Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The IDS filed 10/29/2021 has been considered.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 2, 3, 8-12, 15-18 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 2, 5, 16, 17, 20 and 31 of U.S. Patent No. 10,581,891. See corresponding claim table. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims in the present application are fully anticipated by the patent. The only difference is that the independent claims in the present application are broader in that they do not include specific details as recited in the patent. This is a matter of Applicant’s choice to broaden the claims to seek broader patent protection.

Claim table: claims of the current application, followed by the corresponding claims of U.S. Patent No. 10,581,891.
Current Application:
2. A method comprising: monitoring activities within a network environment; generating a multidimensional logical graph model comprising a set of nodes and a set of edges using at least a portion of the monitored activities, the set of edges comprising a first edge having a first edge type that indicates a first type of relationship between nodes interconnected by the first edge and a second edge having a second edge type that indicates a second type of relationship between nodes interconnected by the second edge; and using the generated logical graph model to detect an anomaly in the network environment.
3. The method of claim 2, further comprising generating an alert based on the detected anomaly.
11. The method of claim 2, wherein: the first edge type indicates a first type of behavioral relationship between the nodes interconnected by the first edge; and the second edge type indicates a different type of behavioral relationship between the nodes interconnected by the second edge.

8. The method of claim 2, wherein the generated logical graph model represents a baseline of behavior in the network environment.


9. The method of claim 8, wherein using the generated logical graph model to detect the anomaly includes comparing a current graph associated with the network environment against the baseline.

10. The method of claim 2, wherein the detected anomaly is associated with a security threat.

12. A system comprising: a processor; and a memory storing instructions configured to direct the processor to: monitor activities within a network environment; generate a multidimensional logical graph model comprising a set of nodes and a set of edges using at least a portion of the monitored activities, the set of edges comprising a first edge having a first edge type that indicates a first type of relationship between nodes interconnected by the first edge and a second edge having a second edge type that indicates a second type of relationship between nodes interconnected by the second edge; and use the generated logical graph model to detect an anomaly in the network environment.
13. The system of claim 12, further comprising generating an alert based on the detected anomaly.

15. The system of claim 12, wherein the detected anomaly is associated with a security threat.

16. The system of claim 12, wherein: the generated logical graph model represents a baseline of behavior in the network environment; and using the generated logical graph model to detect the anomaly includes comparing a current graph associated with the network environment against the baseline.



17. A computer program product embodied in a non-transitory computer-readable storage medium and comprising computer instructions for: monitoring activities within a network environment; generating a multidimensional logical graph model comprising a set of nodes and a set of edges using at least a portion of the monitored activities, the set of edges comprising a first edge having a first edge type that indicates a first type of relationship between nodes interconnected by the first edge and a second edge having a second edge type that indicates a second type of relationship between nodes interconnected by the second edge; and using the generated logical graph model to detect an anomaly in the network environment.
18. The computer program product of claim 17, further comprising generating an alert based on the detected anomaly.

U.S. Patent No. 10,581,891:
16. A method, comprising: monitoring activities within a network environment and generating a graph of physical connection information, wherein generating the graph of physical connection information includes matching information provided by a client and a server, respectively, into an established connection between the client and the server; using at least a portion of the generated graph of physical connection information to generate a multidimensional logical graph model, wherein the multidimensional logical graph model comprises a set of nodes and a set of edges, wherein a first node included in the set of nodes corresponds to an entity of a first type and wherein a second node included in the set of nodes corresponds to an entity of a second type that is different from the first type, wherein an edge connects the first node and the second node, wherein a first edge between the first node and the second node has a first edge type and a second edge between the second node and a third node has a second edge type that is different from the first edge type, wherein the first edge type indicates a first behavioral relationship between arbitrary nodes interconnected by the first edge type, and wherein the second edge type indicates a different behavioral relationship between arbitrary nodes interconnected by the second edge type; determining, using the generated multidimensional logical graph model, that a new edge has been added to the set of edges; and in response to determining that the new edge has been added to the set of edges, automatically generating an alert that an anomaly in the network environment associated with the new edge has occurred.
17. The method of claim 16 wherein the generated multidimensional logical graph model represents a baseline of behavior of nodes included in the network environment.

