Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim status: claims 1-7, 9-21 are pending in this Office Action

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
	
 	The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1,148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under pre- AIA  35 U.S.C. 103(a) are summarized as follows: 	1. Determining the scope and contents of the prior art. 	2. Ascertaining the differences between the prior art and the claims at issue. 	3. Resolving the level of ordinary skill in the pertinent art. 	4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-2, 6, 10, 12-13, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Yadav (US20160359695), in view of Ranjan (US8682812) 
Regarding to claim 1:
Yadav teaches A computer-implemented method performed by a computer system comprising a hardware processor, the method comprising: 
obtaining information representative of a defined network topology type for a first computer network (Yadav, fig. 5, step 70 [0073] receives network traffic data collected from a plurality of sensors. [0025] Fig. 1 … connect nodes over dedicated private communication links. [0054] the network devices and topology shown in FIG. 1 … leaf-spine architecture. [0023-26] The spine nodes … leaf nodes … connect geographically … according to predefined protocols), the first computer network including multiple network nodes (see fig. 1), each network node of the multiple network nodes having at least one communication connection with at least one other network node of the multiple network nodes  (Yadav, fig. 1 [0020] a data communication network including multiple network devices. The network may include any number of network devices in communication via any number of nodes); 
obtaining information representative of communication connections between the multiple network nodes ([0031] The sensors 26 may be installed in network components to obtain network traffic data from packets transmitted from and received at the network components … The term `component` … virtual machine, switch, router, gateway, etc) ; 
Yadav does not explicitly disclose creating creating a graph representation of a connection topology for the multiple network nodes, the graph representation comprising a plurality of graph nodes representing respective network nodes of the multiple network nodes and edges between graph nodes of the plurality of graph nodes, the edges representing the communication connections, automatically assigning respective roles to the plurality of graph nodes for the defined network topology type, analyzing the respective roles assigned to the plurality of graph nodes and the edges of the graph representation to identify an anomalous connection between network nodes with respect to the defined network topology type.
Ranjan teaches creating a graph representation of a connection topology for the multiple network nodes, the graph representation comprising a plurality of graph nodes representing respective network nodes of the multiple network nodes and edges between graph nodes of the plurality of graph nodes, the edges representing the communication connections (Ranjan Fig. 1 Col 7 lines 11-20 “communication links are provided between the malicious node classification tool (120), the computer network (110), and the user system (140). A variety of links may be provided to facilitate the flow of data through the system (100).  For example, the communication links may provide for continuous, intermittent, one-way, two-way, and/or selective communication … wired and wireless)
automatically assigning respective roles to the plurality of graph nodes for the defined network topology type, the roles comprising a first role assigned to a first subset of the plurality of graph nodes, and a different second role assigned to a second subset of the plurality of graph nodes (Fig.2 steps 203-207 “Using a machine learning algorithm … Assign labels to data units…”. Col 3 line 65 col 4 line 3 “characteristics of data units … the connection between a pair of IP addresses”. Col 11 lines 36-45 “labels each assigned to a corresponding data unit in the historical network data. Specifically, each label categorizes the corresponding data unit as malicious (i.e., associated with a botnet) or as legitimate (i.e., not malicious or not associated with a botnet) … blacklists identifying known botnets, whitelists identifying known non-malicious nodes”. Note: using machine algorithm to assign labels modes into whitelist and blacklist is automatically assigning)
