DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 3 June 2022 has been entered.

Response to Amendment
This communication is in response to the amendment filed on 3 June 2022.
Claims 1, 3-5, 8, 10, 12, 14-18, and 20 are amended.
Claims 1-20 have been examined. 

Response to Arguments
In response to Applicant’s remarks filed on 3 June 2022:
a.	Applicant's arguments with respect to the 35 U.S.C. 103 rejections of the pending claims have been fully considered but are not deemed persuasive.
	On page 7 of Applicant’s remarks, Applicant addresses independent claim 1, stating the following “Independent claim 1 has been amended based on what was discussed during the Examiner Interview. As discussed, the cited references, alone or in combination, fail to disclose the limitations of…”
	The Office respectfully disagrees with this characterization of the interview. It was not agreed that the cited references fail to disclose the cited limitations. To the contrary, in the interview that occurred on 11 May 2022, the Office cited various portions of Singh, Crabtree, and Choudhury that teach the limitations at issue, as detailed in the interview summary.

	On page 8 of Applicant’s remarks, Applicant argues that the cited prior art fails to teach or suggest the limitations of independent claim 1. Applicant asserts that Singh and Crabtree “do not specifically disclose ‘both of the first node and the second node are connected to a third node representing a device within the time period’ as recited in amended claim 1.” 
	The Office respectfully disagrees with the above remarks. Singh teaches that the data about a user’s network activity is used to update a graph (see Singh col. 39 L35-50). Singh further teaches that a user account for “Bill” is used to escalate privilege to “root1”, and the nodes for user accounts Bill and root are connected to a third node representing server 2852 (see Singh col. 47 L65 to col. 48 L45 and Fig. 28B). Therefore, Singh teaches the limitation as claimed.
	
Claims 8 and 15 recite limitations similar to those of claim 1 and are unpatentable over the prior art for the same reasons that claim 1 is unpatentable, as set forth above.

