Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


DETAILED ACTION
This initial office action has been issued in response to patent application 17/013209, filed on 04 September 2020 with a provisional date of 22 October 2019.  Claims 1-20, as originally filed, are currently pending and have been considered below.


Information Disclosure Statement
The information disclosure statement filed 09/04/2020 complies with the provisions of 37 CFR 1.97, 1.98 and MPEP § 609 and the information referred to therein has been considered as to the merits.  



Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.



Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Crabtree et al. (US 2022/0060509 A1, provisional date 10/04/2017).

Claim 1:
With respect to claim 1, Crabtree et al. discloses a method (method for detecting and preventing lateral movement in real-time using local session monitors, Figure 20) comprising: 
receiving, at a computer system, session information relating to a current session (request details may be logged such as the user's name and any relevant host information such as hardware or software configurations, When an authentication ticket (e.g. Ticket-granting Ticket or Service Ticket) is issued, ticket details may be recorded 1330 such as the start time, expiration window, user name, host information such as software or hardware configuration, or other session-specific information, 0121, Figure 13) and one or more previous sessions in which a network is accessed by a particular user (The authenticated session details may then be recorded 1340 and monitored throughout the session, 0121) (When the user accesses a network resource using their authenticated session 1430, the details of the session are again checked against the logged details 1440, 0122);
evaluating, by the computer system, network activity (real-time using local session monitors, 0087), wherein the evaluating includes:
a first evaluation of a point of an entry into the network for the current session, wherein the first evaluation includes a ranking of the point of entry relative to other computer systems in the network (a minor network router with a potential firewall vulnerability may have a comparatively low risk itself, but have a direct connection to a database storing customer personal information; this may be used to infer a context-based risk score for the router that is much higher than the original, 0116) (This initial analysis may then be used to apply risk attributes to the hosts and connections within the network map, producing an initial attack path map indicating the risk attributes for each host and connection within a given network path 1730, 0117); and
a second evaluation of timing of the current session relative to previous session timing for the particular user (session-specific details such as data or timestamp information, 0110) (authentication record may simply be a valid timestamp on an authentication ticket, or may be a specific event log generated when a user authenticates, or any other record that is created at the moment of authentication, 0120) (account last login (date and time of last login), 0145);
determining, by the computer system, whether a score (calculated risk score, 0115-0116) based on the evaluating is indicative of whether anomalous lateral movement is present within the network (analyze the network map and the logged host and session details from the local session monitors, and determine a plurality of risk attributes for each host and connection, 0114) (These paths are in turn analyzed 1630 and risk-weighted by applying a plurality of risk attributes, calculated risk score, 0115-0116) (If a mismatch occurs, this may indicate that the session has been tampered with or falsified such as in a pass-the-ticket type attack, 0122) (mismatch indicates lateral movement, Figure 20, 2050).

Claims 2, 10, 18:
With respect to claims 2, 10, 18, Crabtree et al. discloses wherein the second evaluation is based on a user profile created using history data (an authentication session record indicating that the user account, 0120) (request details may be logged such as the user's name and any relevant host information such as hardware or software configurations, When an authentication ticket (e.g. Ticket-granting Ticket or Service Ticket) is issued, ticket details may be recorded 1330 such as the start time, expiration window, user name, host information such as software or hardware configuration, or other session-specific information, 0121, Figure 13) in secure shell session (SSH) logs for the particular user (At subsequent hosts or access attempts, the security event logs may be checked 2040 by a local session monitor to determine whether the expected authentication path was followed by the user, 0120) (system logs from servers and workstations on the network 323, 0129).

Claims 3, 11:
With respect to claims 3, 11, Crabtree et al. discloses wherein the second evaluation is performed by applying principal component analysis on data in the user profile in order to determine timing anomalies for login activities of the particular user (The paths, risk attributes, and context-aware risk scoring may then be compared 1650 against stored risk thresholds or other risk configuration settings and those paths that exceed the configured parameters may be composited 1660 to produce an attack path map, that indicates what are likely attack paths based on known potential paths and an analysis of all available risk information. This context-aware risk analysis and network mapping thus produces an effective analysis of paths, 0116).

Claim 4:
With respect to claim 4, Crabtree et al. discloses wherein the second evaluation is based on history data regarding logins by the particular user (session-specific details such as data or timestamp information, 0110) (authentication record may simply be a valid timestamp on an authentication ticket, or may be a specific event log generated when a user authenticates, or any other record that is created at the moment of authentication, 0120) (account last login (date and time of last login), 0145), and wherein the second evaluation is also based on information indicative of the activity of the particular user during the current session (request details may be logged such as the user's name and any relevant host information such as hardware or software configurations, When an authentication ticket (e.g. Ticket-granting Ticket or Service Ticket) is issued, ticket details may be recorded 1330 such as the start time, expiration window, user name, host information such as software or hardware configuration, or other session-specific information, 0121, Figure 13).

Claim 5:
With respect to claim 5, Crabtree et al. discloses wherein the first evaluation includes generating a prevalence value for the point of entry using user graphs and a population graph (creating and store a cyber-physical graph of the computer network using the event log, wherein the vertices of the cyber-physical graph represent directory access protocol objects and the edges of the cyber-physical graph represent the relationships between those objects; performing a plurality of queries over time on the cyber-physical graph a cyberattack parameter of interest, 0066) (A graph engine builds a cyber-physical graph, 0095).

Claims 6, 13, 19:
With respect to claims 6, 13, 19, Crabtree et al. discloses wherein the evaluating includes:
a further evaluation of whether the particular user has an active Wi-Fi or virtual private network (VPN) connection to the network (cyber-physical graph 600 showing various pathways, The possible configurations of this graph 600 are as numerous as the amount of ways to configure an enterprise IT environment, 0140, Figure 6) (implemented in one or more virtualized computing environments (e.g., network computing clouds, virtual machines hosted on one or more physical computing machines, or other appropriate virtual environments), 0165).

Claims 7, 14, 20:
With respect to claims 7, 14, 20, Crabtree et al. discloses wherein the evaluating includes:
a further evaluation of whether network activity associated with the particular user is anomalous to other users designated as peers to the particular user (Examples of anomalous activities may include a user attempting to gain access to several workstations or servers in rapid succession, or a user attempting to gain access to a domain server or server with sensitive information using random userIDs or another user's userID and password, 0128).

Claim 8:
With respect to claim 8, Crabtree et al. discloses wherein the evaluating includes:
a third evaluation of whether the particular user has an active Wi-Fi or virtual private network (VPN) connection to the network (cyber-physical graph 600 showing various pathways, The possible configurations of this graph 600 are as numerous as the amount of ways to configure an enterprise IT environment, 0140, Figure 6) (implemented in one or more virtualized computing environments (e.g., network computing clouds, virtual machines hosted on one or more physical computing machines, or other appropriate virtual environments), 0165); and
a fourth evaluation of whether network activity associated with the particular user is anomalous to other users designated as peers to the particular user (Examples of anomalous activities may include a user attempting to gain access to several workstations or servers in rapid succession, or a user attempting to gain access to a domain server or server with sensitive information using random userIDs or another user's userID and password, 0128).

Claim 9:
With respect to claim 9, Crabtree et al. discloses a non-transitory, computer-readable medium (include nontransitory machine-readable storage media, 0172) having program instructions stored thereon that are capable of causing a computing system to implement operations comprising: 
determining that a particular user has a current session active with a computing device of a network (When local session monitors are installed on network hosts 2010, they may be used for active session monitoring, the local session monitor on that host may check for, and validate, an authentication session record indicating that the user account was properly authenticated by an authentication-granting entity such as a domain controller within the network 2020, 0120); 
evaluating information to detect anomalous lateral movement within the network (method for detecting and preventing lateral movement in real-time using local session monitors, Figure 20),
wherein the information relates to the current session (request details may be logged such as the user's name and any relevant host information such as hardware or software configurations, When an authentication ticket (e.g. Ticket-granting Ticket or Service Ticket) is issued, ticket details may be recorded 1330 such as the start time, expiration window, user name, host information such as software or hardware configuration, or other session-specific information, 0121, Figure 13)
and one or more additional sessions within the network (The authenticated session details may then be recorded 1340 and monitored throughout the session, 0121) (When the user accesses a network resource using their authenticated session 1430, the details of the session are again checked against the logged details 1440, 0122), and 
wherein the evaluating includes: 
assessing a point of entry for the current session using an algorithm (path search algorithms, 0140) that determines a prevalence of the point of entry relative to other computer systems in the network (a minor network router with a potential firewall vulnerability may have a comparatively low risk itself, but have a direct connection to a database storing customer personal information; this may be used to infer a context-based risk score for the router that is much higher than the original, 0116) (This initial analysis may then be used to apply risk attributes to the hosts and connections within the network map, producing an initial attack path map indicating the risk attributes for each host and connection within a given network path 1730, 0117); and 
assessing timing of the current session using history information for the particular user (session-specific details such as data or timestamp information, 0110) (authentication record may simply be a valid timestamp on an authentication ticket, or may be a specific event log generated when a user authenticates, or any other record that is created at the moment of authentication, 0120) (account last login (date and time of last login), 0145);
determining whether the evaluating is indicative of anomalous lateral movement within the network (analyze the network map and the logged host and session details from the local session monitors, and determine a plurality of risk attributes for each host and connection, 0114) (These paths are in turn analyzed 1630 and risk-weighted by applying a plurality of risk attributes, calculated risk score, 0115-0116) (If a mismatch occurs, this may indicate that the session has been tampered with or falsified such as in a pass-the-ticket type attack, 0122) (mismatch indicates lateral movement, Figure 20, 2050).

Claim 12:
With respect to claim 12, Crabtree et al. discloses wherein the evaluating further includes assessing behavior of the particular user during the current session (network and system user behavior analytics 332, 0129).

Claim 15:
With respect to claim 15, Crabtree et al. discloses a method (method for detecting and preventing lateral movement in real-time using local session monitors, Figure 20), comprising: 
receiving, at a computer system, session information relating to a current session (request details may be logged such as the user's name and any relevant host information such as hardware or software configurations, When an authentication ticket (e.g. Ticket-granting Ticket or Service Ticket) is issued, ticket details may be recorded 1330 such as the start time, expiration window, user name, host information such as software or hardware configuration, or other session-specific information, 0121, Figure 13) and one or more previous sessions in which a network is accessed (The authenticated session details may then be recorded 1340 and monitored throughout the session, 0121) (When the user accesses a network resource using their authenticated session 1430, the details of the session are again checked against the logged details 1440, 0122);
evaluating, by the computer system, network activity that includes network activity associated with a particular user (real-time using local session monitors, 0087),
wherein the evaluating includes determining a score (calculated risk score, 0115-0116) based on at least two of the following sub-models: 
a first sub-model that ranks a network point of entry for the particular user relative to other network computer systems (a minor network router with a potential firewall vulnerability may have a comparatively low risk itself, but have a direct connection to a database storing customer personal information; this may be used to infer a context-based risk score for the router that is much higher than the original, 0116) (This initial analysis may then be used to apply risk attributes to the hosts and connections within the network map, producing an initial attack path map indicating the risk attributes for each host and connection within a given network path 1730, 0117);

a second sub-model that detects anomalous timing of activity relative to a history of sessions associated with the particular user (session-specific details such as data or timestamp information, 0110) (authentication record may simply be a valid timestamp on an authentication ticket, or may be a specific event log generated when a user authenticates, or any other record that is created at the moment of authentication, 0120) (account last login (date and time of last login), 0145);
a third sub-model that determines whether permissible network connection types are currently active (cyber-physical graph 600 showing various pathways, The possible configurations of this graph 600 are as numerous as the amount of ways to configure an enterprise IT environment, 0140, Figure 6) (implemented in one or more virtualized computing environments (e.g., network computing clouds, virtual machines hosted on one or more physical computing machines, or other appropriate virtual environments), 0165); and
a fourth sub-model that detects anomalous activity during the current session relative to peers of the particular user (Examples of anomalous activities may include a user attempting to gain access to several workstations or servers in rapid succession, or a user attempting to gain access to a domain server or server with sensitive information using random userIDs or another user's userID and password, 0128); and
determining, by the computer system based on the score, whether anomalous lateral movement is present within the network (analyze the network map and the logged host and session details from the local session monitors, and determine a plurality of risk attributes for each host and connection, 0114) (These paths are in turn analyzed 1630 and risk-weighted by applying a plurality of risk attributes, calculated risk score, 0115-0116) (If a mismatch occurs, this may indicate that the session has been tampered with or falsified such as in a pass-the-ticket type attack, 0122) (mismatch indicates lateral movement, Figure 20, 2050).
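Added illustration, not code from the application or from Crabtree et al.: a toy Python scorer that combines the four sub-models recited in claims 1 and 15 (point-of-entry ranking by prevalence, login timing against the user's own history, whether a permissible connection type is active, and comparison to designated peers) into one risk score compared against a threshold. All sessions, hosts, peer groups, weights and the threshold are constructed values.

```python
"""Toy lateral-movement risk score built from four sub-models.
Constructed example: sessions, hosts, weights and threshold are invented
for illustration and are not from the application or the cited reference."""
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Session:
    user: str
    entry_host: str           # host through which the session entered the network
    login_hour: int           # 0-23, hour of the authentication ticket timestamp
    hosts_accessed: int       # distinct hosts reached during the session
    vpn_or_wifi_active: bool  # a permissible connection type is currently active

# Constructed history of previous sessions across several users (the population).
HISTORY = [
    Session("alice", "vpn-gw1", 9, 2, True), Session("alice", "vpn-gw1", 10, 3, True),
    Session("alice", "vpn-gw1", 8, 2, True), Session("alice", "wifi-ap2", 9, 2, True),
    Session("bob", "vpn-gw1", 9, 3, True), Session("bob", "vpn-gw1", 11, 2, True),
    Session("carol", "vpn-gw1", 8, 2, True), Session("carol", "vpn-gw1", 10, 3, True),
]
PEERS = {"alice": ["bob", "carol"], "bob": ["alice", "carol"], "carol": ["alice", "bob"]}

def entry_point_score(cur, history):
    """Sub-model 1: rank the point of entry by how rarely the population used it.
    An entry host never seen in previous sessions gets the maximum risk (1.0)."""
    counts = {}
    for s in history:
        counts[s.entry_host] = counts.get(s.entry_host, 0) + 1
    seen = counts.get(cur.entry_host, 0)
    return 1.0 - seen / len(history)

def timing_score(cur, history):
    """Sub-model 2: z-score of the login hour against this user's own history."""
    hours = [s.login_hour for s in history if s.user == cur.user]
    if len(hours) < 2:
        return 0.5  # too little history to judge; neutral value
    sd = pstdev(hours) or 1.0
    z = abs(cur.login_hour - mean(hours)) / sd
    return min(z / 3.0, 1.0)  # saturate at three standard deviations

def connection_score(cur):
    """Sub-model 3: an internal session with no permissible connection type
    active (no VPN, no Wi-Fi) is treated as fully suspicious."""
    return 0.0 if cur.vpn_or_wifi_active else 1.0

def peer_score(cur, history, peers):
    """Sub-model 4: hosts touched this session versus the peers' typical count."""
    peer_counts = [s.hosts_accessed for s in history if s.user in peers.get(cur.user, [])]
    if not peer_counts:
        return 0.5
    typical = mean(peer_counts)
    return min(max(cur.hosts_accessed - typical, 0.0) / (3 * typical), 1.0)

WEIGHTS = (0.3, 0.3, 0.2, 0.2)  # constructed weights for the four sub-models
THRESHOLD = 0.5                 # constructed decision threshold

def lateral_movement_score(cur, history=HISTORY, peers=PEERS):
    """Weighted combination of the sub-models; returns (score, is_anomalous)."""
    parts = (entry_point_score(cur, history), timing_score(cur, history),
             connection_score(cur), peer_score(cur, history, peers))
    score = sum(w * p for w, p in zip(WEIGHTS, parts))
    return score, score >= THRESHOLD
```

A single rare entry point does not by itself cross the threshold; the score only reaches it when several sub-models agree, which is the point of combining them.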

Claim 16:
With respect to claim 16, Crabtree et al. discloses wherein the evaluating includes using the first sub-model and the third sub-model, and wherein the computer system does not implement the second sub-model and the fourth sub-model (cyber-physical graph 600 showing various pathways, The possible configurations of this graph 600 are as numerous as the amount of ways to configure an enterprise IT environment, 0140, Figure 6).

Claim 17:
With respect to claim 17, Crabtree et al. discloses wherein the score is determined based on the first sub-model (implemented in one or more virtualized computing environments (e.g., network computing clouds, virtual machines hosted on one or more physical computing machines, or other appropriate virtual environments), 0165) and at least one of the other sub-models (Examples of anomalous activities may include a user attempting to gain access to several workstations or servers in rapid succession, or a user attempting to gain access to a domain server or server with sensitive information using random userIDs or another user's userID and password, 0128).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see PTO Form 892).

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Helai Salehi whose telephone number is 571-270-7468.  The examiner can normally be reached on Monday - Friday from 9 am to 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jeff Pwu, can be reached on 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HELAI SALEHI/           Examiner, Art Unit 2433

/JEFFREY C PWU/           Supervisory Patent Examiner, Art Unit 2433