analyzing the respective roles assigned to the plurality of graph nodes and the edges of the graph representation to identify an anomalous connection between network nodes with respect to the defined network topology type, wherein the identifying of the anomalous connection comprises detecting in the graph representation, an edge between graph nodes assigned a same role (Fig. 2, step 208 “categorize at least one data unit in the real-time  network data as associated with the botnet based on label of the data unit”. Col 3 line 65 col 4 line 3 “characteristics of data units … the connection between a pair of IP addresses” See Fig. 3b Col 16 lines 52- Col 17 line 6 “As the nature and behavior of botnets change over time … relearns the classification model (306) … the newly computed classification model (e.g., M.sup.t, M.sup.t+1, etc.) is provided to be used in online classification (405), replacing the previous classification model computed in the previous time interval”. Col 11 lines 36-45 “labels … as malicious (i.e., associated with a botnet) or as legitimate (i.e., not malicious or not associated with a botnet) … blacklists identifying known botnets, whitelists identifying known non-malicious nodes”)
It would have been obvious to a person of ordinary skill in the art at the time the invention was made before the effective filling date of the claimed invention to take the teachings of Ranjan and apply them on the teachings of Yadav to further implement creating a graph representation of a connection topology for the multiple network nodes, the graph representation comprising a plurality of graph nodes representing respective network nodes of the multiple network nodes and edges between graph nodes of the plurality of graph nodes, the edges representing the communication connections, automatically assigning respective roles to the plurality of graph nodes for the defined network topology type, analyzing the respective roles assigned to the plurality of graph nodes and the edges of the graph representation to identify an anomalous connection between network nodes with respect to the defined network topology type.  One would be motivated to do so because in order to improve better system and method to provide communication between nodes, assign labels to different set of nodes, and categorize data units in the real-time  network data as associated with the botnet based on label of the data unit (Ranjan, Col 16 lines 52- Col 17 line 6).
Regarding to claim 2:
The computer-implemented method of claim 1, wherein the graph representation comprises a bipartite graph (Yadav,see fig. 1 bipartite graph.[0023-26] The spine nodes … leaf nodes … connect geographically. [0073] Anomalies within the network are identified based on dynamic modeling of network behavior (step 74). [0042] identify traffic flows and connection links, or flag anomalous data) and the analyzing of the respective roles assigned to the plurality of graph nodes to identify the anomalous connection uses a bi-colorable graph technique. (Ranjan, steps 207 “Assign labels to data units. Col 11 lines 36-45 “labels each assigned to … blacklists identifying known botnets, whitelists identifying known non-malicious nodes. See Fig. 3b Col 16 lines 52- Col 17 line 6 “relearns the classification model (306) … the newly computed classification model (e.g., M.sup.t, M.sup.t+1, etc.) is provided to be used in online classification (405), replacing the previous classification model computed in the previous time interval”. Col 11 lines 36-45 “labels … as malicious (i.e., associated with a botnet) or as legitimate (i.e., not malicious or not associated with a botnet) … blacklists identifying known botnets, whitelists identifying known non-malicious nodes”. Note: classification of blacklists and whitelists is uses a bi-colorable graph technique)
Regarding to claim 6:
The computer-implemented method of claim 1, wherein the obtaining of the information representative of the communication connections comprises discovering, using a network discovery device, active communication connections between the multiple network nodes (Yadav, [0017] to identify suspicious network activity potentially indicative of malicious behavior. [0081] All of these types of anomalies are applicable to identifying suspicious activity in network data).
Regarding to claim 10:
The computer-implemented method of claim 1, wherein the obtaining of the information representative of the communication connections comprises obtaining information from a stored set of attributes for off-line analysis of communication connections for the first computer network (Yadav, [0035] analyze the traffic … label (for anomalies) the process and user information and send it to the collector 32. [0041] collectors 32 for storage [0079] Anomalies may be identified … based on historical frequencies of the discretized feature combinations. [0081] New observations with a historically rare (e.g anomalies) combination of features may be labeled as anomalies. Note: historical anomalies combination analysis is off-line analysis. See spec [0022] an off-line network analysis … analysis for historical errors)
Regarding to claim 12:
[Rejection rationale for claim 1 is applicable].

