DETAILED ACTION
This office action is in response to the correspondence filed on 08/27/2020. This application is a has a provisional 62/893,313 filed 08/29/2019. Claims 1-18 are pending and are examined.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

Priority
Applicant's claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. 


Information Disclosure Statement
The information disclosure statement (IDS) was submitted on 08/27/2020. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.


Claim Objections
Claim 9 is objected to because of the following informalities:
Claim 9, “The method of claim 10” should likely read “The method of claim 1” similar to claim 18 where it is dependent on its own independent claim.
Appropriate correction is required.


Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitations are: a security console configured to perform in claims 10-18. 
Because this/these claim limitations are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 10-18 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
Claim limitations: a security console configured to perform in claims 10-18 invoke 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. 
The specification is devoid of adequate structure to perform the claimed function. There is no disclosure of any particular structure, either explicitly or inherently, to perform a security function (e.g. it can be implemented entirely by software). The use of the term security console is not adequate structure for performing a security function because it does not describe a particular structure for performing the function. As would be recognized by those of ordinary skill in the art, the term performing refer to performing an action and can be performed in any number of ways in hardware, software or a combination of the two. The specification does not provide sufficient details such that one of ordinary skill in the art would understand which structure or structures perform(s) the claimed function. 
Therefore, the claims are indefinite and are rejected under 35 U.S.C. 112(b) or pre-AIA  35 U.S.C. 112, second paragraph.
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c)        Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.


Claims 9 and 18 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention. 
Regarding claims 9 and 18, “the group” in the limitation was never recited before. There is insufficient antecedent basis for this limitation in the claim. 
Examiner suggests that “a group” can be used in the first occurrence of the term instead.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4-6, 9-11, 13-15, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Chen et al. (US Pub No. 2019/0005386, referred to as Chen), in view of Martinez Canedo et al. (US Pub No. 2019/0095806 A1, referred to as Martinez Canedo) and further in view of Perumalla et al. (US Patent No. 10,587,632 B1, referred to as Perumalla).
Regarding claim 1, Chen discloses,
1. A method for detecting and responding to an intrusion in a computer network, comprising: 
generating an adversarial training data set that includes original samples and adversarial samples, by perturbing one or more of the original samples with an integrated gradient attack to generate the adversarial samples; (Chen: [0020]; training set manager 104 may determine a first training set based on input 101 (original samples), deep neural network (DNN) trainer 106 may then cause a first DNN to be trained to classify images using the first training set. Adversarial image generator 108 may generate one or more adversarial images that are misclassified by the first DNN. The one or more adversarial images may be generated using analytical attacks implemented by adversarial image generator 108. [0034]; causative image generator 402 may perform causative analytical attacks on trained DNN 304-1 to generate one or more adversarial samples (adversarial samples). [0035]; causative attacks may be implemented via a fast gradient sign method (gradient attack).)
…training a …neural network to detect anomalous activity in a computer network, using the adversarial training data set; and (Chen: [0023]; DNN may be trained to detect malware.)
Chen does not explicitly disclose, however Martinez Canedo teaches,
…encoding the… samples to generate …graph representations, based on node neighborhood aggregation; (Martinez Canedo: [0007]; a method for learning structural relationships between nodes of a graph (graph) includes generating a knowledge graph comprising nodes representing a system and applying a graph-based convolutional neural network (GCNN) to the knowledge graph to generate feature vectors describing structural relationships between the nodes. The GCNN comprises: a neighbor node aggregation (neighborhood aggregation) layer configured to derive neighbor node feature vectors for each subgraph and aggregate the neighbor node feature vectors with their corresponding subgraphs to yield a aggregated subgraphs. [0048]; a vector representation of each node in our graph, summarizes the relationships encoded (encoding) in the sampled contexts.)
…training a graph-based neural network (Martinez Canedo: [0008]; a GCNN is trained to classify structural relationships between nodes of the subgraphs into the functional labels.)
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Martinez Canedo into the teachings of Chen with a motivation to learn efficient representations of heterogeneous data by training graph-based neural networks such as a Structured Graph Convolutional Neural Network (Martinez Canedo: [0037]).
The combination of Chen and Martinez Canedo does not explicitly disclose, however Perumalla teaches,
…performing a security action responsive to the detected anomalous activity. (Perumalla: Coln 6; ls. 42-50; the neural network may classify or predict that the set of network packets are being transmitted by malware, and execute a remedial action (e.g., generate an alert, cause termination of the transmission of the set of packets, block or prevent receipt of the set of networks by a destination system.)
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Perumalla into the combination of Chen and Martinez Canedo with a motivation to protect network systems by using neural network to detect malwares and perform remedial actions.