Claims 2-7, 9-14, and 16-20 are unpatentable over the prior art for the same reasons that claims 1, 8, and 15 are unpatentable, as set forth above.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Singh et al. (U.S. Patent No. 10,419,469 B1, hereinafter referred to as Singh) in view of Crabtree et al. (U.S. Patent Application Publication No. 20180219919 A1, hereinafter referred to as Crabtree).
As to claim 1, Singh teaches a system comprising:
a non-transitory memory storing instructions (see Singh col. 3 L30-47: the invention is embodied as a computer system comprising a memory that provides instructions to a processor); and
one or more hardware processors configured to execute the instructions to cause the system to perform operations comprising (see Singh col. 3 L30-47: the invention is embodied as a computer system comprising a memory that provides instructions to a processor):
receiving an event update associated with a first user account (see Singh col. 39 L35-50: at step 2202, data about a user’s network activity is received), wherein the event update is associated with a transaction conducted between the first user account and a second user account (see Singh col. 47 L65 to col. 48 L33 and Fig. 28B: user account Bill is used to escalate privilege to “root.” Note: As is well-known to those of ordinary skill in the computing arts, “root” refers to a superuser account2.);
determining a graph mutation on a graph-based model, based in part on the event update (Note: The claimed “graph mutation” is interpreted in light of the instant specification to be a change to the graph.  See instant specification para. 0019, which states (emphasis added): “changes (mutations) from the logging database 208, can be ingested by a graph log ingestion module 210.”
see Singh col. 39 L35-50: the data about a user’s network activity is used to update a graph);
ingesting an event log for the graph mutation (see Singh col. 39 L35-50 and Fig. 22: at step 2202, data about a user’s network activity is received);
transforming the ingested event log to a temporal-based journal entry recorded in a temporal-based journal (Note: In accordance with its meaning in the computing arts, “journaling” is interpreted as “Keeping track of events by recording them in a log (the journal)”3. Hence, the claimed “journal entry” is interpreted as a log entry.
see Singh col. 20 L17-27: a graph representing a summary of all activity within a time interval is stored in database 142), wherein the temporal-based journal entry represents a change of a first node corresponding to the first user account in the graph-based model based on a relationship between the first node and a second node corresponding to the second user account in the graph-based model (see Singh col. 47 L65 to col. 48 L33 and Fig. 28B: user account Bill is used to escalate privilege to “root.”);
analyzing a transformation of the graph-based model (see Singh col. 47 L65 to col. 48 L45 and Fig. 28B: analysis of the graph is used to detect nefarious activity and/or a security threat) within a time period based on one or more temporal-based journal entries recorded in the temporal-based journal (see Singh col. 20 L17-27: a graph representing a summary of all activity within a time interval is stored in database 142), wherein the transformation indicates that both of the first node and the second node are connected to a third node representing a device (see Singh col. 47 L65 to col. 48 L45 and Fig. 28B: the nodes for user accounts Bill and root are connected to a third node representing server 2852) within the time period (see Singh col. 20 L17-27: each graph corresponds to a distinct period of time);
determining that the first user account has been used to perform a malicious activity based on the analyzing the transformation (see Singh col. 47 L65 to col. 48 L45 and Fig. 28B: analysis of the graph is used to detect nefarious activity and/or a security threat); and
performing an action based on the determining that the first user account has been used to perform the malicious activity (see Singh col. 47 L65 to col. 48 L45 and Fig. 28B: in response to detecting nefarious activity and/or a security threat, an alert is generated).
Singh does not appear to explicitly disclose receiving, via a wireless network communication; and performing an action to the first user account.
However, Crabtree teaches:
receiving, via a wireless network communication (see Crabtree para. 0096 and Fig. 21: client-server communication over a wireless network), an event update associated with a first user account (see Crabtree para. 0076: user events are logged), wherein the event update is associated with a transaction conducted between the first user account and a second user account (see Crabtree para. 0078: the system identifies a user adding a new user; Note: Crabtree’s user adding a new user corresponds to the claimed “transaction conducted between the first user account and a second user account”);
ingesting an event log (see Crabtree para. 0076: user events are logged);
transforming an ingested event log to a temporal-based journal entry recorded in a temporal-based journal (see Crabtree para. 0068: logging service 530 transforms requests and messages into an event log; and see Crabtree para. 0079: events are logged as time-series data), wherein the temporal-based journal entry represents a change of a first node corresponding to the first user account in the graph-based model based on a relationship between the first node and a second node corresponding to the second user account in the graph-based model (see Crabtree para. 0076: cyber-physical system graph (CPG) represents relationships between users, servers, devices, and other resources in a security infrastructure, and logged events are used to update cyber-physical system graph (CPG) to reflect changes over time; see Crabtree para. 0078: the system identifies a user adding a new user);
analyzing a transformation of the graph-based model within a time period based on one or more temporal-based journal entries recorded in the temporal-based journal (see Crabtree para. 0072: the system performs cybersecurity behavioral analytics to analyze behavior patterns based on a directed computational graph (DCG) 155; and see Crabtree para. 0049: system processing is performed over regular timing intervals), wherein the transformation indicates that both of the first node and the second node are connected to a third node representing a device (see Crabtree para. 0076: cyber-physical system graph (CPG) represents relationships between users, servers, devices, and other resources in a security infrastructure, and logged events are used to update cyber-physical system graph (CPG) to reflect changes over time; see Crabtree para. 0078: the system identifies a user adding a new user) within the time period (see Crabtree para. 0049: system processing is performed over regular timing intervals; and see Crabtree para. 0078: time-series data is analyzed);
determining that the first user account has been used to perform a malicious activity based on the analyzing the transformation (see Crabtree para. 0072: the cybersecurity behavioral analytics detects malicious activity; and see Crabtree para. 0073: the detected malicious activity may be the result of a human actor or an automated software “bot”); and
performing an action to the first user account based on the determining that the first user account has been used to perform the malicious activity (see Crabtree para. 0072-0073: in response to detecting the malicious activity, the system automatically implements security suggestions to defend against the bad actor).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to have modified Singh to include the teachings of Crabtree because Crabtree’s automated behavioral learning “provides a much more responsive solution than manual intervention, enabling rapid response to threats to mitigate any potential impact” (see Crabtree para. 0073).