18. The method of claim 17 wherein using the multidimensional logical graph model to detect the anomaly includes comparing a current graph associated with the network environment against the baseline.

20. The method of claim 16 wherein the detected anomaly is associated with identifying a security threat.

1. A system, comprising: a processor configured to: monitor activities within a network environment and generate a graph of physical connection information, wherein generating the graph of physical connection information includes matching information provided by a client and a server, respectively, into an established connection between the client and the server; use at least a portion of the generated graph of physical connection information to generate a multidimensional logical graph model, wherein the multidimensional logical graph model comprises a set of nodes and a set of edges, wherein a first node included in the set of nodes corresponds to an entity of a first type and wherein a second node included in the set of nodes corresponds to an entity of a second type that is different from the first type, wherein an edge connects the first node and the second node, wherein a first edge between the first node and the second node has a first edge type and a second edge between the second node and a third node has a second edge type that is different from the first edge type, wherein the first edge type indicates a first behavioral relationship between arbitrary nodes interconnected by the first edge type, and wherein the second edge type indicates a different behavioral relationship between arbitrary nodes interconnected by the second edge type; determine, using the generated multidimensional logical graph model, that a new edge has been added to the set of edges; and in response to determining that the new edge has been added to the set of edges, automatically generate an alert that an anomaly in the network environment associated with the new edge has occurred; and a memory coupled to the processor and configured to provide the processor with instructions.

5. The system of claim 1 wherein the detected anomaly is associated with identifying a security threat.

2. The system of claim 1 wherein the generated multidimensional logical graph model represents a baseline of behavior of nodes included in the network environment.
3. The system of claim 2 wherein using the multidimensional logical graph model to detect the anomaly includes comparing a current graph associated with the network environment against the baseline.

31. A computer program product embodied in a non-transitory computer readable storage medium and comprising computer instructions for: monitoring activities within a network environment and generating a graph of physical connection information, wherein generating the graph of physical connection information includes matching information provided by a client and a server, respectively, into an established connection between the client and the server; using at least a portion of the generated graph of physical connection information to generate a multidimensional logical graph model, wherein the multidimensional logical graph model comprises a set of nodes and a set of edges, wherein a first node included in the set of nodes corresponds to an entity of a first type and wherein a second node included in the set of nodes corresponds to an entity of a second type that is different from the first type, wherein an edge connects the first node and the second node, wherein a first edge between the first node and the second node has a first edge type and a second edge between the second node and a third node has a second edge type that is different from the first edge type, wherein the first edge type indicates a first behavioral relationship between arbitrary nodes interconnected by the first edge type, and wherein the second edge type indicates a different behavioral relationship between arbitrary nodes interconnected by the second edge type; determining, using the generated multidimensional logical graph model, that a new edge has been added to the set of edges; and in response to determining that the new edge has been added to the set of edges, automatically generating an alert that an anomaly in the network environment associated with the new edge has occurred.


Claims 2, 8-12, 15-17 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 3, 4, 6, 17, 19, 20, 22 and 33 of U.S. Patent No. 11,153,339. See corresponding claim table. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims in the present application are fully anticipated by the patent. The only difference is that the independent claims in the present application are broader in that they do not include specific details as recited in the patent. This is a matter of Applicant’s choice to broaden the claims to seek broader patent protection.
Claim table: claims of the current application, followed by the corresponding claims of U.S. Patent No. 11,153,339.
Current Application:
2. A method comprising: monitoring activities within a network environment; generating a multidimensional logical graph model comprising a set of nodes and a set of edges using at least a portion of the monitored activities, the set of edges comprising a first edge having a first edge type that indicates a first type of relationship between nodes interconnected by the first edge and a second edge having a second edge type that indicates a second type of relationship between nodes interconnected by the second edge; and using the generated logical graph model to detect an anomaly in the network environment.
11. The method of claim 2, wherein: the first edge type indicates a first type of behavioral relationship between the nodes interconnected by the first edge; and the second edge type indicates a different type of behavioral relationship between the nodes interconnected by the second edge.

