Notice of Pre-AIA or AIA Status
Claims 1-17 are presented for examination.  The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statements (IDSs) submitted on 9/30/19, 6/19/20, and 12/21/20 have all been considered by the Examiner.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 6, 7, 9-11, 14, 15, & 17 are rejected under 35 U.S.C. 103 as being unpatentable over Lee (U.S. Patent Publication 2020/0195673) in view of Apostolopoulos (U.S. Patent Publication 2019/0124104).

Regarding claims 1, 9 and 17:
Lee discloses an attack path detection method, system, and non-transitory computer readable medium comprising: establishing a connecting relationship among a plurality of hosts to generate a host association graph (paragraph 0032, and Figure 2; the nodes conforming to various types of computing devices [hosts] at paragraph 0056); labeling at least one host with an abnormal condition on the host association graph (the invention calculates an anomaly score for a node at e.g. paragraphs 0025 & 0042; see also paragraph 0053 regarding specific nodes with high anomaly scores as “reported” [i.e. the Lee invention can designate a node on the network as “abnormal” under the broadest reasonable interpretation of the claim term]); calculating a risk value corresponding to each of the plurality of hosts (paragraphs 0054-0055); in a host without the abnormal condition, determining whether the risk value corresponding to the host without the abnormal condition is greater than a first threshold, and utilizing a host with the risk value greater than the first threshold as a high-risk host (the Lee invention calculates an exposure score from other nodes on the network as part of the risk score for the potentially abnormal first node: see paragraphs 0061-0063; if the score exceeds a threshold, remedial actions are taken, as per paragraph 0069); and searching at least one host attack path from the high-risk host and the at least one host with the abnormal condition according to the connecting relationship of the host association graph (paragraphs 0061-0063, Ibid).  Per claim 9, Lee further discloses storage and a processor (Figure 4).
Although Lee discloses recording historical data to be used as part of the analysis by his invention (e.g. paragraphs 0039, 0053, 0056, & 0060), it is not explicitly disclosed that this information is recorded as a series of host logs conforming to each of the plurality of hosts.  However, Apostolopoulos discloses a related invention for detecting network anomalies using graph-based analysis (e.g. Abstract) wherein that invention obtains the historical event data used to construct its graph(s) through inter alia system logs, server logs, activity logs, error logs, and the like (Apostolopoulos, paragraphs 0041-0050).  It would have been obvious prior to the effective filing date of the instant application for Lee to obtain historical data for its use via the various logs across all the hosts on that network, as these types of data when processed as disclosed can be used to analyze and diagnose performance problems, monitor user interactions, and derive other insights into the network’s operation (Apostolopoulos, paragraph 0041).

Regarding claims 2 and 10:
The combination further discloses wherein labeling the at least one host with the abnormal condition on the host association graph, further comprising: utilizing an abnormal connecting detection model to determine whether a traffic of each of the plurality of hosts with an abnormal connection, and labeling a host with the abnormal connection as the at least one host with the abnormal condition (machine learning employed by Lee at paragraph 0056).

Regarding claims 3 and 11:
The combination further discloses inputting a training traffic data set, wherein the training traffic data set comprises a plurality of training traffic data of a plurality of training hosts, and each of the plurality of training traffic data is corresponding to a labeling result, respectively, wherein the labeling result indicates whether a traffic of each of the plurality of training hosts is abnormal (Apostolopoulos, paragraphs 0164-016); and training the plurality of training traffic data and the labeling result corresponding to each of the plurality of training traffic data to generate the abnormal connecting detection model (Apostolopoulos, Ibid).

Regarding claims 6 and 14:
The combination further discloses wherein calculating the risk value corresponding to each of the plurality of hosts, further comprising: selecting the host without the abnormal condition as a selected host in sequence (Lee: paragraphs 0059-0063); and calculating corresponding risk value according to a first risk index and a second risk index of the selected host, wherein the first risk index indicates a probability that the selected host is infected by another host, and the second risk index indicates a probability that the selected host is infected by itself (Lee, Ibid).

Regarding claims 7 and 15:
The combination further discloses: determining whether the host with the abnormal connection has a source host according to the connecting relationship among the plurality of hosts (Lee, paragraphs 0059-0063, and 0065-0067); and if the host with the abnormal connection has the source host, labeling the source host as the high-risk host (Lee, Ibid).
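The claimed method of claims 1, 6 and 7 above, worked through in code as an added illustration that is not part of the application, the cited references, or this Office action; the host graph, the self-infection scores, the rule combining the two risk indices and the threshold value are all constructed assumptions:

```python
from collections import deque

# Constructed host association graph (edge a -> b: host a connected to host b);
# stands in for one derived from the host log set, not data from the application.
HOST_GRAPH = {"h1": {"h2", "h3"}, "h2": {"h4"}, "h3": set(), "h4": {"h5"}, "h5": set()}
ABNORMAL_HOSTS = {"h5"}  # hosts already labelled with the abnormal condition
SELF_RISK = {"h1": 0.1, "h2": 0.2, "h3": 0.05, "h4": 0.4, "h5": 1.0}  # second risk index (constructed)
FIRST_THRESHOLD = 0.5

def neighbours(host):
    """Undirected view of the connecting relationship around one host."""
    peers = set(HOST_GRAPH.get(host, set()))
    peers |= {h for h, out in HOST_GRAPH.items() if host in out}
    return peers

def first_risk_index(host):
    """Probability of infection by another host: assumed here to be the
    share of adjacent hosts that carry the abnormal condition."""
    peers = neighbours(host)
    return len(peers & ABNORMAL_HOSTS) / len(peers) if peers else 0.0

def risk_value(host):
    """P(infected by another host or by itself), treating the two risk
    indices as independent (an assumption of this example)."""
    return 1.0 - (1.0 - first_risk_index(host)) * (1.0 - SELF_RISK[host])

def high_risk_hosts(threshold=FIRST_THRESHOLD):
    """Hosts without the abnormal condition whose risk value exceeds the threshold."""
    return {h for h in HOST_GRAPH if h not in ABNORMAL_HOSTS and risk_value(h) > threshold}

def attack_path(start, targets=ABNORMAL_HOSTS):
    """Breadth-first search along the connecting relationship from start to the nearest abnormal host."""
    prev, queue = {start: None}, deque([start])
    while queue:
        cur = queue.popleft()
        if cur in targets:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]  # list of hosts from start to the abnormal host
        for nxt in sorted(HOST_GRAPH.get(cur, ())):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None  # no path through the connecting relationship

def attack_paths():
    """One attack path per high-risk host, keyed by that host."""
    return {h: attack_path(h) for h in sorted(high_risk_hosts())}
```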

Claims 4, 5, 8, 12, 13, & 16 are rejected under 35 U.S.C. 103 as being unpatentable over Lee in view of Apostolopoulos as applied to claims 2 & 10 above, and further in view of Lopez (U.S. Patent 11,030,311).

Regarding claims 4 and 12:
Neither Lee nor Apostolopoulos explicitly discloses wherein labeling the at least one host with the abnormal condition on the host association graph, further comprising: establishing a file association graph of each of the plurality of hosts according to the host log set, wherein each of the file association graph comprises a file connecting relationship among a plurality of files corresponding to each of the plurality of hosts, and each of the plurality of files corresponds to a hash value; utilizing the hash value to determine whether corresponding file has a malicious data, labeling a file with the malicious data as a malicious file and labeling a file without the malicious data as a normal file; and labeling a host with the malicious file as the at least one host with the abnormal condition.  However, Lopez discloses a related invention for computer security via graph-based analysis (e.g. col. 2, lines 1-15 & Figure 2) comprising the steps of: establishing a file association graph of each of the plurality of hosts according to the host log set (col. 4, line 54 – col. 5, line 3), wherein each of the file association graph comprises a file connecting relationship among a plurality of files corresponding to each of the plurality of hosts (Ibid), and each of the plurality of files corresponds to a hash value (col. 5, line 48 – col. 6, line 2); utilizing the hash value to determine whether corresponding file has a malicious data, labeling a file with the malicious data as a malicious file and labeling a file without the malicious data as a normal file (Ibid); and labeling a host with the malicious file as the at least one host with the abnormal condition (e.g. quarantining a node that has been determined to contain a malicious file: e.g. col. 6, lines 58-63).
It would have been obvious prior to the effective filing date of the instant application to employ a file tracking graph as disclosed by Lopez in the invention(s) of Lee and/or Apostolopoulos, as the ability to detect lateral movement of files that are part of a network breach can allow one to prevent the attack from progressing to the stage where one’s data can be exfiltrated or one’s assets damaged (Lopez, col. 1, lines 10-20).

Regarding claims 5 and 13:
The combination further discloses: calculating an infected probability value of the normal file (Lopez, col. 6, lines 25-40); in each of the file association graph, determining whether the infected probability value corresponding to the normal file is greater than a second threshold (Lopez, Ibid, noting that in some embodiments Lopez calculates both a context threshold and a breach threshold for computing the likelihood [probability] that the tracked file is malicious); and in each of the file association graph, searching at least one file attack path between a normal file with the infected probability value greater than the second threshold and the malicious file (Lopez, Ibid).

Regarding claims 8 and 16:
The combination further discloses wherein the at least one host attack path comprises the host with the abnormal connection, the host with the malicious file and the host as the high-risk host (Lee, paragraphs 0059-0063; Lopez: col. 6, lines 58-63).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
U.S. Patents 11,349,587 (Shah) and 11,233,821 (Yadav)
U.S. Patent Publication 2020/0244673 (Stockdale)
“A Predictive Framework for Cyber Security Analytics Using Attack Graphs” (Abraham)
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS A GYORFI whose telephone number is (571)272-3849. The examiner can normally be reached 10:00am - 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

THOMAS A. GYORFI
Examiner
Art Unit 2435



/THOMAS A GYORFI/ Examiner, Art Unit 2435    7/2/22