Regarding to claim 13:
[Rejection rationale for claim 2 is applicable].

Regarding to claim 17:
[Rejection rationale for claim 1 is applicable].

Claims 3, 14 are rejected under 35 U.S.C. 103 as being unpatentable over Yadav (US20160359695), in view of Ranjan (US8682812), further in view of Mahaffey (US20160099963)
Regarding to claim 3:
Yadav- Ranjan teaches The computer-implemented method of claim 1, wherein the defined network topology type is a leaf-spine network topology type (Yadav [0025] Fig. 1 … connect nodes over dedicated private communication links. [0054] the network devices and topology shown in FIG. 1 … leaf-spine architecture)
Yadav- Ranjan does not explicitly disclose the first role is a leaf node role and the second role is a spine node role.
Mahaffey teaches the first role is a leaf node role and the second role is a spine node role (Mahaffey Fig. 2. [0583] server 3551 allows policy to be configured by assessment criteria … creating a whitelist, blocking all applications not on the whitelist … a blacklist. [0578] set policy for what applications are desirable to install on a device or group of devices … A blacklist is a set of applications or assessment criteria that are explicitly denied from running on a mobile communications device …  a policy may allow only applications on a whitelist. Note: a whitelist policy set on server is the second role is a spine node role; A blacklist devices is the first role is a leaf node role. See spec [0032] the bottom layer, with the network devices (“leaf”) … upper layer with network devices (“spine.”). [0043] identify network devices that may represent a connection that violates the rules of placement or configuration for a single role (e.g. spine or leaf vertex)). 
It would have been obvious to a person of ordinary skill in the art at the time the invention was made before the effective filling date of the claimed invention to take the teachings of Mahaffey and apply them on the teachings of Yadav- Ranjan to further implement the first role is a leaf node role and the second role is a spine node role.  One would be motivated to do so because in order to improve better system and method to allow policy to be configured by assessment criteria … creating a whitelist, blocking all applications not on the whitelist (Mahaffey, [0583]).

Regarding to claim 14:
[Rejection rationale for claim 3 is applicable].

Claims 4-5, 7, 9, 11, 15-16, 18-21 are rejected under 35 U.S.C. 103 as being unpatentable over Yadav (US20160359695), in view of Ranjan (US8682812), further in view of Chase (US 20130074024)
Regarding to claim 4:
Yadav- Ranjan teaches The computer-implemented method of claim 1, 
Yadav- Ranjan does not explicitly disclose wherein the identifying of the anomalous connection comprises detecting an odd cycle in the graph representation, the odd cycle comprising an odd number of edges to complete a cycle between a group of graph nodes in the graph representation.
Chase teaches wherein the identifying of the anomalous connection comprises detecting an odd cycle in the graph representation, the odd cycle comprising an odd number of edges to complete a cycle between a group of graph nodes in the graph representation (Chase, [0252] step 3226 it is determined whether the cycle is even or odd … If the two islands have the same color, however, then the cycle is odd. [0253] odd cycle … violation. [0238] DPT odd cycle violation detection … if it is already colored in conflict with the color of the island (node) to which it would be newly connected, then a DPT odd cycle violation has been found. [0295] cycles connect an odd number of islands (three each), they indicate to the user two DPT odd cycle violations. [0238] island (node))
It would have been obvious to a person of ordinary skill in the art at the time the invention was made before the effective filling date of the claimed invention to take the teachings of Chase and apply them on the teachings of Yadav- Ranjan to further implement wherein the identifying of the anomalous connection comprises detecting an odd cycle in the graph representation, the odd cycle comprising an odd number of edges to complete a cycle between a group of graph nodes in the graph representation.  One would be motivated to do so because in order to improve better system and method to determined whether the cycle is even or odd (Chase, [0225]).
Regarding to claim 5:
Yadav- Ranjan teaches The computer-implemented method of claim 1, further comprising:
Yadav- Ranjan does not explicitly disclose displaying the graph representation as a visual representation on a display device, the visual representation having a first color for each graph node of the first subset assigned the first role, and a different second color for each graph node of the second subset assigned the second role.
Chase teaches displaying the graph representation as a visual representation on a display device (Chase, [0026] The coloring violations preferably are reported to a user in the form of visual indications of the cycles among the inter-island multi-patterning candidate spacing violations. [0275] the graph of islands interconnected by multi-patterning candidate spacing violations)
the visual representation having a first color for each graph node of the first subset assigned the first role, and a different second color for each graph node of the second subset assigned the second role (Chase, See Fig. 35. [0295] broken lines to indicate cycles. Since each of these cycles connect an odd number of islands (three each), they indicate to the user two DPT odd cycle violations …  If the number of islands making up a cycle is even, then no broken lines would be drawn for that cycle as no DPT violation has occurred. [0238] each island is added to a tree it is colored oppositely of the color of the island to which it will be connected in the tree … the color of the island (node)) 
It would have been obvious to a person of ordinary skill in the art at the time the invention was made before the effective filling date of the claimed invention to take the teachings of Chase and apply them on the teachings of Yadav- Ranjan to further implement displaying the graph representation as a visual representation on a display device and the visual representation having a first color for each graph node of the first subset assigned the first role, and a different second color for each graph node of the second subset assigned the second role.  One would be motivated to do so because in order to improve better system and method to provide to the user two DPT odd cycle violations with broken lines. If the number of islands making up a cycle is even, then no broken lines would be drawn for that cycle as no DPT violation has occurred (Chase, fig. 35).