As to claim 2, Singh as modified by Crabtree teaches wherein the operations further comprise:
documenting the graph mutation in the event log (Note: The claimed “graph mutation” is interpreted in light of the instant specification to be a change to the graph.  See instant specification para. 0019, which states (emphasis added): “changes (mutations) from the logging database 208, can be ingested by a graph log ingestion module 210.”
see Singh col. 39 L35-50 and Fig. 22: the received data is data about a user login activity, which is used to update a graph; and see Singh col. 37 L3-14 and Fig. 1: user login data is stored in database 142 of platform 102; and see Crabtree para. 0068: logging service 530 transforms requests and messages into an event log; and see Crabtree para. 0076: cyber-physical system graph (CPG) represents relationships between users, servers, devices, and other resources in a security infrastructure, and logged events are used to update cyber-physical system graph (CPG) to reflect changes over time); and
storing the event log (see Singh col. 37 L3-14 and Fig. 1: user login data is stored in database 142 of platform 102; and see Crabtree para. 0076: user events are logged).

As to claim 3, Singh as modified by Crabtree teaches wherein the operations further comprise:
ingesting a graph mutation simulation that simulates the graph mutation (see Crabtree para. 0050 and Fig. 1: simulation module 125 directs graph module 155 to transform a graph for producing a simulation).

As to claim 4, Singh as modified by Crabtree teaches wherein the graph mutation simulation is created by an external graph builder (see Crabtree para. 0050 and Fig. 1: graph stack service module 145 represents data in graphical form).

As to claim 5, Singh as modified by Crabtree teaches wherein the operations further comprise:
deploying queries using the temporal-based journal entry (see Crabtree para. 0064: simulation capabilities of the system enable a variety of queries).

As to claim 6, Singh as modified by Crabtree teaches wherein the temporal-based journal entry is vertex centric (Note: As is well known to those of ordinary skill in the art, in graph theory the term “vertex” is synonymous with “node.”4
see Singh col. 20 L17-27: a graph representing a summary of all activity within a time interval is stored in database 142; and see Singh col. 49 L58 to col. 50 L2 and Fig. 32: graph 3200 is centered around nodes that represent users; in the illustrative example in Fig. 32, there are nodes for the user “Bill” and the user “root” 3208).

As to claim 7, Singh as modified by Crabtree teaches wherein the graph mutation includes a timestamp associated with the change of the first node (see Singh col. 20 L17-27: a graph representing a summary of all activity within a time interval is stored in database 142; and see Singh col. 5 L43-48: each event has an associated timestamp).

