DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to communication filed on 12/09/2019.
Status of claims in the instant application:
Claims 1-21 are pending.
Election/Restrictions
No claim restrictions are warranted at the applicant’s initial time of filing for patent.
Priority
The instant application does not claim priority benefit to any previous application for patent.
Information Disclosure Statement
Information Disclosure Statements (IDS) filed on 12/09/2019 have been considered, and signed copies of the IDS forms have been attached to this office action.
Drawings
Drawings filed on 12/09/2019 have been inspected and are in compliance with MPEP 608.02.
Specification
The specification filed on 12/09/2019 has been inspected and is in compliance with MPEP 608.01.
Claim Interpretation
The claims of the instant application are not being interpreted under 35 USC 112(f).
Claim Eligibility
It is the Examiner’s opinion that the claims of the instant application meet the eligibility requirements under 35 USC 101, and that the claims do not recite any abstract idea per the “2019 Revised Patent Eligibility Guidelines”.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5-10, 12-17 and 19-21 are rejected under 35 U.S.C. 103 as being unpatentable over NPL “Behavior Query Discovery in System Generated Temporal Graphs” by Zong et al. (hereinafter “Zong”), Source: https://arxiv.org/abs/1511.05911 (Applicant also provided a version of the NPL as part of the IDS), in view of Pub. No. US 2019/0378051 A1 to Widmann et al. (hereinafter “Widmann”).
Regarding Claim 1. Zong discloses A method to detect anomalous behavior in a computing system (Zong, Abstract: … Computer system monitoring generates huge amounts of logs that record the interaction of system entities. How to query such data to better understand system behaviors and identify potential system risks and malicious behaviors becomes a challenging task for system administrators due to the dynamics and heterogeneity of the data … In this work, we investigate how to query temporal graphs and treat query formulation as a discriminative temporal graph pattern mining problem. We introduce TGMiner to mine discriminative patterns from system logs, and these patterns can be taken as templates for building more complex queries. TGMiner leverages temporal information in graphs to prune graph patterns that share similar growth trend without compromising pattern quality …), comprising:
receiving a semi-directed temporal graph derived from system-generated events (Zong, Figure 1, Pages 1-2: … In Figure 1(a), a syscall log contains a sequence of events each of which describes at which time what kind of interactions happened between which system entities. Note that this syscall log also forms an equivalent temporal graph. … );
deriving from the semi-directed temporal graph one or more process-centric subgraphs, wherein a process-centric subgraph comprises one or more system-generated events associated with a given process (Zong, Figure 1, Pages 1-2: … To ensure the security of an enterprise system, a system expert wants to know if there exists any information stealthy activity in the human resource department over the weekend. A hypothetical activity could involve three steps: someone remotely accessed an HR desktop by ssh, compressed several files, and transferred them to a remote server. In order to find such activity, one can submit a query like Figure 1(b) consisting of three components: “sshd-login”, “compress-files”, and “send-to-remote-server”, and perform search over syscall logs like Figure 1(a). However, such query cannot retrieve any useful information since the low-level entities (e.g., processes and files) recorded in the syscall logs cannot be directly mapped to any high-level activity like “sshd-login” or “compress-files”. In order to locate all “sshd-login” activities, one has to know which processes or files are involved in “sshd-login” and in what order over time these low-level entities are involved in order to write a query. This becomes very time consuming. Besides querying risky behaviors, the formulated behavior queries can also be applied on the real-time monitoring data for surveillance and policy compliance checking … Querying high-level system behaviors significantly reduces the complexity of evaluating system status, but it is quite difficult to formulate useful system behavior queries, referred to as behavior queries in this paper, because of the big semantic gap between the high-level abnormal activities and the low-level footprints of such activities. 
