


Regarding claim 14, DURAIRAJ-FELLOWS teaches all limitations of claim 13. Furthermore, this claim recites features similar to those of claim 10. Therefore, claim 14 is rejected in a similar manner as in the rejection of claim 10. 


Regarding claim 15, DURAIRAJ-FELLOWS teaches all limitations of claim 13. Furthermore, this claim recites features similar to those recited in claim 7; therefore, claim 15 is rejected in a similar manner as in the rejection of claim 7.

Regarding claim 17, DURAIRAJ-FELLOWS teaches all limitations of claim 13. DURAIRAJ further teaches “wherein determining the second value to visually represent the process or the thread on the second host device comprises determining that the process or the thread is suspicious based at least in part on the first value.” ([DURAIRAJ, para. 0053] “FIGS. 2 through 6 relate to an example of a method for identifying a set of LM candidates that may pose a security threat based on detecting suspicious lateral movement of a user.”) ([DURAIRAJ, para. 0034] “In another example, a macro represents a user account logging into a first machine, then changing the privileges of the user account to an administrator account, and then logging into another machine by use of the administrator privileges.”) ([DURAIRAJ, para. 0095] “The LM security application determines that, at a time later than an event associated with a feature vector of U701, user1 logs in to a first device, and the LM security application creates node D702”) ([DURAIRAJ, para. 0096] “The LM security application detects that user1 next logs into a second device, and the LM security application creates node D703 to represent the second device, and creates F1 of node D703 to indicate the user1 login”)



Regarding claim 18, this claim recites a non-transitory computer-readable storage medium having instructions thereon which, once executed, perform the steps of claim 1. Therefore, claim 18 is rejected in a similar manner as in the rejection of claim 1.

Claims 2, 4-6, 16, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over DURAIRAJ-FELLOWS in view of STOKES (US-20180367548-A1), hereinafter DURAIRAJ-FELLOWS-STOKES.
Regarding claim 2, DURAIRAJ-FELLOWS teach all limitations of claim 1. However, DURAIRAJ-FELLOWS does not teach “generating a first graph based at least in part on the first value; generating a second graph based at least in part on the second value; and outputting a connector in the user interface between a portion of the first graph and a portion of the second graph, and wherein determining whether or not the incident associated with the event is the malicious incident is further based at least in part on outputting the connector in the user interface.”
In analogous teaching, STOKES teaches “generating a first graph based at least in part on the first value; generating a second graph based at least in part on the second value; and outputting a connector in the user interface between a portion of the first graph and a portion of the second graph, and wherein determining whether or not the incident associated with the event is the malicious incident is further based at least in part on outputting the connector in the user interface.” ([STOKES, para. 0020] “Graph-based detection systems and techniques are provided to identify potential malicious lateral movement paths. Large-scale event logs collected from operational networks may be analyzed as described further herein.”) ([STOKES, para. 0049] “In an implementation, given the large-scale datasets (e.g., there are millions of nodes and hundreds of millions of edges), the techniques herein may be implemented in large cluster using a MapReduce framework ……. A tool with a graphical user interface for analysts to query the results may be used”) ([STOKES, para. 0039] “Malicious lateral movement subgraphs may be identified in the network connection graph 173. Lateral movement paths can take several forms including linear paths, directed acyclic graphs (DAGs), or cyclic graphs. To facilitate accurate and efficient processing, search for malicious subpaths (i.e., rare K-hop paths), and then construct the overall malicious graph by joining these subpaths together based on a match of the source node, destination node, and timestamp.”) ([STOKES, para. 0048] “Once a malicious lateral movement subgraph is confirmed, add the two newly discovered nodes to the compromised computer and account list 195. When there are multiple infected nodes in the list 195, repeat the process for each additional node. In an implementation, these individually confirmed paths can be combined to reveal the entire malicious lateral movement graph.”) ([STOKES, para. 0039] “Malicious lateral movement subgraphs may be identified in the network connection graph 173.”) ([STOKES, para. 0048] “Once a malicious lateral movement subgraph is confirmed …… these individually confirmed paths can be combined to reveal the entire malicious lateral movement graph.”). [Examiner’s note: the teaching of subgraphs which are connected together is analogous to a second graph which is then connected to a first graph.]
Thus, given the teaching of STOKES, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of determining a malicious incident based on the use of multiple graphs as taught by STOKES into the teaching of a method for determining malicious activity through multiple devices taught by DURAIRAJ-FELLOWS. One of ordinary skill in the art would have been motivated to do so because STOKES recognizes the benefits of using graph-based detection to detect malicious activity. ([STOKES, para. 0004] “There are a number of challenges posed in trying to detect lateral movement. The computer connection history can be large in scale, with hundreds of thousands computers in datasets each generating an average of 200-300 connection events in a typical day. This large-scale data creates difficulties for both accurately detecting “infected” computers”) ([STOKES, para. 0005] “Graph-based detection systems and techniques are provided to identify potential malicious lateral movement paths. System and security events may be used to generate a network connection graph and detect remote file executions, for use in tracking malicious lateral movement across a computer network”).

Regarding claim 4, DURAIRAJ-FELLOWS-STOKES teaches all limitations of claim 2. DURAIRAJ further teaches “the first graph is associated with user authentication activity on the first host device, and the second graph is associated with activity on the second host device that is initiated by the user authentication activity on the first host device.” ([DURAIRAJ, para. 0057] “Event data 210 include information regarding computer network activities of user accounts, network devices, applications, etc. In some embodiments, event data 210 includes a projection of a security-related graph (also referred to herein as a “security graph”). The particular projection of the security graph of FIG. 2 is a “login projection” or “login graph”, which records information related to login events in which users log into network devices of the computer network. In another example, a “login graph” records information related to login or other association activities between entities.”) ([DURAIRAJ, para. 0096] “The LM security application detects that user1 next logs into a second device, and the LM security application creates node D703 to represent the second device, and creates F1 of node D703 to indicate the user1 login”).
However, DURAIRAJ does not disclose a second graph. In analogous teaching, STOKES teaches a second graph. ([STOKES, para. 0006] “In an implementation, a method for detecting malicious computers in a computer network comprises: generating a graph representing the computer network, the graph comprising nodes that represent computers and user accounts, and edges that represent computer connections and user logon events;”) ([STOKES, para. 0039] “Malicious lateral movement subgraphs may be identified in the network connection graph 173.”) ([STOKES, para. 0048] “Once a malicious lateral movement subgraph is confirmed …… these individually confirmed paths can be combined to reveal the entire malicious lateral movement graph.”).
The same motivation to modify DURAIRAJ-FELLOWS with STOKES as in the rejection of claim 2 applies.

Regarding claim 5, DURAIRAJ-FELLOWS-STOKES teaches all limitations of claim 2. DURAIRAJ further teaches “wherein outputting the connector in the user interface comprises: outputting a first end of the connector for presentation at the portion of the first graph corresponding to the incident; ([DURAIRAJ, para. 0034, Fig. 7] “A graph is created. In some embodiments, the graph is time constrained and is comprised of nodes which represent entities, and edges (also referred to as “connections”) between nodes which represent login or other association activity between entities.”) ([DURAIRAJ, para. 0093] “Graph 700 includes nodes, each of which represents an entity, and edges, each of which represents login or other association activity between the entities. The nodes include one or more associated feature vectors (e.g., F1, Fn). The circles of graph 700 each represent a node, and the straight lines that connect two nodes each represent an edge, or a connection, with the arrow representing time progression or a time sequence.”) ([DURAIRAJ, para. 0095] “The LM security application determines that, at a time later than an event associated with a feature vector of U701, user1 logs in to a first device, and the LM security application creates node D702 to represent the second device. The edge from node U701 to node D702 represents a login event, such as AD event 4624 (an account was successfully logged on), which is logged by AD when user1 logs into the first device. The LM security application creates F1 of node D702 to indicate a logon event at the first device. FIGS. 8A-C are an example of an event segment that is indicative of a suspicious logon.”) and outputting a second end of the connector for presentation at the portion of the second graph corresponding to an activity on the second host device associated with the event on the first host device. ([DURAIRAJ, para. 0096] “The LM security application, based on the analysis of the AD log file, creates feature vector F2 of node D702, which is indicative of a malicious process creation. FIGS. 10A-C are an example of an event segment that is indicative of malicious process creation. The LM security application detects that user1 next logs into a second device, and the LM security application creates node D703 to represent the second device, and creates F1 of node D703 to indicate the user1 login”) ([DURAIRAJ, para. 0097] “F1 of node A706 is created to indicate that user1 installed the application, F1 of node FD707 is created to indicate that the second device accessed an Internet Protocol (IP) address at an untrusted network via the firewall device, and F2 of node D703 is created to indicate that the application was downloaded to the second device.”). [Examiner’s note: DURAIRAJ’s second node teaches what would be in a second graph]
However, DURAIRAJ does not disclose a second graph. In analogous teaching, STOKES teaches a second graph. ([STOKES, para. 0006] “In an implementation, a method for detecting malicious computers in a computer network comprises: generating a graph representing the computer network, the graph comprising nodes that represent computers and user accounts, and edges that represent computer connections and user logon events;”) ([STOKES, para. 0039] “Malicious lateral movement subgraphs may be identified in the network connection graph 173.”) ([STOKES, para. 0048] “Once a malicious lateral movement subgraph is confirmed …… these individually confirmed paths can be combined to reveal the entire malicious lateral movement graph.”).
The same motivation to modify DURAIRAJ-FELLOWS with STOKES as in the rejection of claim 2, applies.

Regarding claim 6, DURAIRAJ-FELLOWS-STOKES teaches all limitations of claim 5. STOKES further teaches “wherein at least one of: the first end of the connector comprises one or more symbols to communicate an activity type for the incident, a related event, or a level of suspicious activity for the incident, or the second end of the connector comprises one or more symbols to communicate a level of suspicious activity for the process or the thread on the second host device.” ([STOKES, para. 0066] “Thus, in FIG. 3, a known compromised node (denoted as node G) is discovered and the task is to identify the unknown compromised computers and user accounts (dashed nodes C, F, I, L, and M) along the malicious access path (dashed lines). Searching for potentially compromised nodes which connect to the known compromised node considers inbound paths, while discovering downstream nodes which are connected to by the known compromised node studies outbound paths.”) ([STOKES, para. 0067] “For the forensic analysis problem, the network connection graph is processed with the path-rate score 176 and the forensic analysis module 185 for generating the lateral movement graph with the detection of one or more confirmed malicious (i.e., infected) computers or user accounts.”)
The same motivation to modify DURAIRAJ-FELLOWS with STOKES as in the rejection of claim 2, applies.


Regarding claim 16, DURAIRAJ-FELLOWS teaches all limitations of claim 13. Furthermore, this claim recites features similar to those recited in claim 2. Therefore, claim 16 is rejected in a similar manner as in the rejection of claim 2.

Regarding claim 19, DURAIRAJ-FELLOWS teaches all limitations of claim 18. Furthermore, this claim recites features similar to those recited in claim 2. Therefore, claim 19 is rejected in a similar manner as in the rejection of claim 2. DURAIRAJ further teaches “determining an activity connecting a first graph associated with the first value and a second graph associated with the second value” ([DURAIRAJ, para. 0034, Fig. 7] “a user account logging into a first machine, then changing the privileges of the user account to an administrator account, and then logging into another machine by use of the administrator privileges.”) ([DURAIRAJ, para. 0095] “The LM security application determines that, at a time later than an event associated with a feature vector of U701, user1 logs in to a first device, and the LM security application creates node D702 ….  The edge from node U701 to node D702 represents a login event, such as AD event 4624 (an account was successfully logged on), which is logged by AD when user1 logs into the first device.”) ([DURAIRAJ, para. 0096] “The LM security application detects that user1 next logs into a second device, and the LM security application creates node D703 to represent the second device, and creates F1 of node D703 to indicate the user1 login”) ([DURAIRAJ, para. 0097] “The subsequent analysis can include extracting paths from the graph, which are a sequence of nodes. An example of a path is U701→D702, D703”).


Regarding claim 20, DURAIRAJ-FELLOWS-STOKES teaches all limitations of claim 19. DURAIRAJ further teaches “wherein the first graph or the second graph comprises one or more of: a process tree, one or more symbols to represent activity by a processor of the first host device.” ([DURAIRAJ, para. 0093, Fig. 7] “The nodes include one or more associated feature vectors (e.g., F1, Fn). The circles of graph 700 each represent a node, and the straight lines that connect two nodes each represent an edge, or a connection, with the arrow representing time progression or a time sequence.”) ([DURAIRAJ, para. 0094, Fig. 7] “In the example of FIG. 7, node U701 represents a first user. The associated feature vectors (e.g., F1 Fn of node U701) each represent or are derived from an event segment. Each event of the event segment of this example has associated time-related data, such as timestamp data, and a time sequence of the events can be determined based on the time-related data ……… The LM security application, based on an analysis of the AD log file, creates feature vector F1 of node U701 based on an event segment that is indicative of a user1 account authorization. Accordingly, F1 of node U701 is indicative of a user1 account authorization, as it was derived from an event segment that is indicative of a user1 account authorization.”)
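The graph construction and path extraction quoted from DURAIRAJ in the rejections of claims 19 and 20 (entity nodes carrying ordered feature vectors F1, F2, …, time-ordered edges for logon events, and paths such as U701→D702, D703) can be illustrated with the following example, written here for explanation and not taken from DURAIRAJ, STOKES, FELLOWS or the application. The event records, the label strings and the use of Windows event 4688 for process creation are constructed assumptions; only event 4624 appears in the cited text.

```python
from collections import defaultdict

# Constructed sample event segment (not from the application or the cited
# references). It follows the Fig. 7 narrative: user1 account authorization,
# logon to a first device (AD event 4624), a process creation there
# (event 4688 is an assumption made here), then logon to a second device.
EVENTS = [
    {"t": 1, "kind": "account_auth", "src": "U701", "dst": "U701"},
    {"t": 2, "kind": "logon_4624", "src": "U701", "dst": "D702"},
    {"t": 3, "kind": "proc_create_4688", "src": "D702", "dst": "D702"},
    {"t": 4, "kind": "logon_4624", "src": "D702", "dst": "D703"},
]


def build_graph(events):
    """Return (features, edges).

    features maps each node to its ordered feature vector labels (F1, F2, ...);
    every event contributes one feature to the node it lands on. edges holds
    (t, src, dst, kind) for events that connect two different entities.
    """
    features = defaultdict(list)
    edges = []
    for e in sorted(events, key=lambda ev: ev["t"]):
        vec = features[e["dst"]]
        vec.append((f"F{len(vec) + 1}", e["kind"]))
        if e["src"] != e["dst"]:
            edges.append((e["t"], e["src"], e["dst"], e["kind"]))
    return dict(features), edges


def extract_paths(edges, start):
    """Enumerate maximal time-ordered node sequences beginning at `start`.

    Following the time-progression arrows means each hop must occur later
    than the previous one; nodes are not revisited within a path.
    """
    out = defaultdict(list)
    for t, src, dst, _ in edges:
        out[src].append((t, dst))
    paths = []

    def walk(node, after, path):
        nxt = [(t, d) for t, d in out.get(node, []) if t > after and d not in path]
        if not nxt:
            paths.append(path)
            return
        for t, d in nxt:
            walk(d, t, path + [d])

    walk(start, float("-inf"), [start])
    return paths
```

Running `extract_paths(build_graph(EVENTS)[1], "U701")` yields the single path U701, D702, D703, while node D702 carries F1 (logon) and F2 (process creation) as in the quoted description.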


Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over DURAIRAJ-FELLOWS-STOKES in view of BISWAS (US20200128047A1), based on the priority of its Indian provisional application No. 201841039632.

Regarding claim 3, DURAIRAJ-FELLOWS-STOKES teaches all limitations of claim 2. However, DURAIRAJ-FELLOWS-STOKES does not teach “wherein: the first graph is associated with a pre-boot activity on the first host device, and the second graph is associated with a post-boot activity on the first host device.”
In analogous teaching BISWAS teaches “wherein: the first graph is associated with a pre-boot activity on the first host device, and the second graph is associated with a post-boot activity on the first host device.” ([BISWAS, para. 0196, Fig. 4] “In various examples, as users perform various activities in the cloud application, each activity can be recorded and stored as an audit event. Sequences of events can then be mapped to a graph, for example starting from a service's entry point (e.g. a login) through various actions that can be taken using the service (e.g., reading pages, modifying pages, etc.), and to an end point of the user's activity (e.g. user logout). The sequence of events can include events for a given time window (e.g., one day), and can be used to generate a graph such as is illustrated in FIG. 4.”) ([BISWAS, para. 0108] “In various examples activity data can include information about system status or activity of a cloud system such as, for example, server activity, server reboots”).
Thus, given the teaching of BISWAS, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of graphs showing pre-boot and post-boot activity as taught by BISWAS into the teaching of a method for determining malicious activity through multiple devices taught by DURAIRAJ-FELLOWS-STOKES. One of ordinary skill in the art would have been motivated to do so because BISWAS recognizes the benefits of using a graph-based approach to detect anomalous activity. ([BISWAS, para. 0037] “When the actions do correspond to the graph, the system can recommend that the security control or security policy that triggered the alert be modified. In various examples, the graphs can also be used to determine whether any user's actions are anomalous as compared to earlier behavior.”)


The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
PARK (US-20180159876-A1) teaches an automated method for processing security events. It begins by building an initial version of a knowledge graph based on security information received from structured data sources. The initial version of the knowledge graph is then augmented with the entities and relationships extracted from unstructured data sources to build a new version of the knowledge graph that consolidates the intelligence received from the structured data sources and the unstructured data sources. The new version is then used to process security event data.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AFAQ ALI whose telephone number is (571)272-1571. The examiner can normally be reached Mon - Fri 7:30am - 5:30pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/AFAQ ALI/Examiner, Art Unit 2434
/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434