8. The method of claim 2, wherein the generated logical graph model represents a baseline of behavior in the network environment.


9. The method of claim 8, wherein using the generated logical graph model to detect the anomaly includes comparing a current graph associated with the network environment against the baseline.

10. The method of claim 2, wherein the detected anomaly is associated with a security threat.

12. A system comprising: a processor; and a memory storing instructions configured to direct the processor to: monitor activities within a network environment; generate a multidimensional logical graph model comprising a set of nodes and a set of edges using at least a portion of the monitored activities, the set of edges comprising a first edge having a first edge type that indicates a first type of relationship between nodes interconnected by the first edge and a second edge having a second edge type that indicates a second type of relationship between nodes interconnected by the second edge; and use the generated logical graph model to detect an anomaly in the network environment.

15. The system of claim 12, wherein the detected anomaly is associated with a security threat.

16. The system of claim 12, wherein: the generated logical graph model represents a baseline of behavior in the network environment; and using the generated logical graph model to detect the anomaly includes comparing a current graph associated with the network environment against the baseline.


17. A computer program product embodied in a non-transitory computer-readable storage medium and comprising computer instructions for: monitoring activities within a network environment; generating a multidimensional logical graph model comprising a set of nodes and a set of edges using at least a portion of the monitored activities, the set of edges comprising a first edge having a first edge type that indicates a first type of relationship between nodes interconnected by the first edge and a second edge having a second edge type that indicates a second type of relationship between nodes interconnected by the second edge; and using the generated logical graph model to detect an anomaly in the network environment.

U.S. Patent No. 11,153,339:
17. A method, comprising: monitoring activities within a network environment; generating a multidimensional logical graph model comprising a set of nodes and a set of edges using at least a portion of the monitored activities; and determining, using the generated logical graph model to detect an anomaly, and in response to detecting the anomaly, recording the anomaly; wherein a first node included in the set of nodes corresponds to an entity of a first type and wherein a second node included in the set of nodes corresponds to an entity of a second type that is different from the first type; wherein the first node comprises a plurality of individual elements clustered together; wherein a first edge connects the first node and the second node and wherein the first edge has a first edge type; wherein a second edge connects the second node and a third node and wherein the second edge has a second edge type that is different from the first edge type; and wherein the first edge type indicates a first type of behavioral relationship between arbitrary nodes interconnected by the first edge type and wherein the second edge type indicates a different type of behavioral relationship between two arbitrary nodes interconnected by the second edge type.

19. The method of claim 17, wherein the generated logical graph model represents a baseline of behavior of nodes included in the network environment.

20. The method of claim 19, wherein using the logical graph model to detect the anomaly includes comparing a current graph associated with the network environment against the baseline.

22. The method of claim 17, wherein the detected anomaly is associated with identifying a security threat.

1. A system, comprising: a processor configured to: monitor activities within a network environment; generate a multidimensional logical graph model comprising a set of nodes and a set of edges using at least a portion of the monitored activities; and determine, using the generated logical graph model, an anomaly, and in response to detecting the anomaly, record the anomaly; wherein a first node included in the set of nodes corresponds to an entity of a first type and wherein a second node included in the set of nodes corresponds to an entity of a second type that is different from the first type; wherein the first node comprises a plurality of individual elements clustered together; wherein a first edge connects the first node and the second node and wherein the first edge has a first edge type; wherein a second edge connects the second node and a third node and wherein the second edge has a second edge type that is different from the first edge type; and wherein the first edge type indicates a first type of behavioral relationship between arbitrary nodes interconnected by the first edge type and wherein the second edge type indicates a different type of behavioral relationship between two arbitrary nodes interconnected by the second edge type; and a memory coupled to the processor and configured to provide the processor with instructions.

