DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that use the word “means” or “step” but are nonetheless not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph because the claim limitation(s) recite(s) sufficient structure, materials, or acts to entirely perform the recited function.  Such claim limitation(s) is/are: “hardware processor generate/derive/build/identify/perform” in claim 1; “hardware processor is configured to access” in claim 2; “hardware processor is configured to generate/present” and “user interface is configured to display” in claim 3; “hardware processor is configured to generate/present” and “user interface is configured to display” in claim 4; “hardware processor configured to access” and “detection tools configured to detect” in claim 5; “hardware processor is configured to analyze/identify/determine” in claim 8; and “hardware processor is configured to access” in claim 10.
Because this/these claim limitation(s) is/are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are not being interpreted to cover only the corresponding structure, material, or acts described in the specification as performing the claimed function, and equivalents thereof.
If applicant intends to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to remove the structure, materials, or acts that performs the claimed function; or (2) present a sufficient showing that the claim limitation(s) does/do not recite sufficient structure, materials, or acts to perform the claimed function.


Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-18 of U.S. Patent No. 10,958,667.  Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application are anticipated by the earlier filed patented claims in that the claims of the patent contain all of the limitations of the instant application.  Claims 1-20 of the instant application therefore are not patentably distinct from the earlier filed patented claims, and as such, is unpatentable for obvious-type double patenting.

17/131,473
1. A system, comprising:
   a memory; and
   a hardware processor coupled to the memory and configured to:
   generate a single node graph for each of multiple threat artifacts;
   derive an intermediate node based on two of the multiple threat artifacts;
   build a composite node graph that represents a current threat status, wherein the composite node graph includes the single node graphs and the intermediate node, and wherein the intermediate node connects the single node graphs corresponding to the two of the multiple threat artifacts;
   identify one or more attacks based on an analysis of the composite node graph; and
   perform an action to mitigate the identified one or more attacks.  
2. The system of claim 1, wherein the hardware processor is further configured to access data from one or more data sources and augment the composite node graph with one or more additional nodes that represent data from the one or more data sources that is related to information associated with one or more nodes of the composite node graph.  
3. The system of claim 1, wherein the hardware processor is further configured to: generate a user interface configured to display a graphical representation of the composite node graph; and present artifact information associated with one or more nodes displayed by the graphical representation of the composite node graph, wherein the presented artifact information includes information identifying relationships between the artifact and one or more other artifacts.  
4. The system of claim 1, wherein the hardware processor is further configured to: generate a user interface configured to display a graphical representation of the composite node graph; and present artifact information associated with one or more nodes displayed by the graphical representation of the composite node graph, wherein the presented artifact information includes information identifying relationships between indicators associated with the artifact and one or more other artifacts.  
5. The system of claim 1, wherein the hardware processor is further configured to access information provided by detection tools configured to detect threats.  
6. The system of claim 1, wherein each of the single node graphs include nodes that represent indicators for the artifact and edges that represent relationships between the indicators of the artifact.  
7. The system of claim 6, wherein the single node graphs include nodes having weights associated with a determined maliciousness assigned to the indicators represented by the nodes.  
8. The system of claim 1, wherein the hardware processor is further configured to analyze clusters of nodes in an attack vector of the composite node graph, identify major classes of attack vectors within the composite node graph, or determine distances between nodes associated with malicious entities within the composite node graph.  
9. The system of claim 1, wherein the performing the action to mitigate the identified one or more attacks comprises dynamically adjusting or modifying operation of a security device.  
10. The system of claim 1, wherein the hardware processor is further configured to access phishing emails received by the network of computing resources.  











11. A method, comprising:
   generating a single node graph for each of the multiple threat artifacts;
   derive an intermediate node based on two of multiple threat artifacts;
   building a composite node graph that represents a current threat status, wherein the composite node graph includes the single node graphs and the intermediate node, and wherein the intermediate node connects the single node graphs corresponding to the two of the multiple threat artifacts;
   identifying one or more attacks based on an analysis of the composite node graph; and
   performing an action to mitigate the identified one or more attacks.  
12. The method of claim 11, further comprising: generating a user interface configured to display a graphical representation of the composite node graph; and presenting artifact information associated with one or more nodes displayed by the graphical representation of the composite node graph, wherein the presented artifact information includes information identifying relationships between the artifact and one or more other artifacts.  
13. The method of claim 11, further comprising: generating a user interface configured to display a graphical representation of the composite node graph; and presenting artifact information associated with one or more nodes displayed by the graphical representation of the composite node graph, wherein the presented artifact information includes information identifying relationships between indicators associated with the artifact and one or more other artifacts.  
14. The method of claim 11, further comprising accessing phishing emails received by the network of computing resources.  
15. The method of claim 11, wherein each of the single node graphs include nodes that represent indicators for the artifact and edges that represent relationships between the indicators of the artifact.  
16. The method of claim 15, wherein the single node graphs include nodes having weights associated with a determined maliciousness assigned to the indicators represented by the nodes.  
17. The method of claim 11, wherein performing an action to mitigate the identified one or more attacks comprises dynamically adjusting or modifying operation of a security device.  