To address this problem, one approach is to collect monitoring data of target behaviors (e.g., “sshd-login”), model the raw monitoring data by heterogeneous temporal graphs to, and use the full graphs to formulate queries. Unfortunately, the raw data can be large and noisy. To overcome this challenge, instead of using the full graphs, we identify the most discriminative patterns for target behaviors and treat them as queries. Such queries (e.g., a few edges) are easier to interpret and modify, and are robust to noise. A discriminative pattern should frequently occur in the target activities, and rarely exist in other activities. One of the discriminative subgraph patterns for “sshd-login” is shown in Figure 1(c), which includes a few nodes/edges and is more promising for querying “sshd-login” from syscall logs. To this end, we formulate the behavior query construction problem as a discriminative temporal graph mining problem …);
identifying from the one or more process-centric subgraphs one or more atomic operations, wherein an atomic operation comprises a set of system-generated events common to more than one process-centric subgraph (Zong, Page 2, figure 2: … Querying high-level system behaviors significantly reduces the complexity of evaluating system status, but it is quite difficult to formulate useful system behavior queries, referred to as behavior queries in this paper, because of the big semantic gap between the high-level abnormal activities and the low-level footprints of such activities. To address this problem, one approach is to collect monitoring data of target behaviors (e.g., “sshd-login”), model the raw monitoring data by heterogeneous temporal graphs to, and use the full graphs to formulate queries. Unfortunately, the raw data can be large and noisy. To overcome this challenge, instead of using the full graphs, we identify the most discriminative patterns for target behaviors and treat them as queries. Such queries (e.g., a few edges) are easier to interpret and modify, and are robust to noise. A discriminative pattern should frequently occur in the target activities, and rarely exist in other activities. One of the discriminative subgraph patterns for “sshd-login” is shown in Figure 1(c), which includes a few nodes/edges and is more promising for querying “sshd-login” from syscall logs …);
modifying the semi-directed temporal graph by replacing information therein with the one or more identified atomic operations (Zong, Page 2, figure 2: … In this paper, we propose TGMiner that addresses the challenges to discriminative temporal graph pattern mining. 1. We have to consider both topology and edge temporal order while searching temporal graph space. To avoid redundant search, do we need another complex canonical labeling method like [11, 31] for mining temporal graphs? In our study, we find the temporal information in graphs allows us to explore temporal graph space in a more efficient manner. In particular, we propose a pattern growth algorithm without any complex canonical labeling. It guarantees that all promising patterns are covered, and no redundant search. 2. Since temporal graph space is huge, a naive exhaustive search is slow even for small temporal graphs. To speed up search, we first identify general cases where we can conduct pruning. Then we propose algorithms to minimize the overhead for discovering the pruning opportunities: (1) By encoding temporal graphs into sequences, a light-weight algorithm based on subsequence tests is proposed to enable fast temporal subgraph tests; and (2) we compress residual graph sets into integers such that residual graph set equivalence tests are performed in constant time. …); and
However, Zong does not explicitly teach the following limitation, which Widmann, from the same or similar field of endeavor, teaches:
“training a machine learning model using the modified semi-directed temporal graph (Widmann, Para [0008, 0131, 0164]: … One general aspect includes a machine learning system that optimizes a feature vector, the system including: a first interface configured to receive transaction data; a graph module configured to store and update a graph using the transaction data, the graph including nodes and edges, where each node corresponds to an entity type, and where each edge represents a relationship between two nodes; and a machine learning engine including a plurality of machine learning sub-engines, where each entity type in the graph is assigned a separate machine learning sub-engine, the machine learning engine is programmed to perform steps including: training a machine learning model of a machine learning sub-engine of the machine learning engine using the transaction data; classifying a plurality of nodes in the graph based on known patterns in the transaction data and the machine learning model, by setting a classification attribute of each node to one of a plurality of classifications; detecting, by the machine learning sub-engine, an emerging pattern between a first node and second node in the graph based on the transaction data … In another example, the spreading functionality may occur based on temporal considerations. For example, if the machine learning engine 712 outputs a Boolean true outcome for a new node being added to the stored graph, a node corresponding to a merchant device that received the transaction may be flagged for additional scrutiny. That merchant device corresponds to a particular node in the graph module. 
All transactions that occurred at the merchant device node in the graph module for a threshold of time T may receive a slightly weighted hot file value … in alternative embodiments, one or more of the computing platforms discussed above may be combined into a single computing platform, and the various functions of each computing platform may be performed by the single computing platform …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Widmann into the teachings of Zong, because it discloses that “Machine learning has enabled the automated processing of problems formerly limited to human intervention. Traditionally, computers have been explicitly programmed to perform tasks, meaning that even fairly simple tasks can take significant amounts of programming time to implement. Machine learning may be used to allow a computer to perform the same or similar tasks without being explicitly programmed to do so. For example, where formerly a programmer may have manually programmed a face detection algorithm (e.g., providing code telling a computer to look for two eyes, a nose, and a mouth), machine learning may be used instead by providing a computer with a large set of pictures of human faces (e.g., some winking, some smiling, some partially obscured) and rewarding the computer for correct identifications of human faces over repeated trials. Colloquially, such methods may be said to allow a machine learning algorithm to both think and learn … Machine learning has benefits far beyond programming efficiency: machines may also learn and identify correlations in data that would otherwise go undetected if reviewed by humans (Widmann, Para [0002-0003])”.