Regarding claims 2 and 11, taking claim 2 as exemplary, the combination of Chen, Martinez Canedo and Perumalla discloses, 
2. The method of claim 1,
Chen does not explicitly disclose, however Martinez Canedo teaches,
wherein the original samples include graph information. (Martinez Canedo: [0007]; a method for learning structural relationships between nodes of a graph (graph) includes generating a knowledge graph comprising nodes representing a system and applying a graph-based convolutional neural network (GCNN) to the knowledge graph to generate feature vectors describing structural relationships between the nodes.)
The same motivation that was utilized for combining Chen and Martinez Canedo as set forth in claim 1 is equally applicable to claim 2.


Regarding claims 4 and 13, taking claim 4 as exemplary, the combination of Chen, Martinez Canedo and Perumalla discloses, 
4. The method of claim 1,
Chen discloses,
…original and adversarial samples (Chen: [0020]; training set manager 104 may determine a first training set based on input 101 (original samples), deep neural network (DNN) trainer 106 may then cause a first DNN to be trained to classify images using the first training set. Adversarial image generator 108 may generate one or more adversarial images that are misclassified by the first DNN. The one or more adversarial images may be generated using analytical attacks implemented by adversarial image generator 108.)
The combination of Chen and Martinez Canedo does not explicitly disclose, however Perumalla teaches,
wherein the model trainer is further configured to encode the …samples in a plurality of stages, with each stage including a neighborhood aggregation and a representation update. (Martinez Canedo: [0007]; a method for learning structural relationships between nodes of a graph (graph) includes generating a knowledge graph comprising nodes representing a system and applying a graph-based convolutional neural network (GCNN) to the knowledge graph to generate feature vectors describing structural relationships between the nodes. The GCNN comprises: a neighbor node aggregation (neighborhood aggregation) layer configured to derive neighbor node feature vectors for each subgraph and aggregate the neighbor node feature vectors with their corresponding subgraphs to yield a aggregated subgraphs. [0048]; a vector representation of each node in our graph, summarizes the relationships encoded (encoding) in the sampled contexts. [0046-0048]; repeated generation of contexts of nodes (stages) which is a representation of the information.)
The same motivation that was utilized for combining Chen and Martinez Canedo as set forth in claim 1 is equally applicable to claim 4.


Regarding claims 5 and 14, taking claim 5 as exemplary, the combination of Chen, Martinez Canedo and Perumalla discloses, 
5. The method of claim 4,
Chen does not explicitly disclose, however Martinez Canedo teaches,
wherein the neighborhood aggregation includes a mean aggregation. (Martinez Canedo: [0045]; embeddings are often used directly to perform a clustering task via K-means or other methods.)
The same motivation that was utilized for combining Chen and Martinez Canedo as set forth in claim 1 is equally applicable to claim 5.


Regarding claims 6 and 15, taking claim 6 as exemplary, the combination of Chen, Martinez Canedo and Perumalla discloses, 
6. The method of claim 4,
Chen does not explicitly disclose, however Martinez Canedo teaches,
wherein the representation update for each stage is based on each output from all previous stages. Martinez Canedo: [0046-0048]; repeated generation of contexts of nodes (stages) which is a representation of the information. The resulting embedding, a vector representation of each node in the graph, summarizes the relationships encoded in the sampled contexts (final/resulting embedding is based on all previous stages).)
The same motivation that was utilized for combining Chen and Martinez Canedo as set forth in claim 1 is equally applicable to claim 6.


Regarding claims 9 and 18, taking claim 9 as exemplary, the combination of Chen, Martinez Canedo and Perumalla discloses, 
9. The method of claim 1[[0]], 
The combination of Chen and Martinez Canedo does not explicitly disclose, however Perumalla teaches,
wherein the security action is selected from the group consisting of shutting down devices, stopping or restricting a type of network communication, enabling or disabling a connection between two devices, raising an alert to a system administrator, and changing a security policy level. (Perumalla: Coln 6; ls. 42-50; the neural network may classify or predict that the set of network packets are being transmitted by malware, and execute a remedial action (e.g., generate an alert, cause termination of the transmission of the set of packets, block or prevent receipt of the set of networks by a destination system.)
The same motivation that was utilized for combining Chen, Martinez Canedo and Perumalla as set forth in claim 1  is equally applicable to claim 9.