6. The system of claim 1, wherein the detected anomaly is associated with identifying a security threat.

3. The system of claim 1, wherein the generated logical graph model represents a baseline of behavior of nodes included in the network environment.
4. The system of claim 3, wherein using the logical graph model to detect the anomaly includes comparing a current graph associated with the network environment against the baseline.

33. A computer program product embodied in a non-transitory computer readable storage medium and comprising computer instructions for: monitoring activities within a network environment; generating a multidimensional logical graph model comprising a set of nodes and a set of edges using at least a portion of the monitored activities; and determining, using the generated logical graph model to detect an anomaly, and in response to detecting the anomaly, recording the anomaly; wherein a first node included in the set of nodes corresponds to an entity of a first type and wherein a second node included in the set of nodes corresponds to an entity of a second type that is different from the first type; wherein the first node comprises a plurality of individual elements clustered together; wherein a first edge connects the first node and the second node and wherein the first edge has a first edge type; wherein a second edge connects the second node and a third node and wherein the second edge has a second edge type that is different from the first edge type; and wherein the first edge type indicates a first type of behavioral relationship between arbitrary nodes interconnected by the first edge type and wherein the second edge type indicates a different type of behavioral relationship between two arbitrary nodes interconnected by the second edge type.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 2-21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Lefebvre et al. (US 2015/0341379, hereinafter referred to as “Lefebvre”) in view of Devi Reddy et al. (US 2017/0118240, hereinafter referred to as “Devi Reddy”).

Regarding claim 2, Lefebvre teaches a method comprising:
monitoring activities within a network environment (figure 1: monitoring device analyzes network traffic received from a gateway);
generating a logical graph model (figure 3B), comprising a set of nodes and a set of edges using at least a portion of the monitored activities (abstract - generating a network map including at least a plurality of network nodes and a plurality of edges that indicate communications paths between the plurality of network nodes); and using the generated logical graph model to detect an anomaly in the network environment [0089 - monitoring device may send event message when edge anomaly score is greater than the threshold edge anomaly score, the event message may alert user to the edge anomaly].
However, Lefebvre does not teach the logical graph model being multidimensional, and the set of edges comprising a first edge having a first edge type that indicates a first type of relationship between nodes interconnected by the first edge and a second edge having a second edge type that indicates a second type of relationship between nodes interconnected by the second edge.
In an analogous art, Hertzog teaches the logical graph model being multidimensional (abstract - multidimensional chart for visualizing the behavior of a plurality of nodes, applications and/or users in a network).
Before the effective filing date of the application, one of ordinary skill in the art would have been motivated to employ a multidimensional graph in order to allow a user to visualize the behavior of nodes (Hertzog, abstract) as well as enable the nodes to correspond to entities of different types in order to provide a useful, immediate and effective overview of the network connections and activity between users, applications, nodes and ports [Hertzog, 0028]. Therefore one of ordinary skill in the art would combine the teachings of Lefebvre and Hertzog in order to monitor the network in an efficient manner.
In another analogous art, Devi Reddy teaches the set of edges comprising a first edge having a first edge type that indicates a first type of relationship between nodes interconnected by the first edge and a second edge having a second edge type that indicates a second type of relationship between nodes interconnected by the second edge (figure 7 - edges 710, 720 and 730; paragraphs 0121 - 0124 - edge 710 between entity 700 and entity 705, edge 720 represent relationship between entity 715 and entity 717 from 3 PM to 5 PM, edge 720 represent relationship between entities 717 and 725 at different time ranges).
Before the effective filing date of the application, one of ordinary skill in the art would have been motivated to employ edges between nodes to represent behavioral relationships in order to present to a user an entity graph that may be used to determine if a security threat is present [Devi Reddy, 0123].

Regarding claim 3, Lefebvre teaches the method of claim 2, further comprising generating an alert based on the detected anomaly [0089 - monitoring device may send event message when edge anomaly score is greater than the threshold edge anomaly score, the event message may alert user to the edge anomaly].