Regarding Claim 2. The combination of Zong-Widmann discloses the method as described in claim 1, Widmann further discloses, “wherein training the machine learning model includes:
applying graph embedding to the modified semi-directed temporal graph to generate one or more vectors (Widmann, Para [0138-0139, 0146]: … In some examples, the machine learning engine may identify relationships between nodes that previously may have gone unrecognized. For example, using a collaborative filtering technique … Regarding unsupervised anomaly detection, an unsupervised machine learning engine (UMLE) 714 may take as input a graph generated by the graph module 702A, 702B. The UMLE may construct unsupervised feature vectors using the graph for use in an unsupervised machine learning algorithm. For example, each node and its associated edges may be converted into a feature vector. An unsupervised feature vector may include data we know about each entity, such as data from historical data 710, current event data 708, and transaction data. An unsupervised feature vector may also include a score output by the entity's associated supervised machine learning engine for that entity … graph representation of entities and relationships may be analyzed by an unsupervised machine learning model. As discussed in greater detail above, an unsupervised machine learning model may be used to determine, among other things, correlations in data sets without external feedback (e.g., a score associated with machine learning output). Such an unsupervised machine learning model may be executed on a graph representation of entities and relationships in order to determine, for example, how a characterization of one entity (e.g., a determination of a flaw or error in one entity) may spread to other entities …); and
applying to the machine learning model the one or more vectors as labeled data sets (Widmann, Para [0050]: … Machine learning tasks are sometimes broadly categorized as either unsupervised learning or supervised learning. In unsupervised learning, a machine learning algorithm is left to generate any output (e.g., to label as desired) without feedback. The machine learning algorithm may teach itself (e.g., observe past output), but otherwise operates without (or mostly without) feedback from, for example, a human administrator. An embodiment involving unsupervised machine learning is described herein …).”
The motivation to further combine Widmann remains same as in claim 1.
Regarding Claim 3. The combination of Zong-Widmann discloses the method as described in claim 2, Widmann further discloses, “wherein the machine learning model is a deep neural network (DNN) that is trained to distinguish between benign and malicious user actions (Widmann, Abstract, Para [0001, 0068, 0082, 0142]: … This disclosure pertains to machine learning models, semantic networks, adaptive systems, artificial neural networks … The artificial neural network 100 may be supported or replaced by other forms of machine learning. For example, one or more of the nodes of artificial neural network 100 may implement a decision tree, associational rule set, logic programming, regression model, cluster analysis mechanisms, Bayesian network, propositional formulae, generative models, and/or other algorithms or forms of decision-making. The artificial neural network 100 may effectuate deep learning … the machine learning model may cluster a first transaction with one or more other transactions and may determine that the cluster is an outlier when compared with other clusters (e.g., from prior transactions). The machine learning model may, based on such clustering activity, indicate a transaction is fraudulent … using unsupervised machine learning techniques, the UMLE may determine that a group of fraudulent credit cards were issued where the provided employer name, address, and phone number share similar characteristics (e.g., the fraudster(s) all setup an unverified employer with a Google phone number to verify their fake income). The UMLE may identify these fraudulent credit cards because they are outliers when compared with the rest of the entities in the graph …).”
The motivation to further combine Widmann remains same as in claim 2.
Regarding Claim 5. The combination of Zong-Widmann discloses the method as described in claim 1, Zong further discloses, “further including: receiving a set of system-generated events, wherein at least one system-generated event is responsive to a user action, and wherein each of the system-generated events has an associated set of parameters (Zong, Page 15: … Training data is a set of temporal graphs representing a set of syscall logs generated from a closed environment (i.e., a server used to collect syscall logs with as little noise as possible), where security-related behaviors are performed. First, we target at 12 behaviors as representatives for the basic security-related behaviors that have drawn attention in cybersecurity study [2, 3, 10, 33]. We execute the popular applications that perform these behaviors and collect the syscall logs as training data. In general, we consider security-related behaviors from five categories … Remote login involves behaviors where a user logs into a remote server. For attackers, these behaviors are usually the first step for breaking into a computer system. The behavior “sshd-login” in the cybersecurity application in Section 1 falls into this category. We include the behaviors of ssh-based login (client side), sshd-based login (server side), and ftpd-based login (server side) in this study …); and
using the associated parameters for one or more system-generated events to build the semi-directed temporal graph (Zong, Page 15: … Training data is a set of temporal graphs representing a set of syscall logs generated from a closed environment (i.e., a server used to collect syscall logs with as little noise as possible), where security-related behaviors are performed. First, we target at 12 behaviors as representatives for the basic security-related behaviors that have drawn attention in cybersecurity study [2, 3, 10, 33]. We execute the popular applications that perform these behaviors and collect the syscall logs as training data. In general, we consider security-related behaviors from five categories … File compression/decompression … Source code compilation … File download/upload … Remote login … System software management … For each target behavior, it is independently performed 100 times in a closed environment with the guarantee that no other target behaviors are performed, and accordingly, 100 temporal graphs (100 syscall logs) are collected. More details about the syscall logs for each behavior are shown in Table 1, where the average number of nodes/edges in each syscall log is reported …).”
