DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1-20 is/are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Biswas et al (U.S. Pub. No. 2020/0128047 A1).


As per claims 1, 8 and 15, Biswas disclosed a method comprising:
generating, in response to obtaining one or more internet protocol addresses included within input data (paragraph.118) {Analytics can use information received from tenant systems that describes threat intelligence provided by the tenant. These sources, which are referred to in the example system 200 as tenant base lines 217, can include information such as specific IP addresses to watch or block}, a graph data structure based on one or more features of the one or more internet protocol addresses in the input data (Figure.5, paragraphs.9 and 65) {Method/operations may also include determining that an event in the activity data violates a security policy; determining that the event corresponds to an event captured in the directed graph; and generating a recommendation to modify the security policy. The method/operations may also include obtaining additional activity data from the service provider system; mapping actions performed by the particular user to the directed graph. Domain information 128 can include, for example, a network address or location of the service provider 110, identification information for an owner or operator of the service provider 110 (e.g., the person or organization that owns and/operates the service provider 110)};
generating a first matrix using the graph data structure, the first matrix to represent nodes in the graph data structure (paragraph.139, Table 5) {Table 5 below lists example values for several possible daily aggregation matrix vectors. The example vectors illustrated here include a count of logins per day for one day (“logcntday_1dy”), a count of failed logins per day for one day (“logfailcntday_1dy”), a count per day of IP addresses from which failed logins occurred over one day (“logfailipdisday_1dy”), and a count per day of IP addresses used to log in over one day (“logipdisday_1dy”).};
generating a second matrix using the graph data structure, the second matrix to represent edges in the graph data structure (paragraph.188) {When the first action is followed sequentially by the second action in the event log, the first vertex may be connected to the second vertex through an edge in the graph}; and
 classifying, using the first matrix and the second matrix, at least one of the one or more internet protocol addresses to identify a reputation of the at least one of the one or more internet protocol addresses (paragraph.169) {Third-party feeds can provide external information about and relating to potential security threats such as, for example, IP address reputation, malware, identification of infected node points, vulnerable web browser versions, use of proxy or Virtual Private Network (VPN) server by a user, and known attacks on clouds. In some examples, threat information is expressed in the Structured Threat Information eXpression (STIX) data format. For example, one or more services may contribute information concerning a particular IP address, such as a reputation (e.g., known for having software vulnerabilities, a host of malicious software, or source of attacks) and/or a geographic location associated with the IP address}.

As per claims 2, 9 and 16 Biswas disclosed the method of claim 15, wherein classifying the at least one of the one or more internet protocol addresses is implemented in a transductive machine learning environment (paragraph.117 and 121) {Some examples, the threat detection and prediction analytics application 212 can generate analytics using machine learning and other algorithms. One example of a threat scenario is IP hopping. In an IP hopping scenario, an attacker may use one or more proxy servers to hide the attacker's true location or machine identity before mounting an attack. Detection of this type of scenario can involve geographic resolution (e.g., identifying or looking up a geographic location associated with an IP address) of each IP connection used to connect to a cloud application. Detection can further include detecting anomalous characteristics in the spatial data, and predicting a threat from this information}.

As per claims 3 and 10 Biswas disclosed the computer readable storage medium of claim 9, wherein the instructions, when executed, cause the at least one processor to obtain the input data from at least one of a training controller and a connectivity environment (paragraph.171) {An algorithm can simulate normal user activities using previously acquired user activity data. For example, the tenant base lines 317 can include records of users' past use of a cloud service. The simulation can be used to train other machine learning algorithms to learn the normal behavior of an organization's users}.

As per claims 4, 11 and 17 Biswas disclosed the method of claim 16, further including obtaining the input data in response to a reputation verification request, the reputation verification request requesting to identify the reputation of at least one of the one or more internet protocol addresses (paragraph.169) {Third-party feeds can provide external information about and relating to potential security threats such as, for example, IP address reputation, malware, identification of infected node points, vulnerable web browser versions, use of proxy or Virtual Private Network (VPN) server by a user, and known attacks on clouds. In some examples, threat information is expressed in the Structured Threat Information eXpression (STIX) data format. For example, one or more services may contribute information concerning a particular IP address, such as a reputation (e.g., known for having software vulnerabilities, a host of malicious software, or source of attacks) and/or a geographic location associated with the IP address}.