As to claim 8, Singh teaches a method comprising:
receiving, by one or more hardware processors (see Singh col. 3 L30-47: the method of the invention is performed by a computer comprising a processor),  an event log associated with a first user account (see Singh col. 39 L35-50 and Fig. 22: at step 2202, data about a user’s network activity is received), wherein the event log indicates a transaction conducted between the first user account and a second user account (see Singh col. 47 L65 to col. 48 L33 and Fig. 28B: user account Bill is used to escalate privilege to “root.” Note: As is well-known to those of ordinary skill in the computing arts, “root” refers to a superuser account5.);
determining a change of a first node corresponding to the first user account in a graph (see Singh col. 39 L35-50: the data about a user’s network activity is used to update a graph; and see Singh col. 47 L65 to col. 48 L33 and Fig. 28B: user account Bill is used to escalate privilege to “root.”) based on the event log (see Singh col. 39 L35-50 and Fig. 22: at step 2202, data about a user’s network activity is received; and see Singh col. 45 L31-45 and Fig. 26: the received data is log data);
determining a timestamp (see Singh col. 5 L43-46: each event has an associated timestamp) and a characteristic associated with the change based on a relationship between the first node and a second node corresponding to the second user account in the graph (see Singh col. 47 L65 to col. 48 L45 and Fig. 28B: user account Bill is used to escalate privilege to “root,” and analysis of the graph is used to detect nefarious activity and/or a security threat. );
generating a temporal graph-based journal entry representing the change of the first node in association with the second node, the timestamp, and the characteristic (Note: In accordance with its meaning in the computing arts, the claimed “journaling” is interpreted as “Keeping track of events by recording them in a log (the journal)”6.
see Singh col. 20 L17-27: a graph representing a summary of all activity within a time interval is stored in database 142; and see Singh col. 5 L43-46: each event has an associated timestamp);
storing the temporal graph-based journal entry in a temporal-based journal within a physical data store (see Singh col. 20 L17-27: a graph representing a summary of all activity within a time interval is stored in database 142);
analyzing, by the one or more hardware processors, a transformation of the graph (see Singh col. 47 L65 to col. 48 L45 and Fig. 28B: analysis of the graph is used to detect nefarious activity and/or a security threat) within a time period (see Singh col. 20 L17-27: each graph corresponds to a distinct period of time) based on one or more temporal-based journal entries from the temporal-based journal (see Singh col. 20 L17-27: a graph representing a summary of all activity within a time interval is stored in database 142), wherein the transformation indicates that both of the first node and the second node are connected to a third node representing a device (see Singh col. 47 L65 to col. 48 L45 and Fig. 28B: the nodes for user accounts Bill and root are connected to a third node representing server 2852) within the time period (see Singh col. 20 L17-27: each graph corresponds to a distinct period of time);
determining, by the one or more hardware processors, that the first user account has been used to perform a malicious activity based on the analyzing the transformation (see Singh col. 47 L65 to col. 48 L45 and Fig. 28B: analysis of the graph is used to detect nefarious activity and/or a security threat); and
performing, by the one or more hardware processors, an action based on the determining that the first user account has been used to perform the malicious activity (see Singh col. 47 L65 to col. 48 L45 and Fig. 28B: in response to detecting nefarious activity and/or a security threat, an alert is generated).
Singh does not appear to explicitly disclose performing, by one or more hardware processors, an action to the first user account.
However, Crabtree teaches:
receiving, by one or more hardware processors (see Crabtree para. 0086-0087 and Fig. 19: the method of the invention is performed by computing device 10 comprising one or more central processing units (CPU) 12), an event log associated with a first user account (see Crabtree para. 0079: events are logged), wherein the event log indicates a transaction conducted between the first user account and a second user account (see Crabtree para. 0078: the system identifies a user adding a new user; Note: Crabtree’s user adding a new user corresponds to the claimed “transaction conducted between the first user account and a second user account”);
determining a change of a first node corresponding to the first user account in a graph based on the event log (see Crabtree para. 0076: cyber-physical system graph (CPG) represents relationships between users, servers, devices, and other resources in a security infrastructure, and logged events are used to update cyber-physical system graph (CPG) to reflect changes over time; see Crabtree para. 0078: the system identifies a user adding a new user);
determining a timestamp (see Crabtree para. 0061: timestamps are associated with ongoing changes) and a characteristic associated with the change (see Crabtree para. 0072: cybersecurity behavioral analytics detects malicious activity) based on a relationship between the first node and a second node corresponding to the second user account in the graph (see Crabtree para. 0076: cyber-physical system graph (CPG) represents relationships between users, servers, devices, and other resources in a security infrastructure, and logged events are used to update cyber-physical system graph (CPG) to reflect changes over time; and see Crabtree Fig. 5: an illustrative example of the graph visualization is shown, depicting relationships between actors 512a-d);
generating a temporal graph-based journal entry (Note: In accordance with its meaning in the computing arts, the claimed “journaling” is interpreted as “Keeping track of events by recording them in a log (the journal)”7.
see Crabtree para. 0068: logging service 530 transforms requests and messages into an event log; and see Crabtree para. 0079: events are logged as time-series data) representing the change of the first node in association with the second node (see Crabtree para. 0076: cyber-physical system graph (CPG) represents relationships between users, servers, devices, and other resources in a security infrastructure, and logged events are used to update cyber-physical system graph (CPG) to reflect changes over time; and see Crabtree Fig. 5: an illustrative example of the graph visualization is shown, depicting relationships between actors 512a-d), the timestamp (see Crabtree para. 0061: timestamps are associated with ongoing changes), and the characteristic (see Crabtree para. 0072: cybersecurity behavioral analytics detects malicious activity);
storing the temporal graph-based journal entry in a temporal-based journal within a physical datastore (see Crabtree para. 0068: logging service 530 transforms requests and messages into an event log; and see Crabtree para. 0079: events are logged as time-series data);
analyzing, by one or more hardware processors (see Crabtree para. 0092: the method of the invention is performed by a computer comprising a processor), a transformation of the graph within a time period based on one or more temporal-based journal entries from the temporal-based journal (see Crabtree para. 0072: the system performs cybersecurity behavioral analytics to analyze behavior patterns based on a directed computational graph (DCG) 155; and see Crabtree para. 0049: system processing is performed over regular timing intervals), wherein the transformation indicates that both of the first node and the second node are connected to a third node representing a device within the time period (see Crabtree para. 0076: cyber-physical system graph (CPG) represents relationships between users, servers, devices, and other resources in a security infrastructure, and logged events are used to update cyber-physical system graph (CPG) to reflect changes over time; and see Crabtree para. 0078: the system identifies a user adding a new user);
determining, by the one or more hardware processors, that a first user account has been used to perform a malicious activity based on the analyzing the transformation (see Crabtree para. 0072: the cybersecurity behavioral analytics detects malicious activity; and see Crabtree para. 0073: the detected malicious activity may be the result of a human actor or an automated software “bot”); and
performing, by the one or more hardware processors, an action to the first user account based on the determining that the first user account has been used to perform the malicious activity (see Crabtree para. 0072-0073: in response to detecting the malicious activity, the system automatically implements security suggestions to defend against the bad actor).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to have modified Singh to include the teachings of Crabtree because Crabtree’s automated behavioral learning “provides a much more responsive solution than manual intervention, enabling rapid response to threats to mitigate any potential impact” (see Crabtree para. 0073).