Regarding Claim 6. The combination of Zong-Widmann discloses the method as described in claim 1, Widmann further discloses, “further including setting a filter on an output of the machine learning model to attempt to identify a particular user intent or other given behavior information (Widmann, Para [0123]: … In FIG. 7A, the system may assess, as explained in step 612, the heat value (or risk score) of each node involved in a transaction. A hotfile module 704 and/or hotfile propagation engine 706 may assess the transaction data, and then the hot files/warm files may be calculated for the appropriate nodes in the graph structure. The transaction data may be filtered through a machine learning model, as illustrated in FIG. 1, of the one or more machine learning engines to determine an output based on the various inputs generated by the transaction data …).”
The motivation to further combine Widmann remains same as in claim 1.
Regarding Claim 7. The combination of Zong-Widmann discloses the method as described in claim 1, Widmann further discloses, “further including using the trained machine learning model to detect a potentially malicious behavior associated with the computer system (Widmann, Para [0078, 0144]: … Machine learning models, such as those associated with a particular entity in step 604, may provide output associated with one or more entities. Output, as illustrated in FIG. 1, may comprise an anomaly score, an indication of a level of risk, or the like. An anomaly score output from a machine learning model may comprise an indication of how different input data was from, for example, training data provided to the machine learning model. For example, machine learning models may output a high fraud risk score for one or more entities based on determining that the one or more entities are, per the received data (e.g., input data as illustrated in FIG. 1), behaving in a different manner than one or more similar entities provided in training data. Such a high fraud risk score may indicate that a transaction was fraudulent (e.g., that a purchase was not made by the owner of the credit card). In the online purchase example referenced above, a machine learning model associated with a credit card may determine that the credit card was used fraudulently … UMLE may determine that some clusters are fraudulent because of their differences from other clusters. The UMLE may also identify individual entities that are anomalous. For example, in a shared nearest neighbor clustering, entities that are marked as noise entities (entities that do not belong to any cluster) may be flagged as anomalous so that they can be investigated for potential fraudulent activity …).”
The motivation to further combine Widmann remains same as in claim 1.
Regarding Claim 8. This apparatus claim contains all the same or similar limitations as claim 1, hence similarly rejected as claim 1.
**** Note: Widmann further discloses processor, memory and computer instructions for performing the claimed functions (Widmann, Para [0012]).
Regarding Claim 9. This apparatus claim contains all the same or similar limitations as claim 2, hence similarly rejected as claim 2.
Regarding Claim 10. This apparatus claim contains all the same or similar limitations as claim 3, hence similarly rejected as claim 3.
Regarding Claim 12. This apparatus claim contains all the same or similar limitations as claim 5, hence similarly rejected as claim 5.
Regarding Claim 13. This apparatus claim contains all the same or similar limitations as claim 6, hence similarly rejected as claim 6.
Regarding Claim 14. This apparatus claim contains all the same or similar limitations as claim 7, hence similarly rejected as claim 7.
Regarding Claim 15. This apparatus claim contains all the same or similar limitations as claim 1, hence similarly rejected as claim 1.
**** Note: Widmann further discloses processor, non-transitory computer readable medium and computer instructions for performing the claimed functions (Widmann, Para [0012]).
Regarding Claim 16. This apparatus claim contains all the same or similar limitations as claim 2, hence similarly rejected as claim 2.
Regarding Claim 17. This apparatus claim contains all the same or similar limitations as claim 3, hence similarly rejected as claim 3.
Regarding Claim 19. This apparatus claim contains all the same or similar limitations as claim 5, hence similarly rejected as claim 5.
Regarding Claim 20. This apparatus claim contains all the same or similar limitations as claim 6, hence similarly rejected as claim 6.
Regarding Claim 21. This apparatus claim contains all the same or similar limitations as claim 7, hence similarly rejected as claim 7.
