DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
No information disclosure statement (IDS) was submitted before the mailing date of this office action. Accordingly, no information disclosure statement is being considered by the examiner.
Response to Arguments
Applicant’s arguments, see Remarks, filed 05/23/2022, with respect to the rejection(s) of independent claims 1, 8 and 15 under 35 USC § 103 have been fully considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over US-PGPUB No. 20190158520 A1 to DiValentin et al. (hereinafter “DiValentin”), US-PGPUB No. 20200285944 A1 to Lee et al. (hereinafter “Lee”), and further in view of US-PGPUB No. 20190081959 A1 to Yadav et al. (hereinafter “Yadav”).
Regarding claim 1:
DiValentin discloses:
A system comprising (¶15: “… networked computing system 100 …”, FIG. 1): 
a non-transitory memory (see ¶27: “…  one or more non-transitory machine-readable storage mediums.…”); and 
one or more hardware processors (¶26: “… processor 133 …”) coupled with the non-transitory storage medium and configured to execute instructions from the non-transitory storage medium to cause the system to perform operations comprising (see ¶27: “processor 133 executes programmed instructions stored in memory to cause the Graph Analytics Module 135 and MDID 130 to perform one or more functions described in this specification. The memory of processor 133 can include one or more non-transitory machine-readable storage mediums.”): 
determining, based on network traffic interactions between an external network resource and each of one or more internal servers, an external burst score for the external network resource, the external network resource being a network resource of one or more external domains (¶07: “… transmitting, from each of the plurality of domains, the reputation score for the domain to each host computer connected to the domain … receiving, by each of the plurality of domains, a reputation score for each host computer connected to the domain … and rescoring, for each of the plurality of domains, the reputation score for the domain based on a summation of the received reputation scores for each host computer connected to the domain.”,  
¶41: “…  a known non-malicious classification corresponds to a reputation score of 0.9. A known malicious classification corresponds to a reputation score of −0.9. A known suspicious classification corresponds to a reputation score of −0.6. If a domain is unclassified, then the domain is assigned a reputation score of 0.”); 
determining, based on network traffic interactions between an internal network resource and each of the one or more external domains, an internal burst score for the internal network resource, the internal network resource being a network resource of the one or more internal servers (¶07: “… propagating a portion of a reputation score for a host computer associated with an IP address corresponding to a first time period to the same IP address corresponding to one or more additional time periods … and rescoring the reputation score for each of the plurality of host computers based on the assigned time periods and the propagated portion of a reputation score …”
¶41: “… internal hosts that have not been confirmed as compromised are assigned a reputation score of 0.”);  
creating a burst graph based on the internal burst score and external burst score (see ¶05: “… generating a graph representation of the network, and the communication between networked computer assets (e.g., internal hosts and external domains) … apply various graph analytical measures to an iterative tuning process, which calculates and propagate reputation scores of nodes associated with identified domains and internal hosts in order to identify potentially malicious domains amongst unidentified domains.”);
However, DiValentin failed to explicitly disclose the following limitation taught by Lee:  
based on the burst graph, determining an interaction pattern between the external network resource and the internal network resource using a graph convolutional neural network (see Lee ¶03: “… a method for making inferences from graph-structured data includes performing operations by one or more processing devices based on a graph convolutional neural network model that includes one or more graph convolutional layers. The operations also include … for each respective node in a set of nodes from the nodes in the graph, selecting one type of motif from multiple types of motifs … “, 
¶37: “A motif indicates a particular pattern of interactions between vertices.”);  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of DiValentin to incorporate the method for making inferences from a graph-structured dataset using a graph convolutional neural network to analyze pattern interactions between nodes and infer expectations, as disclosed by Lee. Such incorporation would provide timely detection and identification of anomalous behavior.
The combination of DiValentin and Lee failed to explicitly disclose the following limitation taught by Yadav:
determining an anomalous traffic event based on a deviation of the interaction pattern from a probability density function (see Yadav ¶281: “A statistical model can be implemented to then detect patterns based on the lineage of the process and identify any anomalies or malicious events.”, and 
¶290: “This disclosure can use a statistical model, such as markov chains, to study the lineage patterns and detect anomalies.”).   
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of the combination of DiValentin and Lee to incorporate the statistical model of the traffic monitoring system to determine anomalous behavior, as disclosed by Yadav. Such incorporation would help determine the amount of traffic certain processes send and establish patterns to provide timely detection and identification of anomalous behavior.
Regarding claim 2:
The combination of DiValentin, Lee and Yadav discloses:
The system in claim 1, wherein determining the internal burst score comprises: 
determining an internal resource interaction probability based on a number of total internal traffic interactions and a number of internal resource interactions (see Yadav ¶49: “… creating summary statistics related to the datacenter, identifying components or hosts that are at capacity, identifying components or hosts that are under-utilized or incapacitated, comparing current activity to historical or expected activity, etc.”), 
determining a resource interaction cost based on the internal resource interaction probability (see Yadav ¶49: “… the analytics module can modify an access control list, a firewall, subnet assignments, etc. The analytics module can then present a report describing the status of the datacenter (step 324), e.g., to an administrator. Step 324 can include creating charts, graphs, illustrations, tables, notifications, etc.”), and  
determining a difference between a burst state score and a base state score, wherein the burst state score is based on a state transition cost and the internal resource interaction probability, and wherein the base state score is based on the resource interaction cost and the internal resource interaction probability (see Yadav ¶442: “… the differences between attacks when a certain port was open are compared to when the port is closed using historical flow attack data. The vulnerability index for that port would be calculated based on the number of additional attacks that occurred when that port was open versus when it was closed.”).  
The same motivation used to combine the combination of DiValentin and Lee with Yadav in claim 1 also applies in the rejection of claim 2.