Regarding claim 4, Lefebvre teaches the method of claim 3, wherein the alert indicates a severity level [0061 - a diagonal cross hatch for a node may indicate that the corresponding node has a high probability of an active threat based on a high node anomaly score or a node anomaly score that is not low. In some examples, the colors may include red, yellow, and green, that indicate the probability of anomalous activity of the corresponding node based on multiple threshold values].

Regarding claim 5, Lefebvre teaches the method of claim 2, wherein a single edge in the set of edges indicates a threat [0027 - The monitoring device 102 generates an edge anomaly score for each of the edges 108a-i that represents a probability that the corresponding connection is anomalous].

Regarding claim 6, Lefebvre teaches the method of claim 2, wherein a combination of edges in the set of edges indicates a threat [0027 - The monitoring device 102 generates an edge anomaly score for each of the edges 108a-i that represents a probability that the corresponding connection is anomalous].

Regarding claim 7, Lefebvre teaches the method of claim 2, wherein: a single edge in the set of edges indicates a threat having a first severity level; and a combination of edges in the set of edges indicates the threat having a second severity level that is higher than the first severity level [0027 - The monitoring device 102 generates an edge anomaly score for each of the edges 108a-i that represents a probability that the corresponding connection is anomalous].

Regarding claim 8, Lefebvre teaches the method of claim 2, wherein the generated logical graph model represents a baseline of behavior in the network environment [0006 - a standard deviation of a packet size or a packet quantity of the particular network node using the model of expected network activity, and determining the node anomaly score for the particular network node using the standard deviation and the second data.].

Regarding claim 9, Lefebvre teaches the method of claim 8, wherein using the generated logical graph model to detect the anomaly includes comparing a current graph associated with the network environment against the baseline [0007 – comparison between second data and the model expected network activity].

Regarding claim 10, Lefebvre teaches the method of claim 2, wherein the detected anomaly is associated with a security threat [0061 - determining probability of threat].

Regarding claim 11, Lefebvre does not explicitly teach the method of claim 2, wherein: the first edge type indicates a first type of behavioral relationship between the nodes interconnected by the first edge; and the second edge type indicates a different type of behavioral relationship between the nodes interconnected by the second edge. Devi Reddy teaches the first edge type indicates a first type of behavioral relationship between the nodes interconnected by the first edge; and the second edge type indicates a different type of behavioral relationship between the nodes interconnected by the second edge (figure 7 - edges 710, 720 and 730; paragraphs 0121 - 0124 - edge 710 between entity 700 and entity 705, edge 720 represent relationship between entity 715 and entity 717 from 3 PM to 5 PM, edge 720 represent relationship between entities 717 and 725 at different time ranges). The motivation to combine is the same as claim 2.

Claims 12-14 are similar to claims 2-4, respectively, therefore are rejected under the same rationale. 

Claim 15 is similar to claim 10, therefore is rejected under the same rationale.

Claim 16 is similar to claims 8 and 9 combined, therefore is rejected under the same rationale.

Claims 17-19 are similar to claims 2-4, respectively, therefore are rejected under the same rationale. 

Claim 20 is similar to claim 10, therefore is rejected under the same rationale.

Claim 21 is similar to claims 8 and 9 combined, therefore is rejected under the same rationale.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
1. Gounares; Alexander G., US 9734040 – graph representing application relationships.
2. Kowalyshyn; Daniel, US 9654503 - detecting network anomaly between network connections. 
3. Tacchi et al., US 9558265 – analysis of graph comprising nodes and edges.
4. Muddu et al., US 9516053 - detect security related anomalies and threats.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALINA N BOUTAH whose telephone number is (571)272-3908. The examiner can normally be reached M-F 7:00 AM - 3:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William Trost can be reached on 571-272-7872. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

ALINA BOUTAH
Primary Examiner
Art Unit 2442



/ALINA A BOUTAH/           Primary Examiner, Art Unit 2442