Regarding claim 10, Chen discloses,
10. A system for detecting and responding to an intrusion in a computer network, comprising:
a hardware processor; (Chen: [0057])
a memory; (Chen: [0057])
a …neural network model, configured to detect anomalous activity in a computer network; (Chen: [0042])
a model trainer, stored in the memory and executed by the hardware processor, configured to generate an adversarial training data set that includes original samples and adversarial samples, by perturbing one or more of the original samples with an integrated gradient attack to generate the adversarial samples; (Chen: [0020]; training set manager 104 may determine a first training set based on input 101 (original samples), deep neural network (DNN) trainer 106 may then cause a first DNN to be trained to classify images using the first training set. Adversarial image generator 108 may generate one or more adversarial images that are misclassified by the first DNN. The one or more adversarial images may be generated using analytical attacks implemented by adversarial image generator 108. [0034]; causative image generator 402 may perform causative analytical attacks on trained DNN 304-1 to generate one or more adversarial samples (adversarial samples). [0035]; causative attacks may be implemented via a fast gradient sign method (gradient attack).) 
…and to train the …neural network to detect anomalous activity in a computer network, using the adversarial training data set; and (Chen: [0023]; DNN may be trained to detect malware.)
Chen does not explicitly disclose, however Martinez Canedo teaches,
…a graph-based neural network (Martinez Canedo: [0008]; a GCNN is trained to classify structural relationships between nodes of the subgraphs into the functional labels.)
…to encode the… samples to generate …graph representations, based on node neighborhood aggregation; (Martinez Canedo: [0007]; a method for learning structural relationships between nodes of a graph (graph) includes generating a knowledge graph comprising nodes representing a system and applying a graph-based convolutional neural network (GCNN) to the knowledge graph to generate feature vectors describing structural relationships between the nodes. The GCNN comprises: a neighbor node aggregation (neighborhood aggregation) layer configured to derive neighbor node feature vectors for each subgraph and aggregate the neighbor node feature vectors with their corresponding subgraphs to yield a aggregated subgraphs. [0048]; a vector representation of each node in our graph, summarizes the relationships encoded (encoding) in the sampled contexts.)
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Martinez Canedo into the teachings of Chen with a motivation to learn efficient representations of heterogeneous data by training graph-based neural networks such as a Structured Graph Convolutional Neural Network (Martinez Canedo: [0037]).
The combination of Chen and Martinez Canedo does not explicitly disclose, however Perumalla teaches,
…a security console configured to perform a security action responsive to the detected anomalous activity. (Perumalla: Coln 6; ls. 42-50; the neural network may classify or predict that the set of network packets are being transmitted by malware, and execute a remedial action (e.g., generate an alert, cause termination of the transmission of the set of packets, block or prevent receipt of the set of networks by a destination system.)
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Perumalla into the combination of Chen and Martinez Canedo with a motivation to protect network systems by using neural network to detect malwares and perform remedial actions.


Claims 3 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Chen, in view of Martinez Canedo, further in view of Perumalla, and further in view of Carothers et al. (US Pub No. 2020/0342290 A1, referred to as Carothers).
Regarding claims 3 and 12, taking claim 3 as exemplary, the combination of Chen, Martinez Canedo and Perumalla discloses, 
3. The method of claim 2,
The combination of Chen, Martinez Canedo and Perumalla does not explicitly disclose, however Carothers teaches,
wherein each adversarial sample includes a copy of one of the original samples, with an edge added or removed. (Carothers: [0292]; adjusting a parameter the first deep learning model configuration may include adding or removing an edge of a neural network of the first deep learning model configuration.)
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Carothers into the combination of Chen, Martinez Canedo and Perumalla with a motivation to be more efficient to change the parameters values of a deep learning model configuration than to generate a new deep learning model configuration by adding or removing edges (Carothers: [0291]).


Claims 7 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Chen, in view of Martinez Canedo, further in view of Perumalla, and further in view of Abolhasanzadeh (NPL - "Nonlinear dimensionality reduction for intrusion detection using auto-encoder bottleneck features.").
Regarding claims 7 and 16, taking claim 7 as exemplary, the combination of Chen, Martinez Canedo and Perumalla discloses, 
3. The method of claim 2,
The combination of Chen, Martinez Canedo and Perumalla does not explicitly disclose, however Abolhasanzadeh teaches,
wherein the model trainer is further configured to use a bottleneck that limits a dimensionality of a final graph representation. (Abolhasanzadeh: I. Introduction; right coln, 2th para; exploits neural network bottleneck features for dimensionality reduction.)
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Abolhasanzadeh into the combination of Chen, Martinez Canedo and Perumalla with a motivation to reduces the time and space complexity of intrusion detection systems by exploiting neural network bottleneck features (Abolhasanzadeh abstract).


	Allowable Subject Matter
Claims 8 and 17 are objected to as being dependent upon rejected base claims, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. Claim 17 is also rejected under 112 rejection.
The following is an examiner’s statement of reasons for allowance: 
Although prior arts Chen, Martinez Canedo, Perumalla, Carothers and Abolhasanzadeh above disclose all the limitations of the prior claims (see rejections above), none of the prior arts of record alone or in combination discloses determining an integrated gradient for a perturbation to determine how much the perturbation will affect a prediction outcome for an unlabeled node as described in the claims.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Leskovec; Jurij et al.	US-PGPUB	US 20190286943 A1	Machine learning model training
Lee; Taesung et al.	US-PGPUB	US 20190130110 A1	Protecting cognitive systems from gradient based attacks through the use of deceiving gradients
Qin; Chongli		US-PGPUB	US 20200372353 A1	Training more secure neural networks by using local linearity regularization

Any inquiry concerning this communication or earlier communications from the examiner should be directed to KA SHAN CHOY whose telephone number is (571) 272-1569.  The examiner can normally be reached on MON - FRI: 9AM-5:30PM EST Alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571) 272-3685.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KA SHAN CHOY/Examiner, Art Unit 2435