Regarding claim 3:
The combination of DiValentin, Lee and Yadav discloses:
The system of claim 1, wherein determining the external burst score comprises: 
determining a normal external interaction range based on an average number of external resource interactions and an external resource standard deviation (see Yadav ¶484: “Anomaly detection—Detect when stats for a particular host, host-pair or flows are outside the normal range.” 
¶487: “… we would aggregate anomalies from a lower granularity, along with stats to more confidently detect DDOS.” 
¶489: “… a traits table … would include following features: (1) packets: a. mean and std of num packets …”), and 
determining a difference between the number of external network resource interactions and the normal external interaction range (see Yadav ¶479: “Irregular traffic can be discovered by developing a signature of normal traffic … and comparing it to current traffic. The signature can include packet count, byte count, service/host connection counts, TCP flags, port, protocol, port count, geo-location, user (of a process), process ID, etc. The signature can be created using statistics and analytics.”).  
The same motivation used to combine the combination of DiValentin and Lee with Yadav in claim 1 also applies in the rejection of claim 3.
Regarding claim 4:
The combination of DiValentin, Lee and Yadav discloses:
The system for claim 1, wherein the operations further comprise: 
determining one or more external burst scores for each of the one or more external domains (see DiValentin ¶07: “… rescoring, for each of the plurality of domains, the reputation score for the domain …”); and
determining one or more internal burst scores for each of the one or more internal servers (see DiValentin ¶07: “… rescoring the reputation score for each of the plurality of host computers …”); and 
wherein creating the burst graph is further based on the one or more external burst scores and the one or more internal burst scores, and wherein the burst graph further comprises one or more edges between each of the one or more external domains and each of the one or more internal servers (see Yadav ¶39: “Leaf switches 204 can reside at the edge of network fabric 212, and can thus represent the physical network edge.”, ¶556: “… for each observed edge (communication) from a node in cluster A to a node in cluster B, on server port C, a … policy is introduced such that any node in cluster A can communicate with any node in cluster B on server port C.”, and ¶576: “… an edge is a communication from source (client) node to destination (server) node using a (server) port.” See Fig. 2 for edges and network resources).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of the combination of DiValentin and Lee to incorporate the network fabric which implements leaf switches that represent the physical network edges, as disclosed by Yadav. Such incorporation would allow the system to aggregate network traffic coming from server nodes and connect endpoint groups that can be used for mapping applications and policy to the group of applications.
Regarding claim 5:
The combination of DiValentin, Lee and Yadav discloses:
The system for claim 4 wherein determining the interaction pattern further comprises: 
determining an embedding for each internal network resource based on the one or more edges of the burst graph between the internal server and each external domain (see Yadav ¶562: “vector types can be based solely on server ports …The set of vectors can then be post-processed, such as (frequent) feature pruning, TF-IDF re-weighting, and 12-normalization.”, and ¶613: “A TF-IDF computation (TF-IDF is an information retrieval technique) can be performed to reweight attributes by a measure of their informativeness for a node. A similar algorithm can be performed on clusters (each cluster can be represented by a single vector, then TF-IDF post-processing can be performed on such set of vectors).”); and
determining an embedding for each external domain based on the one or more edges of the burst graph between the external network resource and each internal server (see Yadav ¶562: “vector types can be … solely based on destination addresses (IPs). The set of vectors can then be post-processed, such as (frequent) feature pruning, TF-IDF re-weighting, and 12-normalization.”). 
The same motivation used to combine the combination of DiValentin and Lee with Yadav in claim 4 also applies in the rejection of claim 5.
Regarding claim 6:
The combination of DiValentin, Lee and Yadav discloses:
The system for claim 1, wherein the external network resource includes a web browser or a mobile payment application (DiValentin ¶69: “The systems and techniques … can be implemented in a computing system … that includes a front-end component … e.g., a client computer having … a Web browser through which a user can interact with an implementation of the systems and techniques …”).  
Regarding claim 7:
The combination of DiValentin, Lee and Yadav discloses:
The system for claim 1, wherein the operations further comprise: 
in response to determining the anomalous traffic event, performing a corrective action comprising at least one of:  
blocking the external network resource from accessing the internal network resource, disabling the internal network resource, limiting connections to the internal network resource, or sending a notification to one or more users (DiValentin ¶51: “… network security functions may compare the returned final reputation score to a threshold associated with reputation scores for malicious nodes, and automatically quarantine (e.g., filter/block access) a computer asset having a reputation that is less than or equal to the threshold for being potentially malicious or exhibiting malicious behavior.”).  
Regarding claims 8-14: 
Claims 8-14 recite substantially the same limitations as claims 1-7, respectively, in the form of a system implementing the corresponding method; therefore, they are rejected under the same rationale.
Regarding claims 15-20:
Claims 15-19 and 20 recite substantially the same limitations as claims 1-5 and 7, respectively, in the form of a non-transitory computer readable medium storing instructions for implementing the corresponding method; therefore, they are rejected under the same rationale.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
Harris et al. (US-PGPUB No. 2018/0332064 A1) - disclosed a method of computing a risk score for a user using a device based on a peer group identifier.
Wu et al. (US-PGPUB No. 2020/0104426 A1) - disclosed data graph similarity analytics based on graph embedding.
Apostolopoulos (US-PGPUB No. 2018/0219888 A1) - disclosed techniques related to graph-based network security analytic framework to combine multiple sources of information and security knowledge in order to detect risky behaviors and potential threats.
Rossi (US-PGPUB No. 2021/0014124 A1) - disclosed how to determine network embeddings that describe the underlying characteristics of nodes in a network.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHIAS HABTEGEORGIS whose telephone number is (571)272-1916. The examiner can normally be reached M-F 8am-5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B Patel can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/M.H./Examiner, Art Unit 2491
/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491