18. A non-transitory computer-readable medium whose contents, when executed by a hardware processor of a computing system, cause the computing system to perform a method for mitigating attacks to the computing system, the method comprising:
   generating node graphs for threat artifacts received by the computing system, wherein the node graphs include nodes representing indicators derived from the threat artifacts and edges that represent relationships between the indicators;
   deriving an intermediate node based on two of the multiple threat artifacts;
   combining the generated node graphs and the intermediate node into a composite node graph, wherein the intermediate node connects the single node graphs corresponding to the two of the multiple threat artifacts; and
   performing an action based on an analysis of the composite node graph to dynamically adjust security operations of the computing system.  
19. The non-transitory computer-readable medium of claim 18, wherein the method further comprises: generating a user interface configured to display a graphical representation of the composite node graph; and presenting artifact information associated with one or more nodes displayed by the graphical representation of the composite node graph, {00303181-}-31-Attorney Docket No.: 1303010.226-US3 wherein the presented artifact information includes information identifying relationships between the artifact and one or more other artifacts.  
20. The non-transitory computer-readable medium of claim 18, wherein the node graphs include nodes having weights associated with a determined maliciousness assigned to the indicators represented by the nodes.

10,958,667
1. A system, comprising:
   a memory;
   a hardware processor coupled to the memory and configured to:
   access multiple threat artifacts associated with a network of computing resources;
   generate a single node graph for each of the multiple threat artifacts;
   derive an intermediate node based on two of the multiple threat artifacts;
   build a composite node graph for the network of computing resources that represents a current threat status of the network of computing resources, wherein the composite node graph includes the single node graphs and the intermediate node, and wherein the intermediate node connects the single node graphs corresponding to the two of the multiple threat artifacts;
  identify one or more attacks to the network of computing resources based on an analysis of the composite node graph; and
   perform an action to mitigate the identified one or more attacks to the network of computing resources.  
2. The system of claim 1, wherein the hardware processor is further configured to access data from one or more data sources external to the network of computing resources and augment the composite node graph with one or more additional nodes that represent data from the one or more data sources that is related to information associated with one or more nodes of the composite node graph. {00303197-}2PATENTS Application No.: 15/612,373Attorney Docket No.: 1303010.226-US2  
3. The system of claim 1, wherein the hardware processor is further configured to: generate a user interface configured to display a graphical representation of the composite node graph; and present artifact information associated with one or more nodes displayed by the graphical representation of the composite node graph, wherein the presented artifact information includes information identifying relationships between the artifact and one or more other artifacts of the network of computing resources.  
4. The system of claim 1, wherein the hardware processor is further configured to: generate a user interface configured to display a graphical representation of the composite node graph; and present artifact information associated with one or more nodes displayed by the graphical representation of the composite node graph, wherein the presented artifact information includes information identifying relationships between indicators associated with the artifact and one or more other artifacts of the network of computing resources.  
5. The system of claim 1, wherein the hardware processor is further configured to access information provided by detection tools configured to detect threats to the network of computing resources.  
6. The system of claim 1, wherein each of the single node graphs include nodes that represent indicators for the artifact and edges that represent relationships between the indicators of the artifact. {00303197-}3PATENTS Application No.: 15/612,373Attorney Docket No.: 1303010.226-US2  
7. The system of claim 1, wherein the hardware processor is further configured to analyze clusters of nodes in an attack vector of the composite node graph, identify major classes of attack vectors within the composite node graph, or determine distances between nodes associated with malicious entities within the composite node graph.  
8. The system of claim 1, wherein the hardware processor is further configured to perform an action to dynamically adjust or modify operation of security devices of the network of network resources.  
9. The system of claim 1, wherein the one or more attacks are identified by an attack determination module and wherein the hardware processor is further configured to perform an action to modify operation of the network of computing resources to prevent the one or more attacks identified by the attack determination module.  
10. A method, comprising:
   accessing multiple threat artifacts associated with a network of computing resources;
   generating a single node graph for each of the multiple threat artifacts;