As to claim 9, Singh as modified by Crabtree teaches further comprising: 
simulating a graph mutation based on the event log (see Crabtree para. 0050 and Fig. 1: simulation module 125 directs graph module 155 to transform a graph for producing a simulation).

As to claim 10, Singh as modified by Crabtree teaches further comprising:
in response to a query comprising a particular time that corresponds to the
timestamp, accessing the temporal graph-based journal entry from the physical data store (see Singh col. 50 L50-67 and Fig. 33: a user queries the dataset for events during a given time period and the system dynamically generates structured query language (SQL) queries to retrieve the requested data).

As to claim 11, Singh as modified by Crabtree teaches further comprising:
generating a journal entry snapshot for the event log (see Singh col. 18 L57 to col. 19 L8: ongoing hourly snapshots are created for activities in a datacenter).

As to claim 12, Singh as modified by Crabtree teaches wherein the transaction comprises a purchase transaction for purchasing an item through the first user account from the second account (Note: This limitation describes a particular type of transaction that the claimed invention may be applied against, but this limitation fails to recite any features that would limit the claimed method. Hence, this limitation represents merely a intended use that has no patentable weight. However, assuming arguendo that this limitation has patentable weight, prior art is cited. See Singh col. 39 L35-50 and Fig. 22: at step 2202, data about a user’s network activity is received; and see Singh col. 5 L4-21: the data is related to financial transactions; and see Crabtree para. 0050, sentence beginning with “The multiple dimension time series data store module may also store any time series data…”: the system acquires and stores sales and service customer data; and see Crabtree para. 0091: data is acquired from “Point of Sale (POS) interfaces”).

As to claim 13, Singh as modified by Crabtree teaches wherein the temporal graph-based journal entry is node centric and based on the second node (see Singh col. 49 L58 to col. 50 L2 and Fig. 32: graph 3200 is centered around nodes that represent users; in the illustrative example in Fig. 32, there are nodes for the user “Bill” and the user “root” 3208).

As to claim 14, Singh as modified by Crabtree teaches wherein the change of the first node includes connecting the first node to the second node based on the transaction (see Singh col. 39 L35-50: the data about a user’s network activity is used to update a graph; and see Singh col. 47 L65 to col. 48 L33 and Fig. 28B: user account Bill is used to escalate privilege to “root,” and the node for user account Bill is connected to the node for user account root).