As per claims 5, 12 and 18 Biswas disclosed the method of claim 16, further including extracting the one or more features from the one or more internet protocol addresses in the input data (paragraph.169) {One or more services may contribute information concerning a particular IP address, such as a reputation (e.g., known for having software vulnerabilities, a host of malicious software, or source of attacks) and/or a geographic location associated with the IP address}.

As per claims 6, 13 and 19 Biswas disclosed the method of claim 18, further including extracting the one or more features by identifying at least one of a subnetwork or an autonomous system numbers group associated with the one or more internet protocol addresses (paragraph.68) {Client devices 106a-106c through which the services 112a-112b are used, and/or obtained by monitoring points within an organization's network, such as at routers or the firewall 108. Herein, data obtained from client devices or within the organization's network is referred to as network data. To obtain network data, in some examples, monitoring agents can be placed on the client devices 106a-106c and/or on the network infrastructure of the organization's network}.

As per claims 7, 14 and 20 Biswas disclosed the method of claim 15, wherein classifying the at least one of the one or more internet protocol addresses is implemented with a graph neural network (paragraphs.165 and 187) {Some examples, feedback can be obtained using automated machine learning algorithms, such as decision trees and neural networks. Any contextual properties of each action (e.g., a network address, a geolocation, a date and time, etc.) can be represented as a subgraph of each vertex v.}.



Conclusion
The prior art made of record and not relied upon, considered pertinent to applicant's disclosure, is indicated in PTO form 892.

Applicant's future amendments need to comply with the requirements of MPEP § 714.02, MPEP § 2163.04 and MPEP § 2163.06.

"with respect to newly added or amended claims, applicant should show support in the original disclosure for the new or amended claims." See MPEP § 714.02 and § 2163.06 ("Applicant should * * * specifically point out the support for any amendments made to the disclosure."); and MPEP § 2163.04 ("If applicant amends the claims and points out where and/or how the originally filed disclosure supports the amendment(s), and the examiner finds that the disclosure does not reasonably convey that the inventor had possession of the subject matter of the amendment at the time of the filing of the application, the examiner has the initial burden of presenting evidence or reasoning to explain why persons skilled in the art would not recognize in the disclosure a description of the invention defined by the claims."). See In re Smith, 458 F.2d 1389, 1395, 173 USPQ 679, 683 (CCPA 1972); In re Wertheim, 541 F.2d at 262, 191 USPQ at 96 (emphasis added).

"The use of a confusing variety of terms for the same thing should not be permitted. 

New claims and amendments to the claims already in the application should be scrutinized not only for new matter but also for new terminology. While an applicant is not limited to the nomenclature used in the application as filed, he or she should make appropriate amendment of the specification whenever this nomenclature is departed from by amendment of the claims so as to have clear support or antecedent basis in the specification for the new terms appearing in the claims. This is necessary in order to insure certainty in construing the claims in the light of the specification." Ex parte Kotler, 1901 C.D. 62, 95 O.G. 2684 (Comm'r Pat. 1901). See 37 CFR 1.75, MPEP § 608.01(i) and § 1302.01.

Note that examiners should ensure that the terms and phrases used in claims presented late in prosecution of the application (including claims amended via an examiner's amendment) find clear support or antecedent basis in the description so that the meaning of the terms in the claims may be ascertainable by reference to the description, see 37 CFR 1.75(d)(1). If the examiner determines that the claims presented late in prosecution do not comply with 37 CFR 1.75(d)(1), applicant will be required to make appropriate amendment to the description to provide clear support or antecedent basis for the terms appearing in the claims provided no new matter is introduced."

"USPTO personnel are to give claims their broadest reasonable interpretation in light of the supporting disclosure." In re Morris, 127 F.3d 1048, 1054-55, 44 USPQ2d 1023, 1027-28 (Fed. Cir. 1997). MPEP § 2106.

The examiner has cited particular columns and line numbers in the references as applied to the claims above for the convenience of the applicant. Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested from the applicant, in preparing the responses, to fully consider each of the cited references in entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage disclosed by the examiner.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ASGHAR H BILGRAMI whose telephone number is (571)272-3907. The examiner can normally be reached M-F 6 AM to 9 PM IFP.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Srilakshmi Kumar can be reached on 571-272-7769. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ASGHAR H BILGRAMI/Primary Examiner, Art Unit 2647