   derive an intermediate node based on two of the multiple threat artifacts;
   building a composite node graph for the network of computing resources that represents a current threat status of the network of computing resources, wherein the composite node graph includes the single node graphs and the intermediate node, and wherein the intermediate node connects the single node graphs corresponding to the two of the multiple threat artifacts;
   identifying one or more attacks to the network of computing resources based on an analysis of the composite node graph; and
   performing an action to mitigate the identified one or more attacks to the network of computing resources.  {00303197-}4PATENTS Application No.: 15/612,373Attorney Docket No.: 1303010.226-US2
11. (Original) The method of claim 10, further comprising: generating a user interface configured to display a graphical representation of the composite node graph; and presenting artifact information associated with one or more nodes displayed by the graphical representation of the composite node graph, wherein the presented artifact information includes information identifying relationships between the artifact and one or more other artifacts of the network of computing resources.  
12. The method of claim 10, further comprising: generating a user interface configured to display a graphical representation of the composite node graph; and presenting artifact information associated with one or more nodes displayed by the graphical representation of the composite node graph, wherein the presented artifact information includes information identifying relationships between indicators associated with the artifact and one or more other artifacts of the network of computing resources.  
13. The method of claim 10, further comprising accessing phishing emails received by the network of computing resources.  
14. The method of claim 10, wherein each of the single node graphs include nodes that represent indicators for the artifact and edges that represent relationships between the indicators of the artifact.  
15. The method of claim 10, wherein performing an action to mitigate the identified one or more attacks to the network of computing resources includes dynamically adjusting or modifying operation of security devices of the network of network resources. {00303197-}5PATENTS Application No.: 15/612,373Attorney Docket No.: 1303010.226-US2  
16. The method of claim 10, wherein performing an action to mitigate the identified one or more attacks to the network of computing resources includes modifying operation of the network of computing resources to prevent future attacks.  
17. A non-transitory computer-readable medium whose contents, when executed by a hardware processor of a computing system, cause the computing system to perform a method for mitigating attacks to the computing system, the method comprising:
   generating a single node graph for each of multiple threat artifacts received by the computing system, wherein the single node graphs include nodes representing indicators derived from the multiple threat artifacts and edges that represent relationships between indicators;
   deriving an intermediate node based on two of the multiple threat artifacts;
   combining the single node graphs and the intermediate node into a composite node graph, wherein the intermediate node connects the single node graphs corresponding to the two of the multiple threat artifacts; and
   performing an action based on an analysis of the composite node graph to dynamically adjust security operations of the computing system.  
18. The non-transitory computer-readable medium of claim 17, wherein the single node graphs include nodes having weights associated with a determined maliciousness assigned to the indicators represented by the nodes.



Claims 1, 11, and 18 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 2, 11, 12, and 20 of U.S. Patent No. 10,785,239.  Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application are anticipated by the earlier filed patented claims in that the claims of the patent contain all of the limitations of the instant application.  Claims 1-20 of the instant application therefore are not patentably distinct from the earlier filed patented claims, and as such, is unpatentable for obvious-type double patenting.

17/131,473

1. A system, comprising:
   a memory; and
   a hardware processor coupled to the memory and configured to:
   generate a single node graph for each of multiple threat artifacts;
   derive an intermediate node based on two of the multiple threat artifacts;
   build a composite node graph that represents a current threat status, wherein the composite node graph includes the single node graphs and the intermediate node, and wherein the intermediate node connects the single node graphs corresponding to the two of the multiple threat artifacts;
   identify one or more attacks based on an analysis of the composite node graph; and
   perform an action to mitigate the identified one or more attacks.  










11. A method, comprising:
   generating a single node graph for each of the multiple threat artifacts;
   derive an intermediate node based on two of multiple threat artifacts;
   building a composite node graph that represents a current threat status, wherein the composite node graph includes the single node graphs and the intermediate node, and wherein the intermediate node connects the single node graphs corresponding to the two of the multiple threat artifacts;
   identifying one or more attacks based on an analysis of the composite node graph; and
   performing an action to mitigate the identified one or more attacks.  