As to claim 15, Singh teaches a non-transitory machine-readable medium having stored thereon machine-readable instructions executable to cause a machine to perform operations comprising (see Singh col. 3 L30-47: a memory provides instructions to a processor):
receiving an event update associated with a first user account (see Singh col. 39 L35-50: at step 2202, data about a user’s network activity is received), wherein the event update is associated with a transaction conducted between the first user account and a second user account (see Singh col. 47 L65 to col. 48 L33 and Fig. 28B: user account Bill is used to escalate privilege to “root.” Note: As is well-known to those of ordinary skill in the computing arts, “root” refers to a superuser account8.);
determining a graph mutation on a graph-based model, based in part on the event update (Note: The claimed “graph mutation” is interpreted in light of the instant specification to be a change to the graph.  See instant specification para. 0019, which states (emphasis added): “changes (mutations) from the logging database 208, can be ingested by a graph log ingestion module 210.”
see Singh col. 39 L35-50: the data about a user’s network activity is used to update a graph);
transforming an event log associated with the graph-based model (see Singh col. 39 L35-50: the data about a user’s network activity is used to update a graph) to a temporal-based journal entry recorded in a temporal-based journal (Note: In accordance with its meaning in the computing arts, “journaling” is interpreted as “Keeping track of events by recording them in a log (the journal)”9. Hence, the claimed “journal entry” is interpreted as a log entry.
see Singh col. 20 L17-27: a graph representing a summary of all activity within a time interval is stored in database 142), wherein the temporal-based journal entry represents a change of a first node corresponding to the first user account in the graph-based model based on a relationship between the first node and a second node corresponding to the second user account in the graph-based model (see Singh col. 47 L65 to col. 48 L33 and Fig. 28B: user account Bill is used to escalate privilege to “root.”);
analyzing a transformation of the graph-based model (see Singh col. 47 L65 to col. 48 L45 and Fig. 28B: analysis of the graph is used to detect nefarious activity and/or a security threat) within a time period based on one or more temporal-based journal entries recorded in the temporal-based journal (see Singh col. 20 L17-27: a graph representing a summary of all activity within a time interval is stored in database 142), wherein the transformation indicates that both of the first node and the second node are connected to a third node representing a device (see Singh col. 47 L65 to col. 48 L45 and Fig. 28B: the nodes for user accounts Bill and root are connected to a third node representing server 2852) within the time period (see Singh col. 20 L17-27: each graph corresponds to a distinct period of time);
determining that the first user account has been used to perform a malicious activity based on the analyzing the transformation (see Singh col. 47 L65 to col. 48 L45 and Fig. 28B: analysis of the graph is used to detect nefarious activity and/or a security threat); and
performing an action based on the determining that the first user account has been used to perform the malicious activity (see Singh col. 47 L65 to col. 48 L45 and Fig. 28B: in response to detecting nefarious activity and/or a security threat, an alert is generated).
Singh does not appear to explicitly disclose receiving, via a wireless network communication; and performing an action to the first user account.
However, Crabtree teaches:
receiving, via a wireless network communication (see Crabtree para. 0096 and Fig. 21: client-server communication over a wireless network), an event update associated with a first user account (see Crabtree para. 0076: user events are logged), wherein the event update is associated with a transaction conducted between the first user account and a second user account (see Crabtree para. 0078: the system identifies a user adding a new user; Note: Crabtree’s user adding a new user corresponds to the claimed “transaction conducted between the first user account and a second user account”);
ingesting an event log (see Crabtree para. 0076: user events are logged);
transforming an ingested event log to a temporal-based journal entry recorded in a temporal-based journal (see Crabtree para. 0068: logging service 530 transforms requests and messages into an event log; and see Crabtree para. 0079: events are logged as time-series data), wherein the temporal-based journal entry represents a change of a first node corresponding to the first user account in the graph-based model based on a relationship between the first node and a second node corresponding to the second user account in the graph-based model (see Crabtree para. 0076: cyber-physical system graph (CPG) represents relationships between users, servers, devices, and other resources in a security infrastructure, and logged events are used to update cyber-physical system graph (CPG) to reflect changes over time; see Crabtree para. 0078: the system identifies a user adding a new user);
analyzing a transformation of the graph-based model within a time period based on one or more temporal-based journal entries recorded in the temporal-based journal (see Crabtree para. 0072: the system performs cybersecurity behavioral analytics to analyze behavior patterns based on a directed computational graph (DCG) 155; and see Crabtree para. 0049: system processing is performed over regular timing intervals), wherein the transformation indicates that both of the first node and the second node are connected to a third node representing a device (see Crabtree para. 0076: cyber-physical system graph (CPG) represents relationships between users, servers, devices, and other resources in a security infrastructure, and logged events are used to update cyber-physical system graph (CPG) to reflect changes over time; see Crabtree para. 0078: the system identifies a user adding a new user) within the time period (see Crabtree para. 0049: system processing is performed over regular timing intervals; and see Crabtree para. 0078: time-series data is analyzed);
determining that the first user account has been used to perform a malicious activity based on the analyzing the transformation (see Crabtree para. 0072: the cybersecurity behavioral analytics detects malicious activity; and see Crabtree para. 0073: the detected malicious activity may be the result of a human actor or an automated software “bot”); and
performing an action to the first user account based on the determining that the first user account has been used to perform the malicious activity (see Crabtree para. 0072-0073: in response to detecting the malicious activity, the system automatically implements security suggestions to defend against the bad actor).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to have modified Singh to include the teachings of Crabtree because Crabtree’s automated behavioral learning “provides a much more responsive solution than manual intervention, enabling rapid response to threats to mitigate any potential impact” (see Crabtree para. 0073).

