DETAILED ACTION
This office action is in response to the correspondence filed on 07/21/2020. Claims 1-20 are pending and are examined.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Objections
Claims 3, 9, and 16 are objected to because of the following informalities:
In claims 3, 9, and 16, “IP” is not explicitly defined in the claim language. Please spell it out at its first occurrence in each claim set, even though it might be commonly known.
Appropriate correction is required.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claim 6 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
Regarding claim 6, it is unclear whether the limitation “determining the performing the second database query returned zero query results matching the second connection pattern” is referring to the (first) database query results or the second database query result. The second database query is not connected to the first database query, and the purpose of this limitation is unclear, since the previous limitation already describes zero or more second query results.
Appropriate correction is required.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 6-8, 13-15, 18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Stockdale et al. (US Pub No. 2020/0244673 A1, referred to as Stockdale), in view of Beck et al. (US Pub No. 2019/0260804 A1, referred to as Beck), and further in view of Noel et al. (US Pub No. 2017/0289187 A1, referred to as Noel).
Regarding claim 1, Stockdale discloses,
1. A computer-implemented method comprising:
receiving network connection data associated with a plurality of network connections between a plurality of computing devices; (Stockdale: [0047]; a graph detection module to collect (receive) and store network data (network connections) in device states.) 
generating, based at least in part on the network connection data, a …[graph] comprising a plurality of graph nodes corresponding to the plurality of computing devices and a plurality of graph edges corresponding to the plurality of network connections; (Stockdale: [0047]; the graph detection module is configured to generate a simple graph to represent the network. A node of the simple graph can represent a device in the network. An edge of the simple graph can represent a connection between devices in the network. The graph detection module can represent the simple graph as a connection matrix describing each edge in the network.)
Stockdale does not explicitly disclose, however Beck teaches,
performing a …query on the …[graph] to generate query results, (Beck: [0044]; the user interface module is configured to generate a query interface component integrated into the threat tracking graphical user interface to receive a query for assistance from the system user (performing a query).) the …query including a connection pattern to be matched by the query results generated by the performing the …query; (Beck: [0046]; the threat-tracking graphical user interface can receive a user input selecting the visual data container representing a data object of the visual representation. The visual data container can be a line of text, a portion of a graph, a node in a network topology map, a connection in the network topology map, or other visual representation from the threat-tracking graphical user interface.)
rendering at least a portion of the query results in a graph view; and (Beck: [0043]; user interface module configured to generate a threat-tracking graphical user interface to display a visual representation of data from a network entity describing network activity containing a potential cyber threat. The threat-tracking graphical user interface can display one or more data objects of the breach state and the chain of relevant behavioral parameters identified by the cyber threat module. The threat tracking graphical user interface can have a network topology map, an action log, a connection data graph, a triaged incident list. The network topology map illustrates connections between network devices (the user interface can receive a user query and display graphical results).)
causing the graph view to be output on a to a user. (Beck: [0146]; the query response field 1010 (output) can expand to create a multimedia communication session between the system user and the system support expert.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Beck into the teachings of Stockdale with a motivation to review a potential cyber threat including behavior patterns and receive a query for assistance by providing a threat tracking graphical user interface (Beck abstract).
The combination of Stockdale and Beck does not explicitly disclose, however Noel teaches,
…graphical database (Noel: [0006]; an attack-graph database model)
…database query (Noel: [0036]; graph database query)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Noel into the combination of Stockdale and Beck with a motivation to allow a network analyst to analyze the real-time status of a computer network by parsing data into a data model that contains nodes and edges to generate a graph database model (Noel abstract).


Regarding claims 2, 8, and 15, taking claim 2 as exemplary, the combination of Stockdale, Beck and Noel discloses, 
2. The computer-implemented method of claim 1, 
Stockdale does not explicitly disclose, however Beck teaches,
wherein the connection pattern comprises connection activity over a period of time. (Beck: [0059]; behavioral pattern analysis using graph over a time frame.)
The same motivation that was utilized for combining Stockdale and Beck as set forth in claim 1 is equally applicable to claim 2.


Regarding claim 6, the combination of Stockdale, Beck and Noel discloses, 
6. The computer-implemented method of claim 1, further comprising:
Stockdale does not explicitly disclose, however Beck teaches,
performing a second …query on the …[graph] to generate second query results, (Beck: [0044]; the user interface module is configured to generate a query interface component integrated into the threat tracking graphical user interface to receive a query for assistance from the system user (performing a query).) the second …query including a second connection pattern to be matched by the second query results generated by the performing the second …query; (Beck: [0046]; the threat-tracking graphical user interface can receive a user input selecting the visual data container representing a data object of the visual representation. The visual data container can be a line of text, a portion of a graph, a node in a network topology map, a connection in the network topology map, or other visual representation from the threat-tracking graphical user interface.)
determining the performing the second …query returned zero or more second query results matching the second connection pattern; (Beck: [0048]; determining query response, match or no match.)
determining the performing the second …query returned zero query results matching the second connection pattern; and (Beck: [0048]; determining query response, match or no match.)
causing a notification that the second …query returned zero results matching the second connection pattern to be output to a user. (Beck: [0146]; the query response field 1010 (query response notification output, match or no match) can expand to create a multimedia communication session between the system user and the system support expert.)
The same motivation that was utilized for combining Stockdale and Beck as set forth in claim 1 is equally applicable to claim 6.
The combination of Stockdale and Beck does not explicitly disclose, however Noel teaches,
…graphical database (Noel: [0006]; an attack-graph database model)
…database query (Noel: [0036]; graph database query)
The same motivation that was utilized for combining Stockdale, Beck and Noel as set forth in claim 1 is equally applicable to claim 6.