 
18. A non-transitory computer-readable medium whose contents, when executed by a hardware processor of a computing system, cause the computing system to perform a method for mitigating attacks to the computing system, the method comprising:
   generating node graphs for threat artifacts received by the computing system, wherein the node graphs include nodes representing indicators derived from the threat artifacts and edges that represent relationships between the indicators;
   deriving an intermediate node based on two of the multiple threat artifacts;
   combining the generated node graphs and the intermediate node into a composite node graph, wherein the intermediate node connects the single node graphs corresponding to the two of the multiple threat artifacts; and
   performing an action based on an analysis of the composite node graph to dynamically adjust security operations of the computing system.  
10,785,239

20. A system, comprising:
   a memory; and
   a hardware processor coupled to the memory and configured to:
   access multiple threat artifacts associated with a network of computing resources; {00280921-}7PATENTS Application No.: 16/215,491Attorney Docket No.: 1303010.227-US2
   generate a single node graph for each of the multiple threat artifacts, wherein the single node graph for each of the multiple threat artifacts includes a plurality of nodes including a first node representing the corresponding threat artifact and second nodes representing attributes derived from the corresponding threat artifact, wherein the attributes describe the corresponding threat artifact, and wherein one of the second nodes is assigned a predicted maliciousness value based on known maliciousness values of multiple neighboring nodes of the single node graph; and
   build a composite node graph for the network of computing resources that represents a current threat status of the network of computing resources;
   identify one or more attacks to the network of computing resources based on an analysis of the composite node graph; and
   mitigate the identified one or more attacks to the network of computing resources.

11. A method for mitigating attacks to a computing system, the method comprising:
   generating a node graph for a threat artifact received by the computing system, wherein the node graph includes a plurality of nodes including a first node representing the threat artifact and second nodes representing attributes derived from the threat artifact, and edges that each represent a relationship between two of the nodes, wherein the attributes describe the threat artifact, and wherein one of the second nodes representing the attributes is assigned a predicted maliciousness value based on known maliciousness values of multiple other of the plurality of nodes of the node graph; and
   performing an action based on an analysis of the node graph to dynamically adjust security operations of the computing system.  
12. The method of claim 11, further comprising:
   combining the generated node graph with another node graph into a composite node graph, wherein the composite node graph includes one or more intermediate nodes that join unique instances of attributes derived from different artifacts received by the computing system.


1. A non-transitory computer-readable medium whose contents, when executed by a hardware processor, cause the hardware processor to perform a method for mitigating attacks on a computing system, the method comprising:
   generating a node graph for a threat artifact received by the computing system, wherein the node graph includes a plurality of nodes including a first node representing the threat artifact and second nodes representing attributes derived from the threat artifact, and edges that each represent a relationship between two of the nodes, wherein the attributes describe the threat artifact, and wherein one of the second nodes representing the attributes is assigned a predicted maliciousness value based on known maliciousness values of multiple other of the plurality of nodes of the node graph; and performing an action based on an analysis of the node graph to dynamically adjust security operations of the computing system.  
2. The non-transitory computer-readable medium of claim 1, wherein the method further comprises:
   combining the generated node graph with another node graph into a composite node graph, wherein the composite node graph includes one or more intermediate nodes that join unique instances of attributes derived from different artifacts received by the computing system.



Claims 1, 11, and 18 provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 2, 11, 12, and 20 of copending Application No. 17/027,411 (reference application) that has recently been determined to be in conditions for allowance. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application are anticipated by the copending claims of the ‘411 application in that the claims of the ‘411 application contain all of the limitations of the instant application.  Claims 1, 11, and 18 of the instant application therefore are not patentably distinct from the claims of the allowed ‘411 application, and as such, is unpatentable for obvious-type double patenting.

17/131,473

1. A system, comprising:
   a memory; and
   a hardware processor coupled to the memory and configured to:
   generate a single node graph for each of multiple threat artifacts;
   derive an intermediate node based on two of the multiple threat artifacts;
   build a composite node graph that represents a current threat status, wherein the composite node graph includes the single node graphs and the intermediate node, and wherein the intermediate node connects the single node graphs corresponding to the two of the multiple threat artifacts;
   identify one or more attacks based on an analysis of the composite node graph; and
   perform an action to mitigate the identified one or more attacks.  







11. A method, comprising:
   generating a single node graph for each of the multiple threat artifacts;
   derive an intermediate node based on two of multiple threat artifacts;
   building a composite node graph that represents a current threat status, wherein the composite node graph includes the single node graphs and the intermediate node, and wherein the intermediate node connects the single node graphs corresponding to the two of the multiple threat artifacts;
   identifying one or more attacks based on an analysis of the composite node graph; and
   performing an action to mitigate the identified one or more attacks.  












