DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1, 2, 4-7, 11, and 15-16 are amended, claim 13 is canceled, and claims 1-12 and 14-19 are pending.
Response to Arguments
Applicant’s arguments with respect to claims 1, 11 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 6-7, 9, and 15-17 are rejected under 35 U.S.C. 103 as being unpatentable over Wang (US 7454418 B1) in view of Bhattacharya et al. (US 7483972 B2) and further in view of Coskun (US 20150135320 A1).

With regards to claims 1 and 15, Wang discloses a method for data breach detection, comprising:
identifying a first snapshot of a data structure, wherein the first snapshot corresponds to a state of the data structure at a first point in time (col 24 line 35-50; In one implementation, the signature state list 700 can perform the scanning when the signature state list 700 is short and only one string field is being scanned for a particular connection at a particular time. However, if the signature state list 700 is long or multiple string fields are scanned for a particular connection at a particular time, other search data structure can be used for the signature state table 188. In one implementation, the signature state table 188 can be a signature state bloom filter or a signature state hash table, similar to the data structure in FIGS. 2A-2C. ); 
identifying a plurality of leaf nodes of the data structure based on the first snapshot (FIG 2A-2C, 5A-5C and associated text);
generating a plurality of vectors corresponding to the plurality of leaf nodes, wherein each of the plurality of vectors represents data attributes of a corresponding leaf node (FIG 5A-5B and associated text);
computing a distance metric between the snapshots (FIG 6, 610 and associated text); and
detecting an abnormal snapshot/signature (col 20 line 20-30; Each element of the signature list 350 includes a signature segment ("signature seg") 352, a mask 354, a last flag 356, a next pointer ("nptr") 358, a type 360, and a signature/string ID ("sid") 362. The nptr 358 is a next pointer and the last flag 356 is a tail flag. When the type 360 has a value of 0, the sid 362 is a string ID 364; otherwise, the sid 362 is a signature ID 366. The mask 354 is used to specify certain criteria including: "don't care", "equal", "unequal", "in a range", "out of a range", "case-insensitive", and "case-sensitive" on the basic unit or even sub basic unit. Specifying the criteria can be performed by selecting the sources and results of a comparison unit.)

Wang does not explicitly disclose, but Bhattacharya teaches, identifying a plurality of events/records of a data structure (FIG 8, 801 and associated text);

identifying a plurality of leaf nodes of the data structure for each event/record (FIG 8, 803, 805 and associated text). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Wang's method with the teaching of Bhattacharya in order to protect computer networks from attacks (Bhattacharya col line 10-15).

Wang does not, but Coskun teaches, generating a plurality of vectors corresponding to the plurality of nodes, wherein each of the plurality of vectors represents data attributes of a corresponding node (FIG 8, 820-830; [0047] In some examples, the feature analyzer 460 analyzes k features for the entities 130(A), 130(B), . . . , 130(N) in the first network 120 of FIG. 1. In such examples, each of the entities 130(A), 130(B), . . . , 130(N) has a k-dimensional vector value corresponding to the feature values.);
computing a distance metric between the first snapshot signature and a second snapshot signature representing the data at a second point in time ([0047] The example distance function calculator 464 iteratively calculates a distance (e.g., a feature vector value difference) between the selected entities using a distance function (e.g., a weighted Euclidean distance function) to identify which of the features (e.g., which ones of the example overall aggregate features 600, the example per-type aggregate features 700, and/or the example extended features) are indicative of malicious activity. The example weight adjuster 466 assigns weights (w.sub.i) of the distance function for each generated feature i, which may be preprocessed to have zero mean and unit variance. During analysis of the features, the example weight adjuster 466 iteratively adjusts the weights (w.sub.i) of the distance function (e.g., based on stochastic gradient descent), as disclosed herein, to distinguish suspected malicious entities in the first network 120 from other entities in the first network 12 [0072] In some examples, the program 850 is repeated multiple times for the network log records 301 to identify the features (e.g., the features 600, 700 of FIGS. 6 and/or 7 and corresponding example extended features, etc.) that are indicative of malicious activity.); and
detecting an abnormal snapshot based on the distance metrics (FIG 8, 860 and associated text). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Wang in view of Bhattacharya's method with the teaching of Coskun in order to identify malicious behavior in a network from network log records (Coskun [0001]).

With regards to claims 2 and 16, Wang in view of Bhattacharya and Coskun discloses generating a plurality of snapshots based on backup files of the data structure (Coskun FIG 8, 810-820; log records are from stored backups). Motivation would be the same as stated in claim 1.

With regards to claims 3 and 17, Wang in view of Bhattacharya and Coskun discloses identifying a tree structure on the data structure, wherein the leaf nodes of the data structure correspond to a bottom level of the tree structure (Bhattacharya FIG 9A-9C and associated text). Motivation would be the same as stated in claim 1.

With regards to claim 6, Tan in view of Bhattacharya and Coskun discloses assigning a weight to each of the vectors to produce a set of weighted vectors ([0055] In some examples, the weight adjuster 466 of the feature analyzer 466 adjusts the respective weights of the parameter vector w using a stochastic gradient descent method to reduce the computational complexity of an analysis (e.g., due to a large number entities, features, etc.).);
wherein the weight assigned to each of the vectors corresponds to a number of files associated with a corresponding leaf node (Bhattacharya FIG 8, 803 and associated text; Note: vector value set for Event ID of leaf node). Motivation would be the same as stated in claim 1.

With regards to claim 7, Wang in view of Bhattacharya and Coskun discloses assigning a weight to each of the vectors to produce a set of weighted vectors ([0055] In some examples, the weight adjuster 466 of the feature analyzer 466 adjusts the respective weights of the parameter vector w using a stochastic gradient descent method to reduce the computational complexity of an analysis (e.g., due to a large number entities, features, etc.).);
wherein the weight assigned to each of the vectors corresponds to a cybersecurity risk associated with a corresponding leaf node (Bhattacharya Col 8 line 0-10; then in step 621 the leaf node invokes its parent node such that this incoming event message will be correlated with other event messages that previously registered at other leaf nodes, in order to detect the existence of a high-level network attack.). Motivation would be the same as stated in claim 1.

With regards to claim 9, Examiner takes official notice that the limitation wherein the distance metric comprises an earth mover's distance, a Kantorovich-Mallows distance, a Wasserstein distance, or any combination thereof is a well-known technique in the art and not an inventive step.

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Wang (US 7454418 B1) in view of Bhattacharya et al. (US 7483972 B2) and further in view of Coskun (US 20150135320 A1) and in view of Bedhapudi et al. (US 20190108341 A1).

With regards to claim 4, Wang in view of Bhattacharya and Coskun do not, but Bedhapudi discloses, identifying a tree structure that corresponds to a file directory of the data structure (Bedhapudi [0079]; In general, primary data 112 can include files, directories, file system volumes, data blocks, extents, or any other hierarchies or organizations of data objects. As used herein, a "data object" can refer to (i) any file that is currently addressable by a file system or that was previously addressable by the file system (e.g., an archive file), and/or to (ii) a subset of such a file (e.g., a data block, an extent, etc.). Primary data 112 may include structured data (e.g., database files), unstructured data (e.g., documents), and/or semi-structured data. See, e.g., FIG. 1B.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Wang in view of Bhattacharya and Coskun's method with the teaching of Bedhapudi in order to protect the information stored on their computer networks while minimizing impact on productivity (Bedhapudi [0003]).

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Wang (US 7454418 B1) in view of Bhattacharya et al. (US 7483972 B2) and further in view of Coskun (US 20150135320 A1) and in view of Kapoor et al. (US 20070192863 A1).

With regards to claim 5, Wang in view of Bhattacharya and Coskun discloses assigning a weight to each of the vectors to produce a set of weighted vectors ([0055] In some examples, the weight adjuster 466 of the feature analyzer 466 adjusts the respective weights of the parameter vector w using a stochastic gradient descent method to reduce the computational complexity of an analysis (e.g., due to a large number entities, features, etc.).);
Wang in view of Bhattacharya and Coskun do not, but Kapoor discloses, wherein each of the vectors comprises values corresponding to a path depth attribute, a file size, a file count, a file extension attribute, a file modification attribute, or any combination thereof (Kapoor [0554] This artificial neuron approach, optionally embodied in a self organizing map architecture or neural net, may be used to detect viruses, including, but not limited to, ones associated with network shares, software vulnerabilities, mass-mailers, worms, internet relay chat, shared drives, instant messages, infected files, peer-to-peer networks, physical drives, removable drives, floppy drives, spammed email, wireless (e.g., Bluetooth), and other infection vectors. This flow processing facility architecture may be used to analyze virus vectors, including, but not limited to, Trojan horses, Windows networking shares, worms, scripts, email spoofing, hidden text file extensions, chat clients, packet sniffing, root kits, bots, and other means of virus delivery.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Wang in view of Bhattacharya and Coskun's method with the teaching of Kapoor in order to protect computer systems from viruses, attacks from hackers and other unauthorized intrusions, spyware, spam, phishing and other scams, malicious activities and code (Kapoor [0004]).

Claims 10 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Wang (US 7454418 B1) in view of Bhattacharya et al. (US 7483972 B2) and further in view of Coskun (US 20150135320 A1) and Boettecher et al. (US 7885791 B2).

With regards to claims 10 and 19, Wang in view of Bhattacharya and Coskun do not, but Boettecher discloses, computing a local reachability density for each of the snapshots based on the computed distance metrics; determining whether the local reachability density for each of the records is below a threshold based on neighboring records, wherein the abnormal record is identified based on the determination (Boettecher col 2 line 55-67; The present invention allows small and moving patterns in very noisy data to be detected. The present invention allows the development of clusters to be tracked over time and, more importantly, to distinguish tiny local structures from incidental data agglomerations. If data agglomerates by chance, it is very unlikely that this coincidence will happen over and over again. It is shown below that the present invention is capable of identifying very small local patterns, even in cases where there is much more noise than substantial data points, with only a very small number of false positives being flagged.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Wang in view of Bhattacharya and Coskun's method with the teaching of Boettecher in order to detect patterns in data and in particular the formation and evolution of clusters of data points (Boettecher col 1 line 5-15).

Allowable Subject Matter

Claims 11-12, 14 are allowed based on prior art of record.
The following is an examiner’s statement of reasons for allowance:
The prior art of record does not teach or fairly suggest, in combination with the other steps recited in Applicant's independent claims as amended: compute a set of connection weights, wherein each of the connection weights comprises a first index corresponding to a first leaf node of a first snapshot and a second index corresponding to a second leaf node of a second snapshot, wherein a sum of connection weights having the first index is equal to a weight assigned to the first leaf node and a sum of connection weights having the second index is equal to a weight assigned to the second leaf node and a sum of the set of connection weights is equal to one; multiply each of the connection weights by a squared distance between a vector corresponding to the first leaf node and a vector corresponding to the second leaf node to produce a set of weighted distances; calculate a distance metric between each pair of the snapshots based on a sum of a set of weighted distances corresponding to the pair of snapshots, wherein the set of connection weights is computed to minimize the sum.
The dependent claims, being definite, further limiting, and fully enabled by the specification are also allowed.
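A worked instance of the connection-weight formulation in the reasons for allowance above, as an added example that is not part of the Office action or of the claimed invention's own implementation: it assumes each leaf node carries an integer weight (a file count, as in claim 6) and that both snapshots carry the same total weight, and it solves the resulting transport problem exactly as a min-cost flow.

```python
"""Earth mover's distance between two snapshots of weighted leaf-node vectors.
Added example, not code from the Office action or any cited patent. It assumes
each leaf node is a feature vector plus an integer weight (e.g. its file count)
and both snapshots carry the same total weight; the transport problem in the
allowed claims is then solved exactly as a min-cost flow (successive shortest
paths with Bellman-Ford on the residual graph)."""
from collections import defaultdict

def sq_dist(a, b):
    """Squared Euclidean distance between two leaf-node vectors."""
    return sum((x - y) ** 2 for x, y in zip(a, b))

def emd(first, second):
    """first, second: lists of (vector, int weight). Returns (distance, flows),
    where flows[(i, j)] is the connection weight from leaf i of the first
    snapshot to leaf j of the second (all flows sum to one) and distance is
    the sum of flow * squared distance at the minimizing set of flows."""
    m, n = len(first), len(second)
    total = sum(w for _, w in first)
    if total != sum(w for _, w in second):
        raise ValueError("snapshots must carry equal total weight")
    src, snk = m + n, m + n + 1
    to, cap, cost, adj = [], [], [], defaultdict(list)

    def add(u, v, c, w):  # edge e and its reverse e ^ 1 are stored as a pair
        adj[u].append(len(to)); to.append(v); cap.append(c); cost.append(w)
        adj[v].append(len(to)); to.append(u); cap.append(0); cost.append(-w)
    for i, (vec_i, w_i) in enumerate(first):  # source -> leaf i -> leaf j -> sink
        add(src, i, w_i, 0.0)
        for j, (vec_j, _) in enumerate(second):
            add(i, m + j, w_i, sq_dist(vec_i, vec_j))
    for j, (_, w_j) in enumerate(second):
        add(m + j, snk, w_j, 0.0)
    flow_cost = 0.0
    while True:
        dist, pred, changed = {src: 0.0}, {}, True
        while changed:  # Bellman-Ford: cheapest augmenting path in the residual graph
            changed = False
            for u in list(dist):
                for e in adj[u]:
                    v, d = to[e], dist[u] + cost[e]
                    if cap[e] > 0 and d < dist.get(v, float("inf")) - 1e-9:
                        dist[v], pred[v], changed = d, e, True
        if snk not in dist:
            break
        path, v = [], snk
        while v != src:
            path.append(pred[v]); v = to[pred[v] ^ 1]
        push = min(cap[e] for e in path)
        for e in path:  # augment; the reverse edge's capacity records the flow
            cap[e] -= push; cap[e ^ 1] += push; flow_cost += push * cost[e]
    flows = {(i, to[e] - m): cap[e ^ 1] / total for i in range(m)
             for e in adj[i] if m <= to[e] < m + n and cap[e ^ 1] > 0}
    return flow_cost / total, flows
```

With constructed snapshots whose leaf vectors are (path depth, file count) pairs, the returned flows are the connection weights of the claim and the distance is the minimized weighted sum.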

Claims 8, 18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMED WALIULLAH whose telephone number is (571)270-7987. The examiner can normally be reached 8:30 AM to 4:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 1-571-272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MOHAMMED WALIULLAH/Primary Examiner, Art Unit 2498