Regarding claim 7, Stockdale discloses,
7. A system comprising:
one or more processors; and (Stockdale: [0131])
one or more non-transitory computer-readable media storing instructions executable by the one or more processors, wherein the instructions, when executed, cause the system to perform operations comprising: (Stockdale: [0131])
receiving network connection data associated with a plurality of network connections between a plurality of computing devices; (Stockdale: [0047]; a graph detection module to collect (receive) and store network data (network connections) in device states.)
generating, based at least in part on the network connection data, a …[graph] comprising a plurality of graph nodes corresponding to the plurality of computing devices and a plurality of graph edges corresponding to the plurality of network connections; (Stockdale: [0047]; the graph detection module is configured to generate a simple graph to represent the network. A node of the simple graph can represent a device in the network. An edge of the simple graph can represent a connection between devices in the network. The graph detection module can represent the simple graph as a connection matrix describing each edge in the network.)
Stockdale does not explicitly disclose, however Beck teaches,
performing a …query on the …[graph] to generate query results, the …query including a connection pattern to be matched by the query results generated by the performing the …query; and (Beck: [0046]; the threat-tracking graphical user interface can receive a user input selecting the visual data container representing a data object of the visual representation. The visual data container can be a line of text, a portion of a graph, a node in a network topology map, a connection in the network topology map, or other visual representation from the threat-tracking graphical user interface.)
causing at least a portion of the query results to be output to a user. (Beck: [0043]; user interface module configured to generate a threat-tracking graphical user interface to display a visual representation of data from a network entity describing network activity containing a potential cyber threat. The threat-tracking graphical user interface can display one or more data objects of the breach state and the chain of relevant behavioral parameters identified by the cyber threat module. The threat tracking graphical user interface can have a network topology map, an action log, a connection data graph, a triaged incident list. The network topology map illustrates connections between network devices (the user interface can receive a user query and display graphical results/output). [0146]; the query response field 1010 can expand to create a multimedia communication session between the system user and the system support expert.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Beck into the teachings of Stockdale with a motivation to review a potential cyber threat including behavior patterns and receive a query for assistance by providing a threat tracking graphical user interface (Beck abstract).
The combination of Stockdale and Beck does not explicitly disclose, however Noel teaches,
…graphical database (Noel: [0006]; an attack-graph database model)
…database query (Noel: [0036]; graph database query)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Noel into the combination of Stockdale and Beck with a motivation to allow a network analyst to analyze the real-time status of a computer network by parsing data into a data model that contains nodes and edges to generate a graph database model (Noel abstract).


Regarding claims 13 and 20, taking claim 13 as exemplary, the combination of Stockdale, Beck and Noel discloses, 
13. The system of claim 7, further comprising:
Stockdale does not explicitly disclose, however Beck teaches,
determining the performing the …query returned at least one query result matching the connection pattern; and (Beck: [0048]; determining query response, match or no match.)
wherein the causing the portion of the query results to be output to the user is performed at least partly in response to the determining the …query returned the at least one query result. (Beck: [0146]; the query response field 1010 (query response output, match or no match) can expand to create a multimedia communication session between the system user and the system support expert.)
The same motivation that was utilized for combining Stockdale and Beck as set forth in claim 7 is equally applicable to claim 13.
The combination of Stockdale and Beck does not explicitly disclose, however Noel teaches,
…graphical database (Noel: [0006]; an attack-graph database model)
…database query (Noel: [0036]; graph database query)
The same motivation that was utilized for combining Stockdale, Beck and Noel as set forth in claim 7 is equally applicable to claim 13.