Claims 4, 11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over NPL “Behavior Query Discovery in System Generated Temporal Graphs” by Zong et al. (hereinafter “Zong”), Source: https://arxiv.org/abs/1511.05911, in view of Pub. No. US 2019/0378051 A1 to Widmann et al. (hereinafter “Widmann”), as applied to claim 1 above, and further in view of Pub. No. US 2017/0063912 A1 to Muddu et al. (hereinafter “Muddu”).
Regarding Claim 4. The combination of Zong-Widmann discloses the method as described in claim 1; however, it does not explicitly teach the following limitation, which Muddu, from the same or similar field of endeavor, teaches: “wherein the one or more atomic operations are identified by applying a statistical algorithm to sequences of events derived from the one or more process-centric subgraphs (Muddu, Para [0231-0235]: … the security platform introduced here can perform identity resolution based on the facts. The identity resolution module 812 can gain the knowledge by observing the system environment (e.g., based on authentication logs), thereby building the intelligence to make an educated identity resolution determination. That is, the identity resolution module 812 is able to develop user identity intelligence specific and relevant to the system's environment without any explicit user identity information … To facilitate this fact-based identity resolution functionality in the security platform, the identity resolution module 812 can utilize a machine learning model to generate and track a probability of association between a user and a machine identifier. Specifically, after the entities in event data that represents an event are extracted (e.g., by the field mapper 808), the identity resolution module 812 can identify whether the event data includes a user identifier and/or a machine identifier, and can create or update the probability of association accordingly … According to some embodiments, the machine learning models used for identification resolution are user specific. It is also noted that the machine learning models used in the identity resolution (and device resolution, introduced below) are generally simpler than those models that would be used for anomaly and threat detection. In many embodiments, the models that are used in the identity resolution and/or device resolution are time-sequenced probabilistic graphs, in which the probability changes over time …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Muddu into the combined teachings of Zong-Widmann, because it discloses that “the models that are used to generate and track the probability of association between each user and possible machine identifiers are time-dependent, meaning that a result from the models has a time-based dependence on current and past inputs. The time dependence is useful to capture the scenario where a device is first assigned or given to a particular user, and is subsequently reassigned to a different user, which happens often in a large organization (Muddu, Para [0235])”.
Regarding Claim 11. This apparatus claim contains all the same or similar limitations as claim 4, hence similarly rejected as claim 4.
Regarding Claim 18. This apparatus claim contains all the same or similar limitations as claim 4, hence similarly rejected as claim 4.
Pertinent Prior Art
The following prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
PGPUB US 20180032724 A1, Tang et al.: Tang discloses methods and systems for detecting anomalous events that include detecting anomalous events in monitored system data. An event correlation graph is generated based on the monitored system data that characterizes the tendency of processes to access system targets. Kill chains are generated that connect malicious events over a span of time from the event correlation graph that characterize events in an attack path over time by sorting events according to a maliciousness value and determining at least one sub-graph within the event correlation graph with an above-threshold maliciousness rank. A security management action is performed based on the kill chains.
PGPUB US 20180219888 A1, Apostolopoulos: Apostolopoulos discloses techniques that relate to a graph-based network security analytic framework to combine multiple sources of information and security knowledge in order to detect risky behaviors and potential threats. In some examples, the input can be anomaly events or simply regular events. The entities associated with the activities can be grouped into smaller time units, e.g., per day. The riskiest days of activity can be found by computing a risk score for each day and according to the features in the day. A graph can be built with links between the time units. The links can also receive scoring based on a number of factors. The resulting graph can be compared with known security knowledge for adjustments. Threats can be detected based on the adjusted risk score for a component (i.e., a group of linked entities) as well as a number of other factors. The present disclosure pertains to distributed data processing systems, and more particularly, to intelligence generation and activity discovery from events in a distributed data processing system.
PGPUB US 20180048662 A1, Jang et al.: Jang discloses an automated method for processing security events begins upon receipt of information representing an offense. Based in part on context data extracted from the offense, an offense context graph is built. The offense context graph comprises nodes and edges, with an edge therein representing a relationship between a pair of nodes, at least one of the nodes being a root node representing an entity associated with the offense. The method then continues by mining information about other events that are determined to share a local contextual relationship with the offense represented by the offense context graph. This operation generates an enriched offense context graph. The enriched offense context graph is then pruned to identify an offense context for further examination. Pruning may involve applying a metric to events associated with the offense and removing nodes that, based on evaluation of the metric, do not contribute to the offense.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHABUB S AHMED whose telephone number is (571)272-0364.  The examiner can normally be reached on 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MAHABUB S AHMED/
Examiner, Art Unit 2434

/KAMBIZ ZAND/
Supervisory Patent Examiner, Art Unit 2434