18. A non-transitory computer-readable medium whose contents, when executed by a hardware processor of a computing system, cause the computing system to perform a method for mitigating attacks to the computing system, the method comprising:
   generating node graphs for threat artifacts received by the computing system, wherein the node graphs include nodes representing indicators derived from the threat artifacts and edges that represent relationships between the indicators;
   deriving an intermediate node based on two of the multiple threat artifacts;
   combining the generated node graphs and the intermediate node into a composite node graph, wherein the intermediate node connects the single node graphs corresponding to the two of the multiple threat artifacts; and
   performing an action based on an analysis of the composite node graph to dynamically adjust security operations of the computing system.  

17/027,411

20. A system, comprising:
   a memory; and
   a hardware processor coupled to the memory and configured to:
   access multiple threat artifacts associated with a network of computing resources;
   generate a node graph for each of the multiple threat artifacts, wherein the node graph for each of the multiple threat artifacts includes a plurality of nodes representing attributes derived from the corresponding threat artifact, wherein the attributes describe the corresponding threat artifact, and wherein at least one of the nodes is assigned a predicted maliciousness value based on known maliciousness values of multiple neighboring nodes of the node graph; and
   build a composite node graph for the network of computing resources that represents a current threat status of the network of computing resources; {00288221-}-42-1303010.227-US3
   identify one or more attacks to the network of computing resources based on an analysis of the composite node graph; and
   mitigate the identified one or more attacks to the network of computing resources.

11. A method for mitigating attacks to a computing system, the method comprising:
   generating a node graph for a threat artifact received by the computing system, wherein the node graph includes a plurality of nodes representing attributes derived from the threat artifact, and edges that each represent a relationship between two of the nodes, wherein the attributes describe the threat artifact, and wherein at least one of the nodes is assigned a predicted maliciousness value based on known maliciousness values of multiple other of the plurality of nodes of the node graph; and
   performing an action based on an analysis of the node graph to dynamically adjust security operations of the computing system.  
12. The method of claim 11, further comprising:
   combining the generated node graph with another node graph into a composite node graph, wherein the composite node graph includes one or more intermediate nodes that join unique instances of attributes derived from different artifacts received by the computing system.




1. A non-transitory computer-readable medium whose contents, when executed by a hardware processor, cause the hardware processor to perform a method for mitigating attacks on a computing system, the method comprising:
   generating a node graph for a threat artifact received by the computing system, wherein the node graph includes a plurality of nodes representing attributes derived from the threat artifact, and edges that each represent a relationship between two of the nodes, wherein the attributes describe the threat artifact, and wherein at least one of the nodes is assigned a predicted maliciousness value based on known maliciousness values of multiple other of the plurality of nodes of the node graph; and
   performing an action based on an analysis of the node graph to dynamically adjust security operations of the computing system.  
2. The non-transitory computer-readable medium of claim 1, wherein the method further comprises:
   combining the generated node graph with another node graph into a composite node graph, wherein the composite node graph includes one or more intermediate nodes that join unique instances of attributes derived from different artifacts received by the computing system.



This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.

Allowable Subject Matter
Claims 1-20 are allowed, however the claims are currently rejected under obvious-type double patenting.
The following is a statement of reasons for the indication of allowable subject matter:
Roundy et al, U.S. Patent 9,256,739 discloses of detecting suspicious events using an event correlation graph.  A node is represented by a first actor (executable), a node that represents another actor, and an edge that represents an event, as taught in column 8, lines 31-40.  As argued by the Applicant in the remarks dated October 15, 2019 in application serial number 15/612,373, “deriving an intermediate node based on two of the multiple threat artifacts wherein the two multiple threat artifacts have each been used to generate a single node graph, and building a composite node graph…that includes single node graphs and the intermediate node…wherein the intermediate node connects the single node graph corresponding to the two of the multiple threat artifacts” is not taught by Roundy et al.  “A person of ordinary skill in the art would clearly understand that these as edges being different from the intermediate nodes claimed.”
Claims 1, 11, and 18 of the instant application include similar language that is addressed by the previously submitted Applicant’s arguments, and are allowable for at least these argued points, in combination with the other claim elements.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
CN 114117160 A is relied upon for disclosing of data association points corresponding to data relationships, which include map vertices and graph score lines.  A threat analysis map is built based upon the threat intelligence according to the data association points, see abstract of machine translation.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER A REVAK whose telephone number is (571)272-3794. The examiner can normally be reached 5:30am - 3:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LYNN FEILD can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHRISTOPHER A REVAK/Primary Examiner, Art Unit 2431