Regarding claim 14, Stockdale discloses,
14. A non-transitory computer-readable media storing computer-executable instructions, which when executed by one or more processors, cause the one or more processors to perform actions comprising: (Stockdale: [0131])
receiving network connection data associated with a plurality of network connections between a plurality of computing devices; (Stockdale: [0047]; a graph detection module to collect (receive) and store network data (network connections) in device states.)
generating, based at least in part on the network connection data, a …[graph] comprising a plurality of graph nodes corresponding to the plurality of computing devices and a plurality of graph edges corresponding to the plurality of network connections; (Stockdale: [0047]; the graph detection module is configured to generate a simple graph to represent the network. A node of the simple graph can represent a device in the network. An edge of the simple graph can represent a connection between devices in the network. The graph detection module can represent the simple graph as a connection matrix describing each edge in the network.)
Stockdale does not explicitly disclose, however Beck teaches,
performing a …query on the …[graph] to generate query results, the …query including a connection pattern to be matched by the query results generated by the performing the …query; and (Beck: [0046]; the threat-tracking graphical user interface can receive a user input selecting the visual data container representing a data object of the visual representation. The visual data container can be a line of text, a portion of a graph, a node in a network topology map, a connection in the network topology map, or other visual representation from the threat-tracking graphical user interface.)
causing at least a portion of the query results to be output to a user. (Beck: [0043]; user interface module configured to generate a threat-tracking graphical user interface to display a visual representation of data from a network entity describing network activity containing a potential cyber threat. The threat-tracking graphical user interface can display one or more data objects of the breach state and the chain of relevant behavioral parameters identified by the cyber threat module. The threat tracking graphical user interface can have a network topology map, an action log, a connection data graph, a triaged incident list. The network topology map illustrates connections between network devices (the user interface can receive a user query and display graphical results output). [0146]; the query response field 1010 can expand to create a multimedia communication session between the system user and the system support expert.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Beck into the teachings of Stockdale with a motivation to review a potential cyber threat including behavior patterns and receive a query for assistance by providing a threat tracking graphical user interface (Beck abstract).
The combination of Stockdale and Beck does not explicitly disclose, however Noel teaches,
…graphical database (Noel: [0006]; an attack-graph database model)
…database query (Noel: [0036]; graph database query)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Noel into the combination of Stockdale and Beck with a motivation to allow a network analyst to analyze the real-time status of a computer network by parsing data into a data model that contains nodes and edges to generate a graph database model (Noel abstract).


Regarding claim 18, the combination of Stockdale, Beck and Noel discloses, 
18. The non-transitory computer-readable media of claim 15, wherein:
Stockdale does not explicitly disclose, however Beck teaches,
the causing at least the portion of the query results to be output to the user comprises:
rendering a graph view of at least the portion of the query results; and (Beck: [0043]; user interface module configured to generate a threat-tracking graphical user interface to display a visual representation of data from a network entity describing network activity containing a potential cyber threat. The threat-tracking graphical user interface can display one or more data objects of the breach state and the chain of relevant behavioral parameters identified by the cyber threat module. The threat tracking graphical user interface can have a network topology map, an action log, a connection data graph, a triaged incident list. The network topology map illustrates connections between network devices (the user interface can receive a user query and display graphical results output).)
outputting the graph view. (Beck: [0146]; the query response field 1010 (output) can expand to create a multimedia communication session between the system user and the system support expert.)
The same motivation that was utilized for combining Stockdale and Beck as set forth in claim 14 is equally applicable to claim 18.


Claims 5, 12, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Stockdale, in view of Beck, further in view of Noel, and further in view of Li et al. (US Pub No. 2021/0067558 A1, referred to as Li).
Regarding claims 5, 12, and 19, taking claim 5 as exemplary, the combination of Stockdale, Beck and Noel discloses, 
5. The computer-implemented method of claim 1,
The combination of Stockdale, Beck and Noel does not explicitly disclose, however Li teaches,
wherein the plurality of graph nodes are labeled as one or more of:
associated with the user;
having a low-risk level; or 
having a high risk level. (Li: [0074]; labels of nodes in a network graph that identifies the topology and the attributes of the computer systems 802 in the network. At least one anomalous computer system 804 can be identified using these labels, for example using the labels to identify normal operation (low risk) and anomalous operation (high risk).)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Li into the combination of Stockdale, Beck and Noel with a motivation to perform node classification, for example using attributed temporal graphs, to learn effective node embeddings that can fully capture the evolutionary patterns encoded by changing node relationships and attributes for detecting and responding to anomalous nodes in a network by labeling network graph nodes (Li: [0016]).


Allowable Subject Matter
Claims 3-4, 9-11, and 16-17 are objected to as being dependent upon rejected base claims, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is an examiner’s statement of reasons for allowance: 
Although prior arts Stockdale, Beck, Noel and Li above disclose all the limitations of the prior claims (see rejections above), none of the prior arts of record alone or in combination discloses two connections with three computing devices with two IP addresses associated with a high risk level or being in internal and external network within a period of time; or a database query being received prior to generating of a graphical database and the database query is associated with a user alert as described in the claims.	 
At the effective filing date of the application, the above limitations would not have been obvious over the prior arts of record. 


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Lisle; Alex et al. (US-PGPUB US 20180343276 A1): detection system for network security threats
Patterson; Joshua et al. (US-PGPUB US 20180069885 A1): graph database analysis for network anomaly detection systems
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KA SHAN CHOY whose telephone number is (571) 272-1569.  The examiner can normally be reached on MON - FRI: 9AM-5:30PM EST Alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571) 272-3685.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KA SHAN CHOY/Examiner, Art Unit 2435