Regarding to claim 7:
Yadav- Ranjan teaches The computer-implemented method of claim 5, 
Yadav- Ranjan does not explicitly disclose wherein the identifying of the anomalous connection comprises detecting graph nodes having a same color connected by the edge
Chase teaches wherein the identifying of the anomalous connection comprises detecting graph nodes having a same color connected by the edge. ([0252] step 3226 it is determined whether the cycle is even or odd … If the two islands have the same color, however, then the cycle is odd. [0253] odd cycle … violation)
It would have been obvious to a person of ordinary skill in the art at the time the invention was made before the effective filling date of the claimed invention to take the teachings of Chase and apply them on the teachings of Yadav- Ranjan to further implement wherein the identifying of the anomalous connection comprises detecting graph nodes having a same color connected by the edge.  One would be motivated to do so because in order to improve better system and method to determined whether the cycle is even or odd if the two islands have the same color, however, then the cycle is odd (Chase, [0225]).
Regarding to claim 9:
The computer-implemented method of claim 4, comprising: comparing the odd cycle to an even cycle in the group of graph nodes, wherein the identifying of the anomalous connection is based on the comparing (Chase [0264] step 3326 it is determined whether the cycle is even or odd. If the two islands are colored oppositely, then the cycle is even and nothing need be done, connected … If the two islands have the same color, however, then the cycle is odd. In step 3328 the odd cycle is inserted into the odd cycle collection structure for later presentation to the user. Again, there is no need to connect the new arc in the tree. [0253] odd cycle … violation)
Regarding to claim 11:
The computer-implemented method of claim 9, wherein the even cycle in the group of graph nodes comprises edges between graph nodes in the group of graph nodes, excluding an edge between graph nodes assigned the same role  (Chase [0252] step 3226 it is determined whether the cycle is even or odd. If the two islands are colored oppositely, then the cycle is even and nothing need be done, connected … If the two islands have the same color, however, then the cycle is odd. In step 3228 the odd cycle is inserted into an odd cycle collection structure for later presentation to the user. Again, there is no need to connect the new arc in the tree. Node: same color is same role)
Regarding to claim 15:
[Rejection rationale for claim 4 is applicable].

Regarding to claim 16:
[Rejection rationale for claim 9 is applicable].

Regarding to claim 18:
[Rejection rationale for claim 4 is applicable].

Regarding to claim 19:
[Rejection rationale for claim 9 is applicable].

Regarding to claim 20:
[Rejection rationale for claim 11 is applicable].

Regarding to claim 21:
[Rejection rationale for claim 11 is applicable].

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  
This action is a final rejection and is intended to close the prosecution of this application. Applicant’s reply under 37 CFR 1.113 to this action is limited either to an appeal to the Patent Trial and Appeal Board or to an amendment complying with the requirements set forth below.
If applicant should desire to appeal any rejection made by the examiner, a Notice of Appeal must be filed within the period for reply identifying the rejected claim or claims appealed. The Notice of Appeal must be accompanied by the required appeal fee.
If applicant should desire to file an amendment, entry of a proposed amendment after final rejection cannot be made as a matter of right unless it merely cancels claims or complies with a formal requirement made earlier. Amendments touching the merits of the application which otherwise might not be proper may be admitted upon a showing a good and sufficient reasons why they are necessary and why they were not presented earlier.
A reply under 37 CFR 1.113 to a final rejection must include the appeal from, or cancellation of, each rejected claim. The filing of an amendment after final rejection, whether or not it is entered, does not stop the running of the statutory period for reply to the final rejection unless the examiner holds the claims to be in condition for allowance. Accordingly, if a Notice of Appeal has not been filed properly within the period for reply, or any extension of this period obtained under either 37 CFR 1.136(a) or (b), the application will become abandoned.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HIEN DOAN whose telephone number is 571 272-4317.  The examiner can normally be reached on Monday-Thursday and biweekly Friday 9am-6pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SRIVASTAVA VIVEK can be reached on 571-272-7304(571)272-7304.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HIEN V DOAN/Examiner, Art Unit 2449         

/VIVEK SRIVASTAVA/Supervisory Patent Examiner, Art Unit 2449