As to claim 16, see the rejection of claim 3 above.

As to claim 17, see the rejection of claim 4 above.

As to claim 18, see the rejection of claim 5 above.

As to claim 19, see the rejection of claim 6 above.

As to claim 20, see the rejection of claim 12 above.

Additional Art Considered
The prior art made of record and not relied upon is considered pertinent to the Applicants’ disclosure.
The following patents and papers are cited to further show the state of the art at the time of Applicants’ invention with respect to scalable temporal graph databases.
a.	Xu, Fengyuan. “Lightweight temporal graph management engine”; U.S. PGPub. No. 20160125095 A1.
Teaches a temporal graph database (see para. 0006 and Fig. 2) that is time-efficient and scalable (see para. 0015).
b.	Li et al. “Method and system for behavior query construction in temporal graphs using discriminative sub-trace mining”; U.S. PGPub. No. 20160125094 A1.
Teaches a temporal graph database (see para. 0093-0094 and Fig. 10) that avoids potential scalability problems (see para. 0068).
c.	Gerken et al. “Temporal Predictive Analytics”; U.S. PGPub. No. 20130325787 A1.
Teaches complex event processing (see para. 0010-0011) that applies temporal constraints (see para. 0075) to graph data structures (see para. 0072-0073 Figs. 2A and 2C) and provides scalable indexing (see para. 0108).

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to UMAR MIAN whose telephone number is (571) 270-3970.  The examiner can normally be reached on Monday to Friday, 10 am to 6:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Tony Mahmoudi can be reached on (571) 272-4078.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/UM/
Examiner, Art Unit 2163                                                                                                                                                                                            

/TONY MAHMOUDI/Supervisory Patent Examiner, Art Unit 2163                                                                                                                                                                                                        



    
        
            
        
            
        
            
    

    
        1 As is well-known to those of ordinary skill in the computing arts, “root” refers to a superuser account. See “Root.” Free On-Line Dictionary of Computing. http://foldoc.org/root
        2 See “Root.” Free On-Line Dictionary of Computing. http://foldoc.org/root
        3 See “Journaling.” Computer Desktop Encyclopedia. https://www.computerlanguage.com/results.php?definition=journaling
        4 See https://mathworld.wolfram.com/GraphVertex.html
        5 See “Root.” Free On-Line Dictionary of Computing. http://foldoc.org/root
        6 See https://www.computerlanguage.com/results.php?definition=journaling
        7 See https://www.computerlanguage.com/results.php?definition=journaling
        8 See “Root.” Free On-Line Dictionary of Computing. http://foldoc.org/root
        9 See “Journaling.” Computer Desktop Encyclopedia. https://www.computerlanguage.